The ECB conducted a public consultation on its new Guide on outsourcing cloud services to cloud service providers.
The Guide aims to clarify the ECB’s understanding of related legal requirements and its expectations for supervised banks. This will make supervision more consistent while helping ensure a level playing field for all banks. Drawing from risks and best practices observed through ongoing supervision and dedicated on-site inspections by Joint Supervisory Teams, the Guide seeks to strengthen regulatory oversight.
The consultation period closed on July 15th.
ECIIA has submitted a detailed response, emphasising the role of internal audit and offering key recommendations for enhancing the ECB guidance. These suggestions include:
- Incorporating practical examples to illustrate key technical elements.
- Clearly defining the minimum audit work for different types of cloud services, taking into account challenges in obtaining information from CSPs.
- Providing clear definitions of key items such as “critical functions”, considering those outlined in the Digital Operational Resilience Act (DORA).
View the full reaction below:
– Final comments
– Final with details