When companies intend to use cloud services, they must ensure compliance with all applicable internal and external regulations. This is particularly crucial for regulated sectors such as banking, insurance, and operators of critical infrastructure (KRITIS), where detailed requirements must be met through effective compliance management.
In this blog post, we examine the key factors relevant to ensuring cloud compliance for any organisation. Additionally, we use the banking sector as an example to highlight what must be considered under the EBA Guidelines on Outsourcing.
## Cloud Compliance Aspects for Every Company
Cloud services introduce additional risks and challenges for compliance management in the context of IT outsourcing. Compliance requirements ensure that risks are identified, monitored, and controlled, and that appropriate measures are put in place to manage them sustainably.
The following five aspects, which should be considered during IT outsourcing, are generally relevant for ensuring cloud compliance in any organisation:
- IT strategy directive – when and how cloud services are used
- Assessment of service criticality (risk analysis)
- Contractual arrangements
- Evaluation and selection of the service provider
- Monitoring and control of services and agreements
These aspects are examined in more detail below.
## Requirements from EBA and BaFin
In the banking sector, specific European and national regulations apply. The European Banking Authority (EBA) has issued its influential Guidelines on Outsourcing (EBA/GL/2019/02), which outline procedures for outsourcing services. These guidelines aim to harmonise outsourcing agreements and supervisory practices across Europe. Cloud service outsourcing is included within the scope of these guidelines, which supersede the previous Recommendations on Outsourcing to Cloud Providers.
Germany’s Federal Financial Supervisory Authority (BaFin) oversees banks and financial service providers. Institutions are expected to make every effort to comply with the EBA guidelines. BaFin has incorporated these guidelines into its supervisory practices and publishes regulations such as the Minimum Requirements for Risk Management (MaRisk), which reflect the EBA’s principles. Also relevant is the Banking Supervisory Requirements for IT (BAIT), which provides a framework for the technical and organisational setup of institutions.
## Comparison of Relevant Cloud Compliance Aspects

| Relevant Aspect | Recommended for All Companies | EBA Guidelines Requirements |
|---|---|---|
| 1. IT Strategy Directive | Holistic and goal-oriented IT strategy aligned with corporate strategy | Sourcing strategy (possibly part of IT strategy), outsourcing strategy, exit strategy |
| 2. Service Criticality Assessment | Risk analysis and evaluation of each outsourced service | Risk analysis and classification of services; critical functions are defined |
| 3. Contractual Arrangements | Minimum contract scope: define service and quality, KPIs, audit rights, data protection, termination clauses, applicable law | Detailed specifications, unrestricted audit rights for critical outsourcing, data protection, exit clauses, subcontracting rules, applicable law |
| 4. Provider Evaluation and Selection | Criteria based on business needs: location, certifications, due diligence | Due diligence, location (EU/third country), certifications, audit reports |
| 5. Monitoring and Control | Ongoing reporting and audits based on KPIs | Continuous performance and quality monitoring, contractual reporting obligations |
## Recommendations for All Companies
A comprehensive and targeted IT strategy should be developed in line with corporate goals, including a sourcing strategy component. A detailed risk analysis and evaluation of outsourced services is essential.
Contractual arrangements with providers should include a minimum set of clauses, with clearly defined service scope and quality. Providers must grant the client appropriate audit and information rights, and these obligations must be clearly stated in the contract. Termination clauses should allow companies to respond to poor performance and prepare for provider changes or insourcing. Data protection and confidentiality must be contractually secured in line with legal requirements. The applicable law must also be defined—typically German law.
## Requirements for Banks (EBA Guidelines)
The EBA guidelines cover the entire outsourcing process and set specific requirements for risk management. They distinguish between outsourcing of critical or important functions and other types of outsourcing. The guidelines include fixed evaluation criteria for services and their criticality, with stricter requirements for critical functions.
For critical outsourcing, extensive documentation and reporting obligations apply to the supervisory authority (usually BaFin). Providers may use subcontractors, but contractual terms must not conflict with regulatory audit rights.
Provider selection, especially for critical functions, requires thorough due diligence and documentation. Companies must ensure robust monitoring and control mechanisms, including for subcontractors. Internal teams must have sufficient resources and capabilities to manage and oversee the provider(s).
## Conclusion
The five aspects and recommended guidelines can be applied by any company to ensure cloud compliance. Depending on the risk profile of the industry or organisation, these guidelines can be adapted and strengthened. Each company must establish a compliance framework tailored to its specific needs.
The EBA guidelines are broadly comparable to general recommendations but go significantly further in some areas—particularly regarding accountability, documentation, and reporting obligations to regulators. These guidelines provide a robust framework for structuring outsourcing agreements, especially in the financial sector.