On May 17, the European Cloud User Coalition (ECUC) published a Position Paper recommending solutions for the compliant use of cloud technology to address several challenges.
The main challenges identified by the coalition are as follows:
Public cloud adoption by financial institutions (FIs) is challenging overall because cloud computing is regarded as outsourcing, with all the regulatory obligations that entails.
Legislation such as the Digital Operational Resilience Act (DORA) and rulings such as Schrems-II currently make it difficult for FIs to adopt public cloud services.
FIs engaging Cloud Service Providers (CSPs) individually leads to duplicated administrative effort and time, as well as a misdirection of priorities.
Some of the key recommendations focus on the following areas:
ECUC recommends that CSPs demonstrate that they conduct their activities in accordance with EU data privacy law and strictly comply with the GDPR.
Following the invalidation of the EU-US Privacy Shield by the European Court of Justice (Schrems-II), CSPs should provide the means to store and process customer data within a specified country or geographic region, so that financial institutions and other cloud consumers can restrict their data to that country or region.
Data at rest
This section includes recommendations relating to data at rest, i.e. data stored for various purposes.
To ensure transparent and strong security in the cloud, the coalition recommends that CSPs provide solutions ensuring adequate security, including a data encryption methodology under which the CSP cannot be forced to divulge the keys needed to decrypt customer data without the approval, consent or knowledge of the data owner. In practice this means the customer, not the CSP, must hold or control the decryption keys.
Data encryption methodologies should be subject to adequate policies and procedures.
CSPs should have their services certified by independent third-party auditors to provide assurance to users. Users should be provided with proof of certification on request and be offered the opportunity to conduct their own audit.
Governance and regulation
This section includes recommendations on how to best approach the risks associated with outsourced services including requirements relating to:
Control measures and solutions for outsourced services
Readily available information for users
Sound governance of third-party risk management
CSP audits and oversight, with a main proposal to simplify audit procedures by focusing on a collaborative audit approach, as supported by the EBA Guidelines on Outsourcing Arrangements
Standard contractual clauses
ECUC recommends that the Standard Contractual Clauses be binding for CSPs with a focus on the following key areas:
Audit rights for customers
Embedded URLs in contracts and service level agreements
CSPs as controllers or processors
DORA
DORA forms part of the EU Digital Finance Package and was published with the goal of making Europe's financial services more digital-friendly and stimulating responsible innovation and competition among financial service providers in the EU, by simplifying compliance with existing regulation on information and communication technology (ICT) risk management and security (see our full article here).
ECUC encourages compliance with DORA and recommends, among other things, the following:
Alignment of EBA and ESMA Guidelines with DORA
Alignment of DORA with Industry Standards
Clarification of the framework related to critical ICT third-party service providers
Exclusion of intra-group relationships from the scope of DORA
Additional clarification for the effective assessment of sub-contracting chains
The ECUC was founded in 2021 and is composed of at least 19 EU financial institutions. Its objective is to develop a joint position for its members on the use of public cloud technology provided by EU and non-EU CSPs.
The consultation is open to feedback from CSPs, regulatory bodies and other regulated institutions. A subsequent version of the Position Paper will be published in due course.