top of page
  • Writer's pictureDeborah

On May 17, the European Cloud User Coalition (ECUC) published a Position Paper recommending solutions for the compliant use of cloud technology to address several challenges.

The main challenges identified by coalition are as follows:

  • Overall public cloud adoption by financial institution (FIs) is challenging due to the specifics of cloud computing being regarded as outsourcing.

  • Legislation such as Digital Operation Resilience Act (DORA) and rulings such as Schrems-II currently make it difficult for FIs to adopt public cloud services.

  • FIs engaging Cloud Service Providers (CSPs) individually leads to additional administrative effort and time, as well as misdirection of priorities.

Some of key recommendations focused on the following areas:


ECUC is recommending that CSPs demonstrate that they carry on their activities in accordance with EU data privacy law and strictly comply with GDPR.

Pursuant to the invalidation of the EU-US Privacy Shield by the European Court of Justice (Schrems-II), enabling financial institutions and cloud consumers to apply data restrictions to a certain country or geographic region, CSPs should provide the necessary to support the storing and processing of consumer’s data in a certain country or geographic region.


This section includes recommendations relating to Data at Rest which refers to the storing of data for various purposes.

To ensure transparent and strong security in the cloud, the coalition is recommending that CSPs provide solutions to ensure adequate security is in place through, among others the implementation of a data encryption methodology that cannot be forced to divulge the keys to decrypt customer data without approval, consent or knowledge of the data owners.

Data encryption methodologies should be subject to adequate policies and procedures.

CSPs should have their services certified by independent third-party auditors to provide assurance to users. Users should be provided with proof of certification on request and be offered the opportunity to conduct their own audit.

Governance and regulation

This section includes recommendations on how to best approach the risks associated with outsourced services including requirements relating to:

  • Control measures and solutions for outsourced services

  • Readily available information for users

  • Sound governance of third-party risk management

  • Exit strategy

  • CSP audits and oversight with a main proposal for simplifications in audit procedures focusing on a collaborative audits approach as supported by the EBA Guidelines on Outsourcing Arrangements

Standard contractual clause

ECUC recommends that the Standard Contractual Clauses be binding for CSPs with a focus on the following key areas:

  • Audit rights for customers

  • Sub-outsourcing

  • Embedded URLs within contracts

  • Embedded URLs in contracts and service level agreements

  • CSP as controllers or processors

  • Insurance


DORA forms part of the EU Digital Finance Package and was published with the goal to make Europe's financial services more digital-friendly and stimulate responsible innovation and competition among financial service providers in the EU through the simplification of compliance with existing regulation on information and communication technology (ICT) risk management and security (see our full article here).

ECUC encourages compliance with DORA and recommends, inter alia, the below:

  • Alignment of EBA and ESMA Guidelines with DORA

  • Alignment of DORA with Industry Standards

  • Clarification of the framework related to critical ICT third-party service providers

  • Exclusion of intra-group relationships from the scope of DORA

  • Additional clarification for the effective assessment of sub-contracting chains

The ECUC was founded in 2021 and is composed of at least 19 EU financial institutions whose objective is to develop a joint position for the use by its members of public cloud technology provided by EU and non-EU cloud service providers (CSPs).

The consultation is open to feedback from CSPs, regulatory bodies and other regulated institutions. A subsequent version of the Position paper will be published in due course.

Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

Upcoming Regulatory Deadlines to Watch

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern


bottom of page