EBA recommendations on outsourcing to cloud service providers

Published: 12 February 2018


The European Banking Authority (EBA) has published its final recommendations on outsourcing to cloud service providers.  Although AIMA provided some suggestions for changes and clarifications to the EBA in response to its consultation on the draft recommendations, the EBA, in the end, made relatively few adjustments to what was proposed.  A detailed analysis of the feedback received and the EBA’s responses is provided near the end of the report.

Outsourcing firms are required to, among other things:

  1. Make a materiality assessment as regards their outsourcing to cloud service providers;
  2. Adequately inform supervisors of material activities outsourced to cloud service providers;
  3. Maintain a register of material and non-material outsourcings to cloud service providers;
  4. Make sure the written agreement with the cloud service provider contains the required provisions regarding access (including to head offices, operations centres and data centres) and audit rights for both the outsourcing firm and competent authorities, as well as confidentiality of information and chain outsourcing, among other things;
  5. Perform certain due diligence tasks;
  6. Monitor the performance of activities and security measures;
  7. Plan and implement arrangements to maintain business continuity in the face of failure by the cloud service provider and have a clearly defined exit strategy.

These recommendations apply to credit institutions and investment firms as defined in Article 4(1) of the CRR and will apply from 1 July 2018.  For questions regarding these EBA recommendations, please contact Jennifer Wood.