The European Central Bank (ECB) has launched a public consultation on its recently published guide on outsourcing cloud services. The guide clarifies the ECB’s understanding of the rules under the Digital Operational Resilience Act (DORA) and the Capital Requirements Directive (CRD), and how they apply to the banks under ECB’s supervision. Stakeholders involved in cloud service outsourcing are invited to comment.

In a statement announcing the consultation, the ECB points out that “banks are increasingly using cloud computing services offered by third-party service providers”. Unfortunately, dependency on third parties can expose organisations to risks, espeically if the outsourced services cannot be easily substituted during a failure. In addition, the ECB describes the market for cloud services as “highly concentrated, with many banks relying on just a few service providers located in non-European countries”.

In light of these challenges and the “various vulnerabilities” ECB identified in banks’ IT outsourcing practices during the supervisory review and evaluation process last year, “third-party risk management, including cloud outsourcing, remains high on the list of the ECB’s supervisory priorities for 2024 to 2026”.

Drawing on the risks and best practices observed by the joint supervisory teams, the guide aims to “make supervision more consistent while helping ensure a level playing field for all banks”. The deadline for submitting of comments is 15 July.