|

Add a bookmark to get started

28 de marzo de 20244 minute read

BaFin updates guidelines on cloud provider outsourcing: Navigating DORA compliance and enhanced oversight

Introduction

In February 2024, BaFin updated its 2018 supervisory notice on outsourcing to cloud providers. The updated supervisory notice is based on the exchange between BaFin and the Deutsche Bundesbank with supervised companies and cloud providers.

Below we summarize the most important points and new features of the updated supervisory notice. Supervised entities should familiarize themselves with the new provisions of Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) and prepare for their implementation.

 

Summary
  • In its supervisory communication, the German financial supervisory authority (BaFin) refers extensively to Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) and advises supervised companies to take the provisions of DORA into account when amending or concluding new outsourcing agreements with regards to IT services.
  • BAIT (and corresponding circulars for insurance companies, payment service providers and fund managers) will also be revised and updated in the course of DORA to avoid double regulation.
  • Supervised companies must continuously monitor the security level of cloud providers and implement information security measures.

The updated supervisory letter from BaFin is based on the guideline for outsourcing to cloud providers from November 2018. The significantly expanded and updated version is based on the exchange between BaFin and the Deutsche Bundesbank with supervised companies and cloud providers. BaFin's discussions with cloud providers focused on the structure of (standard) contracts and the specific challenges in the practical implementation of outsourcing. BaFin emphasizes that supervised companies must continuously monitor the security level of cloud providers and implement information security measures.

The supervisory communication is intended to address the peculiarities associated with the use of cloud services and serve as a guide for supervised companies. In addition, the supervisory communication is intended to provide an outlook on the practical effects of DORA, which came into force on 16 January 2023, and will be directly applicable from 17 January 2025. The supervisory communication provides guidance on the requirements for outsourcing agreements and the monitoring and control of cloud outsourcing by supervised companies. BaFin advises supervised companies to take into account the new provisions of DORA when changing or concluding new outsourcing agreements.

BaFin emphasizes that supervised companies should carry out a risk analysis and materiality assessment of the intended outsourced service. In BaFin's view, this should be supplemented by a strategic analysis of whether the intended outsourcing is "cloud-capable," can be adequately monitored by the supervised company, and can also be relocated back to the supervised company to an appropriate extent.

Supervised companies should also develop internal guidelines for the use of cloud providers and cloud services that are in line with their (IT) strategy and their IT security guidelines. Ideally, the supervised companies should create general guidelines for using cloud services and specific guidelines for using certain cloud services and cloud providers. The guidelines should at least cover the topics of cloud compliance, identity and rights management, encryption and key management, development and operation, interfaces and environments, control of subcontractors, and IT emergency management.

In addition, supervised companies should provide and anchor sufficient quantitative and qualitative personnel, financial, and other resources for the use of the cloud. BaFin highlights the areas of governance, risk management, and outsourcing management. Above all, the areas of monitoring, control, and auditing of cloud outsourcing and the development, operation, and security of cloud applications and cloud environments must be adequately taken into account in resource allocation.

Due to the complex technical subject matter, supervised companies must ensure that outsourcing-related activities are carried out by personnel who have relevant knowledge and competencies about using cloud solutions. The more technical the tasks are, the more specific the knowledge of the personnel should be about the cloud provider and the cloud services.

Compared to the orientation aid from November 2018, there are few additions in the current supervisory communication from BaFin regarding the contract design of outsourcing contracts for cloud services. BaFin's statements are partly based on past circulars from BaFin (such as AT 9 of MaRisk or II. 9 of BAIT) and on Article 28 (7) and Article 30 DORA and continue the previous supervisory practice with regard to (conventional) outsourcing, the procurement of IT services, and the provisions of DORA. BAIT (and corresponding circulars for insurance companies, payment service providers, and capital management companies) will also be revised and updated in the course of DORA to avoid double regulation.

Print