ECB issues new guidance on outsourcing cloud services
The European Central Bank (ECB) issued the final wording of its new guide on outsourcing cloud services to cloud service providers (CSPs) in July. The Guide is not legally binding and is not intended to introduce new rules over and above the DORA Regulation. It does, however, set out the ECB’s expectations on the requirements of DORA, including from the ECB’s observations of good practices.
For the largest European banks, the Guide effectively introduces an additional layer of complexity that must be addressed to ensure that their compliance with the DORA Regulation meets the ECB’s expectations. “Significant Institutions” directly supervised by the ECB are already required to review and potentially uplift their DORA controls mere months after DORA became applicable.
Although the ECB’s direct supervisory remit is limited to the largest European banks, its position as a leading European regulator means that national regulations are also likely to draw upon the enhanced compliance standards outlined in the Guide. As a result, the Guide presents further considerations for less significant institutions in determining what constitutes a proportionate approach to compliance in relation to the scale and complexity of their operations.
ECB’s expectations
When these significant financial entities (FEs) use cloud services, the ECB expects them to apply the following measures and adopt the following policies and strategies, or at least to encourage the following good practices.
ICT governance framework, cloud strategy and ICT asset classification policy
As an additional expectation compared to DORA, FEs are advised to adopt:
- a cloud strategy aligned with their other strategies, either as part of their DORA operational resilience strategy or as a component of their separate ICT risk and outsourcing strategy; and
- a clear policy on the classification of all ICT assets, including those outsourced to CSPs.
FEs are expected to apply a governance framework for cloud services that clearly defines the roles and responsibilities of the relevant functions and bodies, specifically regarding cloud services.
Good practices in risk assessment
FEs should conduct risk assessments of CSPs with particular focus on the following cloud-related risks:
- vendor lock-in and difficulties in switching to alternative providers;
- data protection and data location;
- region-specific political and physical risks;
- risk of price increase, cost unpredictability, decline in service quality;
- risks of a multi-tenant environment;
- increased difficulty of conducting audits;
- lack of transparency regarding the use of sub-providers (subcontractors);
- risk of concentration of the provided functions and of the services extending over time;
- risk of the CSP terminating access or services without the ability to transfer to another CSP;
- risks to backup data and systems;
- extreme scenarios where some or all of the relevant cloud services become unavailable.
Good practices in business continuity, disaster recovery and exit strategy
FEs should adopt an ICT business continuity policy, as well as disaster recovery plans and procedures, with particular attention to the following cloud-related issues:
- Preventing termination of access or services by the CSP without the ability to transfer services to another provider.
- Adopting backup policies, restoration and recovery procedures, and ensuring physical and logical segregation of backup data from the source ICT systems, in line with Article 12(3) of DORA. This may be achieved through the same CSP, another CSP, on-premises, or a non-cloud provider.
- Testing a variety of disaster recovery scenarios, including component failure, full site loss, regional outages, and partial failures.
- Designating roles in disaster recovery procedures and providing training for these roles.
- Considering scenarios of political or social instability in the CSP’s jurisdiction, including the location of data storage and processing.
- Special requirements for cloud services supporting critical or important functions (CIF):
  - Ensuring multiple active data centres in different geographical locations with independent power supply and network connections. This expectation goes beyond DORA Article 12(5), which applies only to central securities depositories, as the ECB now recommends it as good practice for all financial institutions.
  - Using hybrid cloud architecture.
  - Using multiple CSPs or backup providers.
FEs should assess the CSP’s disaster recovery plans (DRPs) and tests and should not rely exclusively on the provider’s disaster recovery certifications. This goes beyond DORA, which requires testing only of an institution’s own plans (Art. 11(6)) and obliges CSPs to implement and test DRPs only for CIF services (Art. 30(3)(c)); the ECB extends this to all non-CIF cloud services.
FEs must also adopt an exit strategy for CIF cloud services. According to the Guide, such a strategy should allow sufficient time to identify alternative providers or migrate services in-house, and it would be advisable to maintain a list of qualified alternative service providers. To enable effective service transfer, good practice for FEs is to apply measures that facilitate data portability and migration, for example containerization in the case of IaaS (Infrastructure as a Service). The exit plan should include critical milestones, a description of required tasks and skillsets, a rough estimate of the time required, and the costs involved.
Cloud-specific good practices in data security, access management and user authentication
The Guide includes several cloud-specific data security measures that FEs are strongly advised to apply:
- In line with Articles 9 and 28(5) of DORA, FEs must ensure the security and integrity of data both in transit and at rest within the cloud environment. They must use encryption for data in transit, at rest and, where feasible, in use, applying appropriate encryption methods. The ECB recommends the following good practices in encryption and cryptographic key management:
  - Adopting comprehensive encryption and cryptographic control policies.
  - Defining encryption algorithms, corresponding key lengths, data flows and processing logic that follow contemporary standards and are subject to regular review.
  - Ensuring cryptographic keys are generated and managed securely, with regular reviews.
  - Using encryption keys for supervised entity data that are unique and not shared with other users of the cloud service.
- FEs should restrict the locations where CSPs may store their data and implement appropriate tracing mechanisms to monitor compliance with these restrictions. For this purpose, FEs may draw up a list of countries where their data may be stored and processed.
- FEs should use multi-cloud technologies to enhance data security, apply appropriate network segmentation, and adopt other data loss prevention measures.
- FEs are advised to include contractual clauses requiring CSPs to align with the FE’s IT and identity and access management (IAM) policies, or at least to verify how the IAM structure provided by the CSP fits with the FE’s IAM framework.
- FEs must identify and authenticate all users – particularly those with privileged access rights – using multi-factor authentication, especially in the case of CIF cloud services. Access rights must be reviewed regularly. Privileged user access should be tracked in real time. Monitoring and logging tools must be applied to record a CSP’s access to any of the FE’s systems or data.
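As an added illustration (not ECB or DORA tooling, and not from the original article), the following policy-as-code check evaluates a constructed cloud asset inventory against the data-location, encryption, key-uniqueness, MFA and CSP-access-logging expectations listed above; the allowed-country list, the asset fields and the sample inventory are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed example: the list of countries where the FE permits its data to be
# stored and processed, as the Guide suggests FEs draw up. Values are illustrative.
ALLOWED_LOCATIONS = {"DE", "FR", "NL", "IE"}


@dataclass(frozen=True)
class CloudAsset:
    name: str
    cif: bool                   # supports a critical or important function
    locations: frozenset        # ISO country codes where the CSP holds the data
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    key_unique_to_entity: bool  # key is not shared with other tenants of the CSP
    privileged_mfa: bool        # MFA enforced for privileged users
    csp_access_logged: bool     # CSP access to FE systems/data is recorded


def check_asset(asset: CloudAsset) -> list:
    """Return the gaps against the ECB expectations for one asset (empty = none)."""
    gaps = []
    outside = asset.locations - ALLOWED_LOCATIONS
    if outside:
        gaps.append(f"data stored outside allowed countries: {sorted(outside)}")
    if not asset.encrypted_in_transit:
        gaps.append("no encryption in transit")
    if not asset.encrypted_at_rest:
        gaps.append("no encryption at rest")
    if not asset.key_unique_to_entity:
        gaps.append("encryption key shared with other cloud tenants")
    if not asset.privileged_mfa:
        # The Guide stresses MFA for privileged access, especially on CIF services
        gaps.append("privileged access without MFA" + (" (CIF service)" if asset.cif else ""))
    if not asset.csp_access_logged:
        gaps.append("CSP access to FE systems or data is not logged")
    return gaps


def check_inventory(assets) -> dict:
    """Map asset name -> list of gaps, for the assets that have at least one gap."""
    return {a.name: gaps for a in assets if (gaps := check_asset(a))}


# Constructed inventory of two assets (not real systems).
SAMPLE_INVENTORY = [
    CloudAsset("payments-db", True, frozenset({"DE", "IE"}), True, True, True, True, True),
    CloudAsset("hr-archive", False, frozenset({"DE", "US"}), True, True, False, False, True),
]

if __name__ == "__main__":
    for name, gaps in check_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(gaps))
```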
Good practices in monitoring of CSPs and contracts on cloud services
FEs should not rely exclusively on CSP-provided monitoring tools when overseeing CIF cloud services and assessing CSP performance. Independent monitoring tools must also be used, and FEs should maintain adequate in-house expertise and staff capacity for monitoring activities.
Although Article 30 of DORA does not include such provisions, the ECB recommends incorporating the following contractual clauses into cloud service agreements:
- The right to request remedial actions for ineffective or deteriorating services.
- A clear method for calculating on-site audit costs.
- An obligation for all parties to retain copies of both original and amended contracts.
Good practices in audits
According to the ECB guidance, FEs should not rely solely on third-party audit reports and certifications provided by the CSP. Audits of CSPs should verify that the CSP applies its internal guidelines properly, risk assessments are conducted appropriately, and the CSP’s risk management framework is of sufficient quality.
FEs are advised to include in their contracts with CSPs a clause granting the FE, its internal audit function, as well as the competent supervisory and resolution authorities the right to access, inspect, and audit the CSP. While Article 30(3)(e)(i) of DORA makes this mandatory only for CIF cloud services, the ECB recommends applying this good practice to all types of cloud services.
This article was first published by Global Relay.