EU Regulator: Incoming rules will arm financial institutions to negotiate cloud contracts

While the new rules will eat into financial services resources, regulators say they will also offer safeguards for managing cloud agreements.

A raft of new rules set to be released by the European Union by the end of 2022 should strengthen financial institutions’ ability to negotiate contracts with their cloud service providers (CSPs), says a European Union regulator.

Witte Wijsmuller, a policy officer for the European Commission’s cloud and software unit, said the new rules will give firms the tools to prevent vendor lock-in and overreliance on a single CSP.

“One of the challenges, which has been persistent and isn’t going away, is vendor lock-in. Or at least, the risk perceived by many customers is that when they choose one service provider, they may be locked [into that contract] at a later point in time when data volumes have grown,” Wijsmuller said, speaking at a recent industry conference hosted by the Association for Financial Markets in Europe (Afme).

The final drafts of the proposed rules are expected later this year. They include the Data Act, the Digital Operational Resilience Act (Dora), and the EU’s cloud computing objectives. They will target issues that include third-party operational resilience, rights and access to data, and the parameters around which cloud contracts should be agreed.

The Data Act, proposed in February 2022, is a sector-wide piece of regulation that stems from the EU’s Data Strategy goals, which aim to harmonize rules on who can use and access data across the EU. The proposal also sets out measures to strengthen small- to medium-sized firms’ bargaining powers when negotiating contractual terms in data-sharing contracts, such as those drafted with CSPs, and puts in place measures for allowing firms to switch between different providers more easily.

On the same day that the Data Act proposal was released, the European Commission also formed a group tasked with developing standard contractual clauses (SCCs) specific to the financial services industry, to be used when financial firms agree service terms with their cloud providers.

“Those SCCs would reinforce the position of the user at the negotiation table with cloud providers, where negotiation power is often still unbalanced,” Wijsmuller said.

“This would also help financial sector institutions to be sure that they respect what European regulators and supervisors expect from them, but also to make sure that things like appropriate exit strategies, and other contractual clauses that may lead to vendor lock-in, are not present in their contract.”

James Fox, director of enterprise cloud transformation at Protiviti, a London-based consultancy firm, tells WatersTechnology that cloud contracts have been largely weighted in favor of the CSPs for a variety of reasons. For one, cloud providers must manage thousands of clients, and thus typically commence their negotiation process by offering a default enterprise contract, rather than creating bespoke agreements for each customer. Secondly, these negotiations can be a drawn-out, painstaking process, and while many large financial institutions have the resources to invest in the legal rigmarole, many mid- to small-tier firms must accept the terms they are given.

“The challenge you always see with cloud is people want to move fast,” Fox says. “But we’ve seen with some customers that it takes six to 12 months to negotiate that enterprise agreement contract, and that’s a lot of back and forth between the respective legal teams.”

The legislators themselves echo Fox’s sentiments. Dora states that “many such contracts do not provide for sufficient safeguards allowing for fully-fledged monitoring of subcontracting processes, thus depriving the financial entity of its ability to assess these associated risks. In addition, as ICT [information and communications technology] third-party service providers often provide standardized services to different types of clients, such contracts may not always adequately cater to the individual or specific needs of the financial industry actors.”

As more banks, asset managers, exchanges, and vendors rely on cloud technology, there is a growing concern among end users that they could find themselves in a precarious position in the future if CSPs look to exert even more control.

“My request of the regulators is to help us do the right thing; help us by setting the minimum standards,” an executive at a tier-one bank told WatersTechnology earlier this year. “[Regulators should] bring the cloud providers to the discussion table and lay down the law to them. Although they’re not regulated, they are a major part of the financial services sector, and the regulators have clout.”

Fox says that cloud providers have been hesitant to disclose the details of their operations mainly due to competitive and commercial reasons, rather than from a position of trying to prevent financial firms from meeting their regulatory requirements. One solution, proposed by Protiviti in a paper it published in September 2021, was that the major cloud providers and banks could create a collective working group where the CSPs could, under non-disclosure agreements, share their resiliency information directly with their clients.

“It wouldn’t be public information, per se, but it’s a start in terms of sharing some of the [CSP’s] inner workings with the banks to be able to deduce their approaches to resilience, their ability to exit, and get more insight to manage their risk profile,” he says. “Right now, they don’t know what they don’t know, and so they are having to design [their cloud control frameworks] for a black box.”

“When the rubber meets the road”

Getting started is often one of the biggest hurdles when it comes to cloud migrations. Fox says that firms tend to think of these projects as pure technology plays and it is only later on in the development phase that chief risk officers and compliance teams tend to ask about controls and meeting broader regulatory landscape requirements.

“Often, we don’t see that baked in from the start,” he says. “And the challenge is balancing that without it acting as a brake on their adoption.”

The incoming rules and guidelines are expected to provide more structure, or at least a clearer methodology, for building those control frameworks from the ground up. For instance, the European Alliance for data, edge, and cloud, an industry group made up of businesses, member state representatives and experts, is publishing additional templates and rules for governing CSPs, such as a cloud rulebook, cloud security certifications, and standard cloud SLAs. The alliance was founded as part of the EU’s Data Strategy goals and is tasked with meeting ambitious objectives for fostering trustworthy and competitive cloud and edge computing services across the EU.

“The European Union will provide tools to help financial institutions dealing with [cloud negotiations],” Wijsmuller said. “For example, an EU cloud rulebook will be a transparency tool to show which rules are applicable when, or [will provide] an EU cloud security certification scheme, which the European Union Agency for Cybersecurity [Enisa], our EU cyber agency, together with [the] European Commission, are about to finalize.”

Perhaps more controversially, in the UK, the Bank of England has also published guidance that will expect board members and senior management to sign off on a financial firm’s cloud strategy prior to implementation. This acts as a potential sticking point, as many board members of financial institutions could have little to no understanding of how the cloud operates, let alone what makes a successful cloud strategy.

“They expect a cloud strategy that’s endorsed by the board—so before any regulated institution enters into their cloud journey that will be a requirement,” Fox says.

Multi-cloud or hybrid strategies have become another approach to mitigating vendor stickiness and concentration risk. From the outset, as part of the Dora proposals, many financial institutions are having to negotiate and test exit strategies with multiple CSPs or use backup on-premises solutions to avoid the risk of disruptions to their business or the wider financial system.

Consequently, access to talent has emerged as a problem in cloud migrations, Fox says. Not only must banks and financial firms acquire the skills to understand the deluge of incoming rules, but they need multi-skilled technologists—unicorns, as Fox calls them—that can operate across the various different cloud providers. These skills are rare, but when you do find them, they come at a high price.

“Most [large financial] firms have hundreds of people in their cloud team,” Fox says. “So if you’re forced to take on a second cloud provider, you’re almost having to find another 100 people to duplicate [those services]. It can be very costly and very complicated from a people perspective.”
