Industry associations say ECB cloud guidelines clash with EU’s Dora

Responses from industry participants on the European Central Bank’s guidelines are expected in the coming weeks.


Some industry associations have raised concern that the European Central Bank’s cloud outsourcing guidelines—published in June—run counter to the requirements in the EU’s Digital Operational Resilience Act (Dora), a cybersecurity regulation introduced in 2023 to target the risks posed by third-party software use in the financial sector.

The guide is the ECB’s interpretation of two EU legal acts on technology outsourcing: Dora and Article 74 of the Capital Requirements Directive (CRD), which covers internal governance, recovery, and resolution plans. Third-party risk management, including cloud outsourcing, is one of the ECB’s supervisory priorities for 2024 through 2026.

Dora, which takes effect in January, has drawn attention to banks’ reliance on the major cloud platforms: most notably, Microsoft Azure, Amazon Web Services, and Google Cloud. By bringing regulatory oversight to the ever-closer relationship between finance and tech, Dora aims to close the gap between highly regulated financial firms and less regulated tech companies.

The ECB says its guide should be read “in conjunction” with Dora and that the incoming act takes precedence over its guidelines. Financial institutions are concerned, though, that some of the recommendations take Dora a step further by offering detailed interpretations where Dora’s language was intentionally left vague.

The industry associations say the ECB has taken a broader approach than Dora on the termination of contracts with cloud service providers. The ECB suggests that a contract could be terminated for commercial reasons, such as “an excessive increase in expenses” or the cost of the provider’s services. Dora does not explicitly state price as a reason a contract could be terminated.

Another example is the recommendation that critical service backups should not be stored in the same cloud environment. The ECB says a financial entity should instead have its backups stored on-premise or in an alternative cloud environment.

Dora’s article on backups and recovery addresses how a third-party provider maintains its backup and recovery methods, and the financial firm’s obligation to monitor those methods, but it largely avoids laying out specific methods of doing so.

“This may in practice push more institutions more in the direction of a multi-provider solution,” Kit Burden, a partner in the technology and sourcing group at law practice DLA Piper, wrote in a LinkedIn post.

The head of technology at a major industry body says this is “not commercially viable” for all institutions. Requirements for dual cloud strategies could relegate cloud innovation to the largest global banks and “ensure that banking is left to just a few global players,” they say, speaking on the condition of anonymity because industry responses to the guidelines are not yet public.

The consultation period for the ECB’s guide closed on July 15, with industry associations expected to make their responses public in the coming weeks. According to sources at two industry associations, the ECB’s guide risks reinterpreting Dora and making the already significant legislation harder to implement.

The guidelines have not yet been finalized. Sources with knowledge of Dora and the ECB’s proposed guidelines say the ECB could change or soften its language following industry feedback. The guide is meant to provide more explicit instruction than Dora’s Level 1 and Level 2 texts, but it is not intended to be stricter. It is based on research collected through the ECB’s supervision and analyses of outsourcing practices at banks.

A head of European policy at a second major industry association says the group has received feedback not only from its finance members but also from large infrastructure providers and vendors asking the trade body to respond to the guidelines.

The ECB guidelines suggest financial firms have more leeway to end a contract with a cloud provider than Dora does. They give specific examples of situations that might fall under Dora’s Article 28(7), where Dora itself provides only general criteria for termination.

Dora’s Article 28(7), for example, says financial entities can end contracts with third parties for a significant breach of regulation or contract, weakness in the provider’s risk management and data policies, or contract conditions that impede a regulator’s ability to supervise the third party.

It also says contracts can be terminated for “circumstances identified throughout the monitoring of ICT (information and communication technology) third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider.”

The ECB guidelines say that a provider relocating its headquarters to another jurisdiction or raising its prices sharply could also be subject to Article 28(7).

“ECB wants firms to prepare for potentially large changes in availability [of third parties],” says the European policy head.

Though the ECB has said its guidelines are meant to supplement Dora, if the guidelines are finalized as they’re currently written, these two industry bodies are concerned about the precedent they could set for future cloud outsourcing regulation and the interpretation and implementation of Dora.

As January approaches, interpreting Dora has been a major task for firms and vendors who fall under its remit. According to the head of European policy, there’s still “major work” and communication needed to bring third parties up to speed, especially small companies that have dealt less with regulators.

“We can anticipate that cloud service providers will point to the fact that the guide is expressly stated as not being legally binding,” wrote Burden, “but institutions subject to the ECB’s oversight will need to be cognizant of its views.” 

The ECB declined to comment for this story.
