The European Central Bank (ECB) has published its final guide on outsourcing cloud services, following from a July 2024 consultation. Feedback on the consultation is set out in an accompanying feedback statement. The guide clarifies supervisory expectations for banks under the ECB's remit in relation to the Digital Operational Resilience Act (DORA). While not legally binding, the guide outlines good practices for effective cloud outsourcing risk management, particularly given growing reliance on a limited number of third-party providers. Key areas covered include governance and risk management strategy, pre-outsourcing analysis, contractual arrangements, exit strategies and termination rights, and ongoing monitoring and oversight. The guide emphasises a risk-based and proportionate approach to outsourcing cloud services, tailored to the diverse structures, activities and risk profiles of ECB-supervised banks. The final version distinguishes more clearly between DORA requirements and ECB-recommended practices.