
New ECB Guide on Outsourcing Cloud Services to Cloud Service Providers

In Short

The Situation: On 16 July 2025, the European Central Bank ("ECB") published a non-binding Guide clarifying supervisory expectations for institutions outsourcing cloud services.

The Result: The Guide translates third-party risk rules of the Digital Operational Resilience Act (2022/2554/EU, "DORA") and the Capital Requirements Directive (2013/36/EU, "CRD") into detailed recommended practices on governance, risk assessment, resilience, security, oversight, and exit management. It explicitly draws on the ECB's supervisory experience and DORA Level 2 Regulatory Technical Standards (2024/1773 and 2024/1774).

Looking Ahead: Directly supervised banks are expected to benchmark their cloud outsourcing arrangements against the Guide without delay and document remediation plans to avoid supervisory findings in upcoming Joint Supervisory Teams' ("JSTs") reviews and on-site inspections.

Key Elements

Although formally non-binding, the ECB states that JSTs will use the ECB Guide on outsourcing cloud services to cloud service providers as a benchmark in supervisory assessments, which sets expectations that companies will adopt the recommended practices.

The Guide emphasizes that the management body retains ultimate responsibility for information and communications technology ("ICT") risk management (Art. 5 DORA) and requires an ex-ante risk assessment of each cloud arrangement under Art. 28 DORA. Institutions must align their cloud strategy with their overall business and digital-resilience strategy and apply the same level of diligence as if services were performed in-house.

The Guide sets out recommended practices on avoiding dependencies on specific vendors (including regular reassessment), holistic business-continuity and disaster-recovery planning, comprehensive ICT-asset inventories, data encryption in transit, at rest and in use, and robust identity-and-access management ("IAM") covering cloud assets. It also stresses tested exit strategies and independent monitoring, audit, and incident-reporting regimes.

Scope and Applicability

The Guide applies to all credit institutions under direct ECB supervision, and covers all forms of cloud outsourcing (IaaS, PaaS, SaaS), across public, private, community or hybrid cloud models. It also extends to situations where non-cloud third-party providers depend on cloud infrastructure supporting a critical or important function.

While the concept of proportionality will apply, the relevant institutions are encouraged to evidence compliance, based on the nature, scale, and complexity of the outsourced function.

Governance and Risk Management

Institutions should integrate cloud outsourcing into their ICT-risk frameworks, assign clear internal roles and responsibilities, and ensure contractual alignment with cloud service providers. Before signing, banks must conduct a comprehensive ex-ante risk assessment covering lock-in and concentration risks, multi-tenancy risks, data protection and geopolitical risks, long and complex sub-outsourcing chains (generally beyond two or three contractual layers), and vendor dependence across the institution's entire provider landscape. Regular reassessment is required as usage and market conditions evolve.

Internal policies—including risk, business-continuity, IAM, and data-classification policies—must explicitly cover cloud assets. Any deviation from internal standards must be mitigated through compensating controls.

Resilience, Security, and Exit Strategies

The Guide promotes a holistic approach to cloud resilience. It advises that institutions should combine redundant datacenter regions, hybrid or multicloud set-ups, and segregated backups to ensure continuity within maximum tolerable downtime. Disaster-recovery plans must be tested at least annually under multiple failure scenarios, and staff in both the institution and the cloud service provider should receive training with defined roles and responsibilities.

Data must be encrypted in transit, at rest and, where feasible, in use, with sound key-management and audit procedures. The Guide further provides that institutions should restrict data storage locations to approved jurisdictions and monitor compliance through traceability tools, and must explicitly assess political and legal risks of third-country jurisdictions.

According to the Guide, exit strategies should be established for all critical or important cloud services before go-live and include granular plans covering timelines, costs, resource needs, identified alternatives, and transition periods. Termination rights should cover events such as relocation of data centers, changes in applicable law or jurisdiction, and persistent service failures.

The Guide also instructs that exit plans must be tested periodically, demonstrate realistic costs, and be subject to independent review. Institutions should maintain updated lists of qualified alternative providers and verify that internal staff possess the skills needed to execute an exit.

Oversight, Monitoring, and Audit

Institutions remain fully responsible for monitoring and auditing cloud services and may not outsource the verification of compliance itself. They should use independent monitoring tools in addition to those offered by cloud service providers and retain in-house expertise to interpret the results. Cloud service arrangements must define incident-reporting obligations aligned in particular with DORA Arts. 19 and 30 and with the ECB's "good practice" recommendations on contractual clauses (e.g., remediation rights, calculation of audit costs, notification of amendments).

The Guide further provides that internal audit functions should regularly review cloud service provider risk management quality and cannot rely solely on third-party certifications or SOC reports. The ECB encourages joint audits by groups of supervised entities to reduce cost and enhance technical depth, with rotating leadership and participation of qualified technical experts.

Immediate Action Required

To reduce enforcement risk, banks and other directly supervised institutions should, in particular:

  1. Conduct a gap analysis against the ECB Guide and the DORA Level 2 RTS, and define and document any required remediation steps.
  2. Update outsourcing and ICT-risk policies, ensuring they extend to all cloud assets and sub-outsourcing arrangements.
  3. Review and potentially revise contracts to include audit rights, incident reporting, data location and termination clauses aligned with ECB's "good practice" recommendations.
  4. Validate business-continuity and disaster-recovery capabilities, including testing against extreme scenarios of cloud service provider failure or lock-in.
  5. Draft or refresh exit strategies for all critical or important cloud services and test their feasibility with independent verification.
  6. Strengthen IAM and data-classification controls to cover cloud assets and align encryption and key-management processes with DORA standards.

JSTs are expected to request documented evidence of these activities as part of 2026 supervisory cycles. Institutions that fail to align face heightened operational and reputational risk—and potential findings in Supervisory Review and Evaluation Process ("SREP") assessments.

Relation to Other EU ICT-Risk Developments

The ECB Guide complements and operationalizes recent EU rulemaking and supervisory developments covered in our previous client Commentaries: "EU Standards for Threat-Led Penetration Testing" and "Uniform Standards for ICT Subcontracting in the EU Financial Sector." While the subcontracting standards define the mandatory contractual clauses and governance expectations under DORA, and the TLPT framework establishes resilience-testing obligations, the ECB Guide generally translates some of these requirements into supervisory practices that JSTs will potentially use to assess compliance in ongoing supervision and on-site inspections.

Four Key Takeaways

  1. Supervisory expectations clarified: The ECB Guide sets concrete expectations for cloud outsourcing and integrates DORA's requirements into supervisory practice.
  2. Broad scope: The Guide covers any cloud-based ICT outsourcing, including where a third party relies on cloud infrastructure to support critical functions.
  3. Operational resilience in focus: The guidance spans the entire lifecycle from governance to exit and could be used as a benchmark in on-site inspections.
  4. Act now: Stakeholders should benchmark cloud services arrangements, engage cloud service providers on contractual updates, and demonstrate alignment with ECB and DORA expectations to mitigate supervisory and operational exposures.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.