Page Contents
Related areas
Key contacts
In July 2025, the European Central Bank (ECB) and the European Securities and Markets Authority (ESMA) each published guidance to financial institutions on their outsourcing to cloud service providers. The guidance should be seen against obligations in the Digital Operational Resilience Act (DORA) which came into effect in January 2025 and, in the case of the ECB, wider regulator concerns on banks’ governance and control of major outsourcings.
ECB guidance on cloud outsourcing
The ECB’s new Guide on outsourcing cloud services to cloud service providers is addressed to credit institutions which it directly supervises through Joint Supervision Teams, but may well be taken into account by national regulators who supervise ‘Less Significant Institutions’. As indicated during the consultation process, the ECB developed the Guide in response to:
The Guide sets out the ECB’s understanding of DORA legal requirements and clarifies its supervisory expectations for credit institutions that outsource cloud services to third party service providers. Where appropriate, the ECB’s expectations are complemented by examples of good practices that are based on observations during supervisory activities and which the ECB has assessed as being adequate.
The supervisory expectations and good practice examples cover:
It is worthwhile for Legal and Compliance teams in the banking sector to review the ECB’s Guide in detail, especially as operational resilience is a key ECB priority which will be the subject of a number of on-site inspections over the coming supervisory cycle.
ESMA guidance on cloud outsourcing
ESMA published a final report containing guidelines to revise and replace its existing Guidelines on outsourcing to cloud service providers (the existing Guidelines are available here).
In light of DORA, the scope of the revised Guidelines is narrower, as they will no longer apply to entities that fall within the scope of DORA. As a result, the revised Guidelines will apply only to depositaries of alternative investment funds referred to in Article 21 of the Alternative Investment Fund Managers Directive and depositaries of UCITS referred to in Article 23 of the Undertakings for Collective Investment in Transferable Securities Directive.
Apart from the narrowed scope, the substantive content of the existing Guidelines remains unchanged, which is why ESMA did not conduct a public consultation on the changes.
The revised Guidelines will be translated in the official EU languages and published on ESMA’s website. They will apply to all in-scope cloud outsourcing arrangements entered into, renewed or amended on or after the date of publication.
Conclusion
The guidance issued by the ECB and ESMA underscores the importance of robust risk management and monitoring of cloud outsourcing arrangements. Credit institutions should carefully review and align their practices with the new supervisory expectations issued by the ECB. As the regulatory landscape continues to evolve with the implementation of DORA and relevant guidance, staying informed and proactive in adapting to these changes will be crucial for maintaining regulatory compliance and safeguarding against potential vulnerabilities.
For further information on the ECB and ESMA’s guidance or on DORA, please contact Patrick Brandt, Partner, Ciara Brady, Senior Associate, Louise Hogan, Senior Associate, Caroline O’Byrne, Senior Associate, Sarah Lee, Senior Knowledge Lawyer or any member of ALG's Financial Regulation Advisory team.
Date published: 24 July 2025
