An interest group of EU banks that was formed to assist European financial institutions with their use of public cloud technology recently suggested model terms for the compliant use of cloud technology.
On May 17, 2021, the European Cloud User Coalition ("ECUC"), an interest group of EU banks formed to assist European financial institutions ("FI") with their use of public cloud technology, published a position paper with proposed solutions to challenges in connection with the compliant use of cloud technology.
The proposals provide guidelines on how to deal with outsourcing, risk management, data security, and data privacy requirements applicable to arrangements between FIs and cloud service providers ("CSP") and include points requiring model terms for cloud service agreements.
The pertinent privacy, security, and risk management requirements outlined in the Position Paper serve as a basis for its suggested requirements on standard contractual clauses.
The Position Paper suggests that the legislature or regulatory agencies address five areas with binding model terms—these include: (i) FIs audit rights; (ii) sub-outsourcings by the CSP; (iii) limitations on unilateral changes to contractual terms via embedded URLs, and standardized provisions in service level agreements on services availability, performance metrics, reporting thereof, and communication channels; (iv) categorization of CSPs as controllers or processors; and (v) insurance coverage.
In addition, the Position Paper recommends clarifications to the scope and application of the recently proposed Digital Operational Resilience Act ("DORA"), including an alignment with existing standards.
FIs should consider the outsourcing, risk management, data security, and data privacy requirements as well as the model terms in the Position Paper as a checklist for their own cloud service agreements. They should also confirm that they adequately address the operational and legal risks associated with these arrangements. In addition, the points on DORA provide FIs with an initial overview of areas affected by the implementation of DORA.
The Position Paper's publication will be consulted for the next three months. The consultation phase serves to collect feedback from CSPs, regulatory bodies, and other regulated institutions, which will be incorporated into the paper's next version.
We will keep you posted on developments relating to the use of cloud computing services by FIs.