Model Terms Demanded for Cloud Service Agreements with European Banks

Jones Day

An interest group of EU banks that was formed to assist European financial institutions with their use of public cloud technology recently suggested model terms for the compliant use of cloud technology.

On May 17, 2021, the European Cloud User Coalition ("ECUC"), an interest group of EU banks formed to assist European financial institutions ("FI") with their use of public cloud technology, published a position paper with proposed solutions to challenges in connection with the compliant use of cloud technology.

The proposals provide guidelines on how to deal with outsourcing, risk management, data security, and data privacy requirements applicable to arrangements between FIs and cloud service providers ("CSP") and include points requiring model terms for cloud service agreements.


The pertinent privacy, security, and risk management requirements outlined in the Position Paper serve as a basis for its suggested requirements on standard contractual clauses.

The Position Paper suggests that the legislature or regulatory agencies address five areas with binding model terms—these include: (i) FIs audit rights; (ii) sub-outsourcings by the CSP; (iii) limitations on unilateral changes to contractual terms via embedded URLs, and standardized provisions in service level agreements on services availability, performance metrics, reporting thereof, and communication channels; (iv) categorization of CSPs as controllers or processors; and (v) insurance coverage.

In addition, the Position Paper recommends clarifications to the scope and application of the recently proposed Digital Operational Resilience Act ("DORA"), including an alignment with existing standards.

Key Takeaways

FIs should consider the outsourcing, risk management, data security, and data privacy requirements as well as the model terms in the Position Paper as a checklist for their own cloud service agreements. They should also confirm that they adequately address the operational and legal risks associated with these arrangements. In addition, the points on DORA provide FIs with an initial overview of areas affected by the implementation of DORA.

The Position Paper's publication will be consulted for the next three months. The consultation phase serves to collect feedback from CSPs, regulatory bodies, and other regulated institutions, which will be incorporated into the paper's next version.

We will keep you posted on developments relating to the use of cloud computing services by FIs.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.