The European Cloud User Coalition (ECUC) published a paper (the Position Paper) on May 17 recommending, among other matters, the adoption of “model clauses” for the long-term compliant use of cloud technologies.
The ECUC comprises at least 19 EU financial institutions with the objective of developing a joint position for the use by its members of public cloud technology provided by EU and non-EU cloud service providers (CSPs).
The Position Paper identifies three main challenges:
- Overall public cloud adoption is challenging for financial services institutions because the use of cloud computing is regulated as outsourcing, with the specific obligations that classification brings.
- Legislation such as the proposed EU Digital Operational Resilience Act (DORA) and rulings such as Schrems II currently make it difficult for financial services institutions to adopt public cloud services.
- Financial services institutions engaging CSPs individually leads to additional administrative effort and time, as well as misdirection of priorities.
The Position Paper proposes to address these challenges by making recommendations to both CSPs and EU regulatory bodies in respect of operational and contractual requirements around privacy, security, governance, and regulation.
Impact on Cloud Services Agreements
The Position Paper sets out the following key areas where the ECUC recommends alignment as part of model contractual clauses:
- Customer audit rights: CSPs’ obligations regarding audits, audit rights to data centers, and CSP services should be standardized. Note that any CSPs subject to the European Banking Authority’s (EBA’s) guidelines on outsourcing arrangements (the EBA Guidelines) will already be required to comply with stringent audit and access requirements in respect of the outsourcing of critical and important functions.
- Sub-outsourcing: The sub-outsourcing rights of CSPs should be limited to reflect the EBA Guidelines, including the right for financial institutions to terminate in the event of unsuitable subcontractors.
- Embedded URLs within contracts: Unilateral amendments to a document available via an embedded URL (i.e., website address) should not affect the agreed terms and conditions during the contract term. The ECUC also recommends that any changes proposed generally by suppliers should ensure an equal or improved service is received by the customer, or that any change or termination of the cloud service must be on at least 18 months’ notice. While the intention of these recommendations is to protect the financial institution from unexpected changes to the cost and scope of services, they could be impractical given the nature of the cloud environment and the CSPs’ business model as a whole.
- Service level agreements: The ECUC recommends that service level agreements should require CSPs to monitor and report on performance metrics and automate reporting deviations at no additional charge to the financial institution. Practically, CSPs may decide to incorporate such costs as part of the overall fee for the service, rather than a specific fee designated to this task.
- Data controllers or processors: CSPs must be able to justify their categorization as a data processor only, in accordance with the EU General Data Protection Regulation (GDPR), rather than assuming that they are a data processor. This is an exercise that will typically already have been undertaken by CSPs that are required to comply with the GDPR.
- Insurance: The contract should set out in its insurance clause that the value of the insurance coverage must increase as the number of assets on the cloud increases. This is an unusual requirement that is not typically included in cloud services agreements.
DORA and Impact on Financial Services Outsourcing in the EU
The Position Paper recommends certain clarifications to the application of DORA, including instances where existing regulatory guidance could be updated to align with it (for example, the EBA Guidelines and the European Securities and Markets Authority’s guidelines on outsourcing to CSPs) and where DORA could be updated to align with other industry standards. If the European Commission and EU regulators were to amend DORA and existing guidance to align with these proposals, this would impact CSPs that are currently in the process of implementing changes to their cloud infrastructures and standard contractual terms with customers to ensure compliance with regulations such as the EBA Guidelines.
Next Steps
Over the course of the next three months, the ECUC will consult on the Position Paper. Feedback is expected to be received from a broad range of market players, including CSPs, regulatory bodies, and other regulated institutions, with a view to incorporating this feedback into the next iteration of the Position Paper and the European Commission’s consultation on standard contractual clauses for cloud service agreements.