Search Options
Home Media Explainers Research & Publications Statistics Monetary Policy The €uro Payments & Markets Careers
Sort by

ECB consults on outsourcing cloud services

3 June 2024

  • ECB invites comments from banks and other stakeholders involved in cloud service outsourcing
  • Guide details supervisory expectations and best practices for banks’ outsourcing of cloud services
  • Guide became necessary after ECB found vulnerabilities in banks’ IT outsourcing strategies
  • Consultation period ends on 15 July 2024

The European Central Bank (ECB) today launches a public consultation on its new Guide on outsourcing cloud services to cloud service providers.

The Guide aims to clarify both the ECB’s understanding of related legal requirements and its expectations for the banks it supervises. This will make supervision more consistent while helping ensure a level playing field for all banks. The Guide draws on risks and best practices observed by Joint Supervisory Teams in the context of ongoing supervision and dedicated on-site inspections.

Banks are increasingly using cloud computing services offered by third-party service providers. These services are potentially cheaper, more flexible and more secure, but dependency on third parties can also expose banks to risks, for example with regard to IT security and possible business disruptions. For example, if a bank cannot easily substitute outsourced services during a failure, its functions may be interrupted. In addition, the market for cloud services is highly concentrated, with many banks relying on just a few service providers located in non-European countries. Therefore, the ECB considers it good practice for banks to explicitly take these risks into consideration.

In addition, the ECB identified various vulnerabilities in banks’ IT outsourcing arrangements during its 2023 Supervisory Review and Evaluation Process. As a result, third-party risk management, including cloud outsourcing, remains high on the list of the ECB’s Supervisory priorities for 2024-2026.

In an effort to enhance ICT related risk management, EU legislators introduced the Digital Operational Resilience Act (DORA), highlighting the need to proactively mitigate risks that could lead to the disruption of critical functions or services. Legal acts such as the DORA and the Capital Requirements Directive require banks to establish effective governance of risk stemming from outsourcing, as well as to build up frameworks for IT security and for cyber resilience. The Guide outlines the ECB’s understanding of these specific rules and how they apply to the banks it supervises.

The public consultation on the Guide on outsourcing cloud services starts today and ends on 15 July 2024. The ECB will subsequently publish the comments received, together with a feedback statement and the final Guide.

For media queries, please contact Clara Martín Marqués, tel.: +49 69 1344 17919.


  • Cloud services are services provided using cloud computing. This is a model enabling convenient, on-demand network access to a shared pool of configurable computing resources, like networks or servers, that can be provisioned rapidly and released with minimal management effort or service provider interaction.

European Central Bank

Directorate General Communications

Reproduction is permitted provided that the source is acknowledged.

Media contacts