In November 2018, the Federal Financial Supervisory Authority (“Bundesanstalt für Finanzdienstleistungsaufsicht”, “BaFin”) and Deutsche Bundesbank published guidance on the outsourcing of services to cloud service providers (“Guidance on Cloud Services”). According to BaFin and Deutsche Bundesbank, the Guidance on Cloud Services does not stipulate any new requirements, but condenses the already existing general requirements for outsourcing projects and the procurement of IT services as they apply to cloud services. It is addressed to credit institutions, financial services institutions, insurance undertakings, pension funds, investment services enterprises, capital management companies, payment institutions and e-money institutions. Now, BaFin and Deutsche Bundesbank have published an official English version of the Guidance on Cloud Services, which is available here. The Guidance on Cloud Services addresses important issues such as information and audit rights; rights to issue instructions; data security/protection; termination provisions; chain outsourcing and information duties; and applicable law. Some of these points are regulated in a similar way to the current EBA Guidelines on outsourcing arrangements, which have integrated the former EBA Recommendations on outsourcing to cloud service providers.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/industry 4.0, IT-related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

Furthermore, he also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice currently consists of advice in connection with the implementation of the GDPR (data protection) in Europe.