EACB and its members consider that the guidelines proposed by ESMA regarding cloud outsourcing are generally acceptable, but that some issues should be aligned to the reality of Cloud Service Providers (CSPs). A general requirement on “access-to-premises” is outdated with regard to cloud outsourcing. We support the idea that it should be redefined, e.g. as access to the systems, but not physical access to the infrastructure. Also, CSP is a highly standardized approach, technically, commercially and concerning contractual clauses. Individual negotiations and changes to standard agreements are state-of-the-art.
Additionally, a general comment on the decision 2016/1250 of the European Court of Justice of 16.7.2020 should be made, as the decision invalidates the EU-US Data Protection Shield agreement and raises a number of question marks concerning "cloud", depending on where a cloud services provider (CSP) processes the "outsourced" data (see also Q6.54). However, the ECJ decision is quite new and possible consequences are unclear.
For co-operative banks in Europe, Guideline 6.50 is important, as it mentions (i) usage of third-party certifications and (ii) pooled audits performed jointly with other clients of the same CSP, which helps the model of co-operative banks using "cloud" services of centralized datacenters owned by the co-operative banks together. EACB wants to emphasise this issue, as our “internal” clouds within the co-operative sector are an essential element of the co-operative operating model. More detailed comments can be found in the enclosed documents.