Chapter 27: Further Reading — Cloud Compliance: Regulatory Requirements for Cloud Adoption


Primary Regulatory Sources

EU: Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector (DORA) EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554

The full text of DORA, which applies from 17 January 2025. Chapter V (Articles 28–44), "Managing of ICT third-party risk", is the core cloud governance framework for EU-regulated financial entities. Articles 28 (general principles, including the register of information), 29 (preliminary assessment of ICT concentration risk), 30 (key contractual provisions) and 31–44 (the oversight framework for Critical ICT Third-Party Providers, CTPPs) are essential reading. As a Regulation it is directly applicable across EU member states without transposition into national law.

DORA Level 2 Regulatory and Implementing Technical Standards (RTS/ITS) European Banking Authority, ESMA, EIOPA (the ESAs) — available at eba.europa.eu

The ESAs have published the Level 2 technical standards that give DORA's requirements their operational detail; they are adopted by the Commission as delegated and implementing regulations. For cloud governance the most relevant are the Implementing Technical Standard (ITS) on the register of information under Article 28(9), which fixes the templates and data fields of the ICT third-party register; the RTS on the policy on the use of ICT services supporting critical or important functions under Article 28(10), which covers the pre-contractual, contractual and lifecycle requirements for those arrangements; and the RTS on subcontracting of ICT services supporting critical or important functions under Article 30(5). Read the Level 1 text alongside these: the Regulation states the obligation, and the technical standards define what a compliant register or contract actually contains.


EU: EBA Outsourcing Guidelines (2019)

EBA/GL/2019/02 — Guidelines on outsourcing arrangements European Banking Authority, February 2019: https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

The EBA Outsourcing Guidelines, applying from 30 September 2019, established the EU baseline for cloud and outsourcing governance before DORA. For financial entities within DORA's scope, the ICT-related parts are superseded by DORA's more specific requirements, but the guidelines remain the interpretive background to the current framework and still govern outsourcing of non-ICT functions. Key provisions cover the definition of critical or important functions, the outsourcing register, contractual requirements and the pre-outsourcing risk assessment. The guidelines also absorbed the cloud-specific expectations previously set out in the EBA's 2017 cloud recommendation, which they replaced.

EBA Cloud Recommendation (EBA/REC/2017/03) European Banking Authority, 2017: https://www.eba.europa.eu/regulation-and-policy/internal-governance/recommendations-on-cloud-outsourcing

The EBA's cloud-specific recommendation, published in December 2017 and applying from 1 July 2018, addressed the application of outsourcing principles to cloud services: materiality assessment, duty to inform the supervisor, access and audit rights, data security and location, chain outsourcing and exit. It was repealed and folded into the 2019 outsourcing guidelines, and its substance is now found in DORA, but it remains useful context for understanding how regulatory thinking on cloud evolved.


UK: Bank of England Supervisory Statement SS2/21

SS2/21 — Outsourcing and third party risk management Prudential Regulation Authority, March 2021: https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss

The PRA's detailed supervisory expectations for outsourcing, including cloud, for PRA-regulated firms (banks, building societies, insurers and PRA-designated investment firms), effective from 31 March 2022. It covers the definition of outsourcing and materiality, governance and record-keeping, pre-outsourcing due diligence and risk assessment, contractual requirements, data security, access, audit and information rights, sub-outsourcing, concentration risk, and business continuity and exit plans. It does not itself define important business services or impact tolerances; those sit in the companion SS1/21 (Operational resilience: Impact tolerances for important business services, also March 2021), and SS2/21 is written to be read with it. Together they are the primary UK reference for cloud governance at PRA-regulated firms.

PS21/3 — Outsourcing and third party risk management (Policy Statement) Prudential Regulation Authority, March 2021

The policy statement that accompanied SS2/21, summarizing responses to the consultation and the PRA's final policy positions. Read alongside SS2/21 for full context.


UK: Critical Third Parties Regime (HM Treasury, PRA, FCA and Bank of England)

PS16/24 (PRA) / PS24/16 (FCA) — Operational resilience: Critical third parties to the UK financial sector Bank of England, Prudential Regulation Authority and Financial Conduct Authority, November 2024, published on the Bank of England and FCA websites

The policy statements finalising the Critical Third Parties (CTP) regime created by the Financial Services and Markets Act 2023. Under the regime HM Treasury, after consulting the regulators, designates a third party, including a cloud provider, as critical to the UK financial sector; the designated CTP then becomes subject to the regulators' rules, information-gathering powers and oversight for the services it supplies to firms. Designation does not transfer a firm's own obligations: a bank using a designated cloud provider still owes the PRA everything SS2/21 requires. Essential reading for understanding how UK cloud governance is converging with the DORA CTPP framework.


US: Interagency Guidance on Third-Party Relationships

Interagency Guidance on Third-Party Relationships: Risk Management (2023) OCC, Federal Reserve, FDIC, June 2023: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html

The interagency guidance on third-party risk management for US banking organisations, which rescinds the OCC's Bulletin 2013-29 and the equivalent FDIC and Federal Reserve guidance. It is not cloud-specific: it sets out a risk-based lifecycle (planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, termination) and expectations on governance, subcontractors, concentration risk and audit and information rights that apply to a cloud provider as to any other third party. It is guidance rather than a rule and is less prescriptive than DORA, but it is the framework US supervisors use when assessing cloud governance at supervised institutions.


APAC: MAS Technology Risk Management Guidelines

Technology Risk Management Guidelines Monetary Authority of Singapore, January 2021: https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines

MAS's guidelines on technology risk management for financial institutions in Singapore, revised in January 2021. Cloud governance is split across two MAS documents: the TRM Guidelines cover the technical controls (security-by-design, IT resilience, access control, cryptography, data and infrastructure security, cyber security operations) that a firm must assure whether infrastructure is on-premises or in the cloud, while the MAS Guidelines on Outsourcing (2016, revised 2018) contain the cloud-specific section on provider assessment, contractual requirements, data security and exit. MAS's 2021 advisory on the technology and cyber security risks of public cloud adoption applies the TRM principles to public cloud specifically. Together these are widely regarded as a leading APAC standard and are referenced by other regulators in the region.


Cloud Provider Compliance Documentation

Amazon Web Services

AWS Financial Services https://aws.amazon.com/financial-services/

AWS's central resource for financial services compliance documentation, including AWS's DORA guidance, which maps DORA requirements to AWS services and contractual provisions, and its data residency and European Sovereign Cloud material. AWS also offers financial services customers a Financial Services Addendum that supplements the standard Customer Agreement with the contractual protections regulated workloads need, such as audit and access rights and exit assistance, which the default terms do not include; a regulated firm should confirm the addendum is in place before placing a critical or important function on AWS.

AWS Compliance Programs https://aws.amazon.com/compliance/programs/

Overview of AWS's compliance certifications including ISO 27001, ISO 27017 (cloud security), SOC 2 Type II, PCI DSS and CSA STAR. Includes links to the AWS Artifact portal through which customers can access AWS's audit reports and certifications under the portal's confidentiality terms. Each certification and report covers a listed scope of services and regions; check the scope document in Artifact against the services you actually use rather than relying on the headline certificate.

AWS Well-Architected Framework — Security Pillar https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

AWS's framework for designing secure cloud architectures, covering identity and access management, detection controls, infrastructure protection, and data protection. Useful for compliance professionals assessing whether a cloud architecture meets the security expectations implicit in DORA and related frameworks.


Microsoft Azure

Microsoft Azure for Financial Services https://azure.microsoft.com/en-us/solutions/industries/financial/

Azure's central resource for financial services compliance, including the Azure Financial Services Compliance Program documentation, the DORA compliance guide, and the Azure EU Data Boundary. Contains links to Azure's audit reports and compliance certifications.

Azure Compliance Documentation https://learn.microsoft.com/en-us/azure/compliance/

Comprehensive documentation of Azure's compliance posture across all major regulatory frameworks, organized by framework and by geography. Includes specific documentation for DORA, EBA guidelines, SS2/21, GDPR, and APAC requirements.


Google Cloud Platform

Google Cloud for Financial Services Compliance https://cloud.google.com/solutions/financial-services/compliance

Google Cloud's compliance documentation for financial services, including its DORA resources and its data residency controls (Assured Workloads, which pins resources and data to chosen regions and restricts provider personnel access).


Cloud Security Standards and Frameworks

Cloud Security Alliance (CSA)

CSA Security, Trust, Assurance and Risk (STAR) Registry https://cloudsecurityalliance.org/star/registry

The CSA STAR Registry publishes cloud provider security assessments at two levels: Level 1, a self-assessment against the Cloud Controls Matrix using the Consensus Assessments Initiative Questionnaire (CAIQ), and Level 2, a third-party audit in the form of STAR Certification (ISO/IEC 27001 plus the CCM) or STAR Attestation (SOC 2 plus the CCM). CSA has also described a continuous-monitoring level (STAR Continuous), but the bulk of registry entries are Level 1 and Level 2. Treat a Level 1 entry as the provider's own claims, useful for structuring due diligence questions, and a Level 2 entry as independent assurance. The registry lets financial firms compare providers' postures during due diligence, and the CCM underlying STAR is one of the most comprehensive cloud security control frameworks available.

CSA Cloud Controls Matrix (CCM) https://cloudsecurityalliance.org/research/cloud-controls-matrix/

The Cloud Controls Matrix is a cybersecurity control framework for cloud computing; the current version, CCM v4, has 197 control objectives in 17 domains and is mapped to ISO/IEC 27001, 27002, 27017 and 27018, NIST SP 800-53 and other standards. Useful for structuring due diligence questionnaires and assessing cloud provider security posture against a recognised standard, and its shared-responsibility column shows for each control whether the provider, the customer or both must implement it.


ISO Standards

ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO 27017 provides cloud-specific security guidance supplementing the general ISO 27001 framework. It covers shared responsibilities between provider and customer, virtual environment security and additional cloud-specific controls. When reviewing a cloud provider's security posture, ISO 27017 alignment gives more specific cloud assurance than ISO 27001 alone. Note that 27017 is a code of practice, not a standalone certification: providers evidence it as an extension to their ISO 27001 certificate, so check that the certificate and statement of applicability actually list the 27017 controls and the services in scope.

ISO/IEC 27018:2019 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO 27018 addresses the protection of personal data in public cloud environments. Relevant for assessing cloud provider practices around data handling, data subject rights, and privacy controls applicable to GDPR and UK GDPR compliance.


Academic and Industry Research

Financial Stability Board — Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships (discussion paper, November 2020) and Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities (final report, December 2023), both available at fsb.org

The FSB's cross-jurisdictional review of regulatory approaches to outsourcing and third-party risk, including cloud. The 2020 discussion paper surveys the national frameworks and identifies areas of convergence and divergence; the 2023 toolkit turns that into a common vocabulary and a set of practices for firms and authorities. Particularly relevant for multi-jurisdictional firms navigating different national requirements.

Joint Forum (Basel Committee, IOSCO and IAIS) — Outsourcing in Financial Services (February 2005), published by the Bank for International Settlements https://www.bis.org/publ/joint12.htm

Dated in its examples, but the Joint Forum's nine outsourcing principles continue to underpin many national frameworks and provide the conceptual foundation for understanding why due diligence, contractual protections, and exit planning are core governance obligations.

European Systemic Risk Board — Systemic Cyber Risk (2020) https://www.esrb.europa.eu/pub/pdf/reports/esrb.report200219_systemic_cyber_risk~101a08e8d7.en.pdf

The ESRB's analysis of systemic cyber risk in the financial sector, including the concentration risk created by shared reliance on a small number of technology providers. Provides the macroprudential rationale for DORA's concentration risk provisions.


Practitioner Resources

ESAs' Register of Information Templates Available at eba.europa.eu — the templates and data fields for the DORA register of information (Article 28(3)), specified in the ESAs' ITS under Article 28(9) and exercised in the ESAs' 2024 dry run. They are the practical starting point for building the ICT third-party register, and because the register must be reportable to the competent authority in this format, building it to the templates from the outset avoids a later migration.

ENISA Cloud Security Guide for SMEs European Union Agency for Cybersecurity, 2015: https://www.enisa.europa.eu/publications/cloud-security-guide-for-smes

A practical guide to cloud security governance from the EU's cybersecurity agency, useful for smaller firms developing their first cloud governance framework.

Cloud Security Alliance — DORA Cloud Implementation Guidelines CSA's practitioner-oriented guide to implementing DORA's ICT third-party requirements for cloud-hosted workloads, with specific guidance on contractual negotiations, audit rights, and concentration risk assessment.