Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
Instructions: Select the best answer for each question. The answer key with explanations follows the questions.
Question 1
DORA — the EU's Digital Operational Resilience Act — came into force in which year, and which category of entities does it primarily regulate?
A) 2022; only systemically important banks
B) 2023; all EU-incorporated companies with IT systems
C) 2025; a broad range of EU-regulated financial entities including credit institutions, investment firms, insurers, and payment institutions
D) 2025; only entities designated as Critical Infrastructure Operators
Question 2
Under DORA's framework for ICT third-party risk, which entity can be designated as a Critical ICT Third-Party Provider (CTPP), subject to direct regulatory oversight by the European Supervisory Authorities?
A) Any cloud provider that experiences a service outage affecting a regulated firm
B) Only EU-incorporated technology companies
C) Hyperscale cloud providers such as AWS, Microsoft Azure, or Google Cloud, if their services are critical to the financial system
D) Only providers that have failed to comply with DORA Article 30 contractual requirements
Question 3
DORA Article 30 specifies the minimum contractual content that financial entities must include in agreements with ICT third-party providers. Which of the following is NOT explicitly required by Article 30?
A) The financial entity's right to access, inspect, and audit the provider
B) Exit assistance and transition support provisions
C) A requirement that the cloud provider maintain ISO 27001 certification at all times
D) Sub-outsourcing notification and approval provisions
Question 4
A UK bank is migrating its sanctions screening system to AWS. Under the shared responsibility model for IaaS (Infrastructure as a Service), which of the following security responsibilities does the bank retain?
A) Physical security of the data center
B) Hypervisor security and network fabric management
C) The operating system, application security, and data encryption
D) All security responsibilities — the bank retains nothing under IaaS
Question 5
The Bank of England's Supervisory Statement SS2/21 introduces the concept of "impact tolerances" for Important Business Services (IBS). Which of the following best describes what an impact tolerance represents?
A) The maximum acceptable cost of a cloud provider outage expressed in monetary terms
B) The maximum period of disruption to an Important Business Service before intolerable harm is caused, typically expressed as a time limit
C) The minimum level of uptime that cloud providers must guarantee under an SLA
D) The maximum percentage of transactions that may fail during a cloud maintenance window
Question 6
A UK bank has configured its AML transaction monitoring system to run on AWS eu-west-2 (London). The bank's IT team has set up CloudWatch logging with log groups in us-east-1 (Virginia, USA). From a data residency perspective, which of the following statements is most accurate?
A) This configuration is compliant because the primary application data is in the UK
B) This configuration may be non-compliant under UK GDPR because CloudWatch logs may contain personal data being transferred to the US without an appropriate legal mechanism
C) CloudWatch log data is operational data and is not personal data for GDPR purposes
D) US data transfers are automatically covered by the AWS Customer Agreement and require no additional legal mechanism
Question 7
A financial firm's cloud exit strategy for its core regulatory reporting system states: "In the event of provider failure, we will migrate to Azure within 14 days using a manual data export process." What is the most significant regulatory deficiency in this exit strategy?
A) The exit strategy should specify Google Cloud rather than Azure as the alternative provider
B) The exit strategy has not been tested, and the 14-day timeline has not been validated against the firm's Recovery Time Objective for the regulatory reporting function
C) The exit strategy should be approved by the IT department, not the compliance function
D) Manual data export processes are prohibited under DORA and SS2/21
Question 8
The "right to audit" is a required contractual provision under DORA Article 30. How do hyperscale cloud providers typically fulfil this requirement, given that they cannot accommodate individual firm audits of their physical data centers?
A) They exempt themselves from audit requirements through standard terms of service
B) They provide audit rights only to firms with more than €10 billion in assets
C) They publish regularly updated third-party audit reports (SOC 2 Type II, ISO 27001) and offer contractual provisions allowing firms to rely on those reports as fulfilling the audit right
D) They grant firms direct access to conduct on-site inspections of all data center facilities
Question 9
Which of the following describes sub-outsourcing in the context of cloud compliance?
A) When a financial firm outsources multiple functions to the same cloud provider
B) When a cloud provider engages its own third-party suppliers to deliver part of its services to the financial firm
C) When a financial firm uses a SaaS application that is hosted on a public cloud platform
D) When a financial firm migrates workloads between cloud providers
Question 10
A firm's assessment of its cloud estate reveals that six of its eight critical ICT systems are hosted on a single cloud provider. Under DORA, what is this firm primarily required to do?
A) Immediately migrate at least half of the critical systems to a different provider
B) Notify the cloud provider that it must diversify its own infrastructure
C) Conduct and document a concentration risk assessment, and national competent authorities may require diversification measures if the concentration is deemed excessive
D) Nothing — DORA does not address concentration risk at the firm level
Question 11
Under UK FCA rules, when is a financial firm required to notify the FCA prior to completing a cloud migration?
A) For all cloud migrations, regardless of the workload's criticality
B) Only when migrating to a non-UK cloud provider
C) When the cloud migration constitutes material outsourcing of a critical or important function
D) Only when the migration involves personal data subject to GDPR
Question 12
A RegTech vendor offers a cloud-hosted AML transaction monitoring system (SaaS). The financial firm that purchases this system must conduct due diligence on the vendor under DORA and EBA outsourcing guidelines. What additional due diligence consideration is specifically relevant to a SaaS arrangement, compared to a firm self-hosting its own application on IaaS?
A) No additional due diligence is required for SaaS because the vendor manages all security
B) The firm must also assess the cloud infrastructure provider on which the SaaS vendor's application runs, since this creates a layered outsourcing chain
C) SaaS arrangements are exempt from DORA Article 30 requirements because the vendor is responsible for the application layer
D) The firm must obtain its own ISO 27001 certification to use a SaaS compliance tool
Question 13
The FCA's PS23/5 established the Critical Third Parties (CTP) regime in the UK. What is the primary purpose of this regime?
A) To require financial firms to use UK-incorporated cloud providers
B) To allow the FCA and PRA to designate specific third parties — including cloud providers — as systemically important and subject them to direct regulatory oversight
C) To create a mandatory certification programme for all cloud providers selling to UK banks
D) To cap the concentration of a single cloud provider across UK financial services at twenty-five percent of market share
Question 14
A financial firm is using AWS Lambda (serverless compute, PaaS) to run a regulatory reporting pipeline. The firm's compliance officer claims: "Because Lambda is PaaS, AWS is responsible for our data security — we just write the code." Evaluate this claim.
A) The claim is correct — under PaaS, the cloud provider assumes all data security responsibilities
B) The claim is partially correct — AWS manages the runtime security, but the firm retains responsibility for its application code, data handling, access controls, and configuration of the Lambda environment
C) The claim is incorrect — under PaaS, the firm retains all security responsibilities including the runtime
D) The claim is irrelevant because PaaS services are not subject to DORA third-party requirements
Answer Key
1. C — DORA came into force in January 2025 and applies to a broad range of EU-regulated financial entities. It does not apply only to systemically important banks or all EU companies.
2. C — Hyperscale cloud providers can be designated as CTPPs by the ESAs if their services are critical to the stability of the EU financial system. The designation is triggered by systemic significance, not individual compliance failures.
3. C — Article 30 does not require that the cloud provider maintain ISO 27001 certification. ISO 27001 is a common due diligence assessment criterion but is not mandated as a contractual provision. The required provisions include audit rights, exit assistance, sub-outsourcing notification, and incident notification.
4. C — Under IaaS, the cloud provider manages the physical infrastructure, network, and hypervisor. The firm is responsible for the operating system, middleware, application security, and data encryption. This is the core shared responsibility principle for IaaS.
5. B — An impact tolerance is the maximum period of disruption to an Important Business Service before intolerable harm results. It is typically expressed as a time duration (e.g., "four hours") and may include other parameters (e.g., maximum failed transactions). It is a regulatory commitment, not merely an aspiration.
6. B — CloudWatch logs for an AML system are likely to contain personal data (customer account identifiers, transaction references). Routing those logs to a US region transfers personal data outside the UK without a confirmed legal mechanism under UK GDPR. The primary application data location does not determine compliance for all data flows.
7. B — The critical deficiency is that the exit strategy has not been tested and the 14-day timeline has not been validated against the firm's RTO. Regulators expect exit strategies to be exercised, not merely documented. Manual data export is not prohibited — but its feasibility and timeline must be demonstrated.
8. C — Hyperscale providers fulfil the audit right through third-party audit reports (SOC 2 Type II, ISO 27001) and contractual provisions allowing firms to rely on those reports. Individual physical inspection of hyperscale data centers is not offered to customers, but the pooled audit approach is accepted by regulators when properly structured in the contract.
9. B — Sub-outsourcing occurs when a cloud provider engages its own third-party suppliers to deliver part of its contracted services. This creates a chain of dependency that the financial firm may not be aware of. DORA requires cloud providers to disclose material sub-contractors and notify firms of material changes.
10. C — DORA requires firms to assess and document concentration risk. National competent authorities may require diversification measures if they determine the concentration creates unacceptable systemic risk. Immediate forced migration is not the standard response — documented assessment is the minimum obligation.
11. C — FCA notification prior to completion is required for material outsourcing of a critical or important function. Not all cloud migrations are material — a collaboration tool migration is not — but core compliance systems (AML, sanctions, regulatory reporting) typically qualify.
12. B — SaaS creates a layered outsourcing chain: the firm outsources to the RegTech vendor, and the vendor in turn relies on a cloud provider. Due diligence must assess both layers. The firm cannot assume that the vendor's cloud infrastructure is secure simply because the vendor holds ISO 27001; the firm must understand the dependency and ensure it is appropriately governed.
13. B — PS23/5 allows the FCA and PRA to designate specific third parties as Critical Third Parties and subject them to direct regulatory requirements, including operational resilience testing. This regime addresses the regulatory gap where cloud providers had no direct accountability to financial regulators despite being central to the resilience of many regulated firms.
14. B — Under PaaS, AWS manages the runtime and underlying infrastructure. The firm retains responsibility for its application code (including any security vulnerabilities in the Lambda function), the data it processes, access controls, IAM configurations, and environment configuration. "Writing the code" means owning the application security and data handling logic — which are substantial responsibilities.
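The residency failure in question 6 (log groups created in us-east-1 while the AML workload runs in eu-west-2) is easy to catch mechanically. The script below is an added example, not code from the chapter: it audits a constructed inventory shaped like the output of CloudWatch's `describe_log_groups` call against a UK-only region policy. It also flags log groups with no customer-managed KMS key, since under the shared responsibility model in question 4 the bank, not AWS, owns data encryption. The region allowlist and the sample inventory are assumptions for the example; no AWS calls are made.

```python
"""Data-residency audit for CloudWatch log groups (added example, not from the chapter)."""
from dataclasses import dataclass

# Assumption: the AML workload is permitted to store data in the London region only.
ALLOWED_REGIONS = {"eu-west-2"}


@dataclass(frozen=True)
class Finding:
    log_group: str
    region: str
    reason: str


def parse_arn(arn: str) -> dict:
    """Split an AWS ARN into its fields: arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn}")
    return {"partition": parts[1], "service": parts[2], "region": parts[3],
            "account": parts[4], "resource": parts[5]}


def audit_log_groups(inventory: list[dict], allowed_regions=ALLOWED_REGIONS) -> list[Finding]:
    """Return one Finding per residency or encryption gap in the log-group inventory."""
    findings = []
    for group in inventory:
        arn = parse_arn(group["arn"])
        if arn["service"] != "logs":
            continue  # not a CloudWatch Logs resource; ignore
        name = group["logGroupName"]
        if arn["region"] not in allowed_regions:
            findings.append(Finding(name, arn["region"], "log data stored outside allowed regions"))
        if not group.get("kmsKeyId"):
            findings.append(Finding(name, arn["region"], "no customer-managed KMS key on log group"))
    return findings


# Constructed sample inventory mirroring the scenario in question 6 (not real account data).
SAMPLE_INVENTORY = [
    {"logGroupName": "/aws/lambda/aml-txn-monitor",
     "arn": "arn:aws:logs:eu-west-2:123456789012:log-group:/aws/lambda/aml-txn-monitor:*",
     "kmsKeyId": "arn:aws:kms:eu-west-2:123456789012:key/00000000-0000-0000-0000-000000000000"},
    {"logGroupName": "/aml/txn-monitor/app",
     "arn": "arn:aws:logs:us-east-1:123456789012:log-group:/aml/txn-monitor/app:*"},
    {"logGroupName": "/aml/sanctions/audit",
     "arn": "arn:aws:logs:eu-west-2:123456789012:log-group:/aml/sanctions/audit:*"},
]

if __name__ == "__main__":
    for f in audit_log_groups(SAMPLE_INVENTORY):
        print(f"{f.log_group} [{f.region}]: {f.reason}")
```

Run against the sample inventory, the us-east-1 group produces two findings (wrong region, no KMS key) and the unencrypted London group one, while the correctly placed and encrypted Lambda log group produces none.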