European Central Bank Banking Supervision has published its final Guide on outsourcing cloud services to cloud service providers, setting out how it expects supervised banks to implement relevant requirements under the Digital Operational Resilience Act (DORA). The Guide is not legally binding and does not add requirements beyond DORA, but aims to support more consistent supervision and a level playing field by outlining expectations and recommending good practices for cloud outsourcing risk management. The final text reflects feedback from a public consultation that ended in July 2024, with the ECB considering 696 comments from 26 respondents. Revisions more clearly distinguish between DORA requirements and ECB-recommended good practices, clarify how proportionality should be applied, and align terminology while setting out the Guide's scope and legal nature. The Guide emphasises a risk-based approach to cloud outsourcing, including management of IT security and cyber risks associated with reliance on a limited number of third-party providers, and the ECB has published a feedback statement summarising comments received and its assessment.
European Central Bank - Banking Supervision 2025-07-16
European Central Bank publishes final Guide on outsourcing cloud services to clarify DORA supervisory expectations
The European Central Bank Banking Supervision released its final Guide on outsourcing cloud services, detailing expectations for banks under the Digital Operational Resilience Act (DORA). The non-binding Guide aims to enhance supervision consistency and outlines good practices for cloud outsourcing risk management. It incorporates feedback from a public consultation, clarifying distinctions between DORA requirements and ECB recommendations, and emphasizes a risk-based approach to IT security and cyber risks.