Digital transformation is an unstoppable process that has substantially accelerated since the Covid-19 pandemic. As one of the targets of the Digital Decade, at least 75 % of EU companies are expected to use the cloud, Big Data or AI technology by 2030.
The banking sector has not remained on the sidelines of cloud technology’s growing relevance. Although the Financial Stability Board concluded in a 2019 report that cloud computing doesn’t pose an immediate risk to financial stability, a few years have since gone by and the use of the cloud by the industry is growing.
This has prompted a supervisory and regulatory response that, in the EU’s case, has translated into the adoption of the Digital Operational Resilience Act (DORA). Though DORA entered into force on 16 January 2023, it will only apply from 17 January 2025. Still, at present, there is no legal vacuum and in the case of the banking sector, the European Banking Authority’s Guidelines on Outsourcing Arrangements are indeed applicable.
Yet a number of myths have been circulating when it comes to the supervisory practices of cloud services usage by the banking sector and this CEPS Explainer refutes them. Besides, though the risk types of an on-premise or cloud model are essentially the same, it is risk governance that differs. Moreover, there are means to mitigate the two most relevant risks (concentration and vendor lock-in risks).
Finally, cloud is an opportunity for banks to really focus on their core business, which is a key reason to avoid any unwarranted protectionist measures.
