Description

Issued Supervisory Notice on Cloud Outsourcing

On 1 February 2024, the German Federal Financial Supervisory Authority (BaFin) published a supervisory notice on outsourcing to cloud providers. The notice, based on the guidance from November 2018, provides practical insights into how BaFin assesses outsourcing to cloud providers and offers guidance for supervised companies. The notice includes updated content on cloud outsourcing governance, introduction processes, and contractual minimum standards. It also introduces two new chapters providing advice on development, operation, and cybersecurity in the cloud, as well as specific monitoring and control of the cloud provider's performance and security. The notice is directed at companies supervised in the financial sector, including credit institutions, financial services institutions, insurance companies, occupational pension institutions, pension funds, securities institutions, other securities services companies, capital management companies, payment institutions, and e-money institutions.

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
other service provider, infrastructure provider: cloud computing, storage and databases
Implementation Level
national
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

2024-02-01
adopted

On 1 February 2024, the German Federal Financial Supervisory Authority (BaFin) published a supervis…