(i) Criminal sanctions
Senior managers of credit institutions and financial services providers have personal risk management obligations, as specified in Section 25c of the German Banking Act (Kreditwesengesetz ("KWG")). Breaches of certain risk management obligations can be a criminal act if: (i) the manager's violation threatens the viability of the institution; and (ii) the manager did not comply with an express instruction from the regulatory authority.
(ii) Administrative fines
The failure by credit institutions or financial services providers to properly notify the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) can lead to administrative fines of up to EUR 100,000 (Section 56 (2) No. 1 f) in connection with Section 56 (6) No. 4 of the KWG).
Failure to notify the BaFin of an intended outsourcing of internal security measures is not sanctionable.
Otherwise, breaches of outsourcing rules are not subject to an administrative fine, except where an institution acts contrary to an express instruction by the competent regulatory authority (BaFin or the European Central Bank).
(iii) Supervisory tool kit
The competent regulatory authority may, however, apply the full "tool kit" of supervisory measures, including on-site audits, special audits, specific orders, warnings to senior executives, the appointment of a special representative, the removal of senior executives and, in the most egregious cases, the withdrawal of the banking license or the fund manager's license.
As mentioned, the new regime (in force since 2021) also allows the BaFin to apply measures directly against cloud service providers.
(iv) Civil and administrative law
A cloud service provider is fully liable for the acts or omissions of its outsourcing providers from a civil and administrative law perspective. This is regardless of whether the outsourcing company fully complied with its own duties to properly monitor and manage the cloud service provider.