Yes.
Banking Act
The use of cloud services by banks and financial services providers (e.g., leasing and factoring companies, crypto custodians and crypto securities registrars) is subject to the rules on outsourcing, which are contained in Section 25b of the German Banking Act (Kreditwesengesetz ("KWG")) and are further detailed in Circular 10/2021 (BA) Minimum Requirements for Risk Management (Rundschreiben 10/2021 (BA) — Mindestanforderungen an das Risikomanagement ("MaRisk")) issued by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht ("BaFin")) dated 16 August 2021, last updated on 4 May 2022.
Securities Institutions Act (Wertpapierinstitutsgesetz ("WpIG"))
Since 26 June 2021, the supervision of investment firms is no longer primarily governed by the KWG but by the WpIG. The KWG continues to apply only to certain large investment firms that provide investment services in the form of dealing on own account or underwriting and that are therefore defined as credit institutions under the Capital Requirements Regulation.
The rules on outsourcing for investment firms (other than those that continue to be regulated under the KWG) are set out in Section 40 of the WpIG.
Further details on outsourcing are regulated in Articles 30 to 32 of Delegated Regulation (EU) 2017/565. Finally, some rules on outsourcing for investment firms can be found in Section 88 of the German Securities Trading Act (Wertpapierhandelsgesetz).
There is no detailed administrative guidance on risk management and outsourcing for investment firms licensed under the WpIG. The BaFin continues to apply the MaRisk in a proportionate manner to investment firms in the interim period, but it has stated that it intends to apply the European Securities and Markets Authority's Guidelines on Outsourcing to Cloud Service Providers of 10 May 2021 ("ESMA Guidelines").
Capital Investment Code (Kapitalanlagegesetzbuch ("KAGB"))
For alternative investment fund managers ("AIFMs") and for UCITS managers, outsourcing rules are defined in Section 36 of the KAGB and BaFin's Circular (Minimum Requirements for Risk Management of Capital Investment Companies (Rundschreiben 01/2017 (WA) — Mindestanforderungen an das Risikomanagement von Kapitalverwaltungsgesellschaften)) dated 10 January 2017. Moreover, outsourcing (delegation) by AIFMs is regulated in Article 75 of the Level 2 Regulation (Commission Delegated Regulation (EU) No. 231/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision). As the BaFin has stated that it intends to apply the ESMA Guidelines, these also apply (among others) to UCITS fund managers and AIFMs.
Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz ("ZAG"))
For payment services providers and e-money institutions, outsourcing is governed by Section 26 of the ZAG.
German Insurance Supervision Act (Versicherungsaufsichtsgesetz ("VAG"))
For insurance undertakings, outsourcing is governed by Section 32 of the VAG.
Regulatory regime for outsourcing to cloud service providers
The BaFin summarized the rules on outsourcing that apply specifically to cloud services in a guidance note entitled "Orientation help regarding outsourcing to cloud service providers" (Merkblatt — Orientierungshilfe zu Auslagerungen an Cloud-Anbieter ("Guidance Note on Cloud Services")), issued jointly by the BaFin and the German central bank (Deutsche Bundesbank) in December 2018. The Guidance Note on Cloud Services was originally cross-sectoral and therefore applied to all entities supervised by the BaFin (credit institutions, payment and e-money institutions, investment firms, fund managers and insurance undertakings).
As regards credit institutions and financial services providers, the MaRisk was updated in August 2021 to bring it into line with the European Banking Authority's ("EBA") Guidelines on Outsourcing Arrangements of 2019 ("EBA Guidelines"). The EBA Guidelines apply only to credit institutions, payment institutions and e-money institutions (and thus do not cover investment firms, UCITS managers, AIFMs or insurance undertakings), whereas the Guidance Note on Cloud Services applies to cloud outsourcing by all firms regulated by the BaFin. For investment firms, AIFMs and UCITS managers, as well as a number of other regulated entities such as central counterparties, trade repositories, central securities depositories and rating agencies, the Guidance Note on Cloud Services has, however, been superseded by the BaFin's statement that it intends to apply the ESMA Guidelines.
The EBA Guidelines also incorporate the EBA's earlier recommendations on outsourcing to cloud service providers published in December 2017. Unfortunately, rather than simply replacing the MaRisk with the EBA Guidelines, the BaFin chose to update the wording of the MaRisk to reflect them. Overall, the MaRisk are less detailed than the EBA Guidelines.
The BaFin has not revoked its sector-generic Guidance Note on Cloud Services (which was drafted with the EBA's cloud outsourcing recommendations in mind; those recommendations have since become part of the EBA Guidelines). The Guidance Note on Cloud Services therefore still provides the best summary of the outsourcing rules governing cloud services. In addition, the ESMA Guidelines apply to investment firms, AIFMs and UCITS managers; they overlap, however, only partly with the Guidance Note on Cloud Services. This makes it quite difficult to provide a comprehensive overview.
Under the MaRisk, where an outsourcing is assessed as nonmaterial, only general organizational duties need to be observed. In contrast, the ESMA Guidelines apply to all cloud outsourcing, including nonmaterial outsourcing, and impose stricter rules on the outsourcing of critical or important functions.
Regulatory requirements on the use of IT are set out in the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT ("BAIT")), last updated on 16 August 2021. The risk assessments for the purchase of IT services must be reviewed regularly and on an event-triggered basis, and the contracts adjusted accordingly where necessary (Section 8.3 of the BAIT). More generally, whenever cloud services are used, the cloud service providers are indirectly affected, because they must comply with the IT supervisory requirements applicable to their regulated customers. The most important consequence is that the risk analysis to be performed before a service is outsourced must also reflect the strict requirements on information risk management, information security and IT emergency management, and these requirements must be carried over into the contractual arrangements with the cloud service providers.
The same also applies in other regulated sectors:
The BAIT, the KAIT (Kapitalverwaltungsaufsichtliche Anforderungen an die IT, for asset management companies), the ZAIT (Zahlungsdiensteaufsichtliche Anforderungen an die IT, for payment and e-money institutions) and the VAIT (Versicherungsaufsichtliche Anforderungen an die IT, for insurance undertakings) all contain further specific rules on the purchase of IT services that does not qualify as outsourcing.
The ZAIT contain rules for payment and e-money institutions that mirror the rules in the MaRisk on outsourcing.