Rules for cloud outsourcing
2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes. This is governed at both the national level and the EU level by the following legislation and guidelines.

National level

Credit institutions:

  • Royal Decree 84/2015, dated 13 February, on the implementation of Act 10/2014, dated 26 June, on the organization, supervision and solvency of credit institutions
  • Circular 2/2016, dated 2 February, of the Bank of Spain, to credit institutions, on supervision and solvency

Investment firms:

  • Royal Decree 217/2008, dated 15 February, on the legal regime applicable to investment firms and other entities that provide investment services
  • Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive

Management companies:

  • Act 35/2003, dated 4 November, on Collective Investment Undertakings
  • Royal Decree 1082/2012, dated 13 July, approving the implementation regulation of Act 35/2003, dated 4 November, on collective investment undertakings
  • Act 22/2014, dated 12 November, regulating venture capital entities, other closed-ended investment undertakings and management companies

Insurance undertakings:

  • Act 20/2015, dated 14 July 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings
  • Royal Decree 1060/2015, dated 20 November 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings

EU level

  • European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02)
  • European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285)
  • EU Guidelines on ICT and security risk management (EBA/GL/2019/04)
  • European Insurance and Occupational Pensions Authority Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)
  • EU regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014