After years of worrying about the operational risk that cloud concentration poses to the financial system, European Union authorities have proposed a digital finance package—a set of proposals that, among many other measures, would single out cloud providers and subject them to a unified oversight regime.
The package, which was published last week, sets out a comprehensive framework for the regulation of tech in hot-button areas, including regulatory approaches to crypto assets and blockchain, increased power for firms to dictate the terms of contracts and service level agreements, better and more standardized resilience testing, and a single EU hub for reporting cyber security breaches.
But it’s the provisions that are clearly aimed at gaining some kind of oversight of cloud providers that I found to be most interesting. Chapter V of the proposal, which is concerned with third-party resilience, would make cloud service providers like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and IBM Cloud answerable to one of the three European Supervisory Authorities (ESAs): the European Securities and Markets Authority, European Banking Authority, and European Insurance and Occupational Pensions Authority.
If the proposal became law, the ESAs would have the power to designate a cloud provider as “critical” based on a set of criteria: Is the vendor providing infrastructure and other cloud services to a massive, systemically important financial entity, such as a too-big-to-fail bank? Or, to state the problem slightly differently (as the proposal does): If the services offered were to fail—let’s say a major cloud provider suffered an outage that rendered critical data inaccessible during a critical time—would that have a devastating, knock-on impact on the entire financial system, because the bank is so interconnected with other financial institutions? At the point of disaster, would another service provider be able to step into the breach, and could customers be ported over easily and quickly, minimizing systemic disruption?
Once a vendor is designated as critical, one of the ESAs becomes its “lead overseer.” The proposal states that critical service providers “shall cooperate in good faith with the lead overseer,” which will be able to impose fines and have the right to examine data and records, request phone logs and data traffic, and conduct on-site inspections, if necessary.
Now, the proposal doesn’t explicitly say that it’s referring to the giant cloud service providers; it calls them only “critical ICT third-party service providers.” But it’s clear which companies are being targeted here, as regulatory bodies in Europe have expressed their concerns over concentration risk and over service level agreements that lock clients in to particular vendors.
Firms in the EU already have the right to conduct audits of cloud providers, and they have to keep a close eye on their relationships with third parties—and their third parties’ third parties—under various rules, regulations, and guidelines. What this proposal would do is bring that all together in a much more comprehensive framework for operational resilience.
But it seems to me that this level of oversight of such firms is unprecedented in the EU.
While the major public cloud providers invest massive resources into their infrastructure, human resources, and resilience planning, you can’t plan for every scenario. Authorities are afraid of earthquakes, cyber attacks, climate events—any black swan that might swim along out of nowhere, taking down the grid and subjecting the financial system to a systemic shock or crisis.
These fears are compounded by the fact that not only do the vast majority of financial services firms have outsourcing relationships with the major cloud providers, but these companies are also all US-based entities, with their ultimate oversight conducted on another continent.
And then, of course, with this proposal the EU is trying to protect its markets. While the bloc has set the template for regulating data—with groundbreaking approaches such as the General Data Protection Regulation, which has inspired similar efforts worldwide—its leaders fear that it has fallen behind on emerging tech and innovation and is losing out to the US and China. As new EC president Ursula von der Leyen said in her first speech to the European Parliament, “We must have mastery and ownership of key technologies in Europe. These include quantum computing, artificial intelligence, blockchain, and critical chip technologies.”
The EC is collaborating with France, Germany, and about 100 companies and organizations—including Deutsche Bank and SAP—on a project to challenge the dominance of US big tech. The initiative, Project Gaia-X, aims to launch next year, and will consist of a network of cloud and data services operating across industries under the protection of European data laws. According to Wired, Gaia-X is fundamentally about “data sovereignty”—the idea that the EU will shape how data is managed and governed within its own borders.
So, perhaps what is important about this latest proposal is not just that EU supervisors are looking for ways to make the bloc safer from cloud outages; it’s also that it is part of a wider strategy to nurture tech and finance industries that can compete with the rest of the world.