20 / 07 / 2021

Is your financial company ready for the new cloud outsourcing guidelines?

This summer, EIOPA (the European Insurance and Occupational Pensions Authority) and EBA (the European Banking Authority) published two sets of guidelines for financial undertakings: one for financial undertakings in general and one for insurance companies. The guidelines concern the financial undertakings' ICT systems and ICT activities, and apply when a financial undertaking outsources ICT activities to cloud service providers. Finanstilsynet (the Norwegian FSA) has already stated that the guidelines will be applied in its practice, both in licensing and in supervision under the ICT regulations.

The ICT regulations apply both to the financial undertaking and to service providers

In principle, the ICT regulations apply to financial undertakings. This means that the duties and responsibilities imposed on a financial undertaking under the ICT regulations remain the financial undertaking's own responsibility; they are not transferred to external service providers.

At the same time, the service provider has an independent duty to demonstrate that it acts in accordance with the ICT regulations. In connection with a licence application or an inspection in particular, attention will be paid to whether the service provider complies with the ICT regulations.

The guidelines will consolidate a number of directives with effect for Norway as well

The possibility for financial undertakings to outsource parts of, or all of, their ICT operations is nothing new or revolutionary; it already follows from the ICT regulations.

The reason the two European authorities have drawn up new guidelines is mainly to bring the core of a number of directives, including PSD2 and Solvency II, together into a single set of guidelines.

The guidelines do not only apply to cloud service providers

Although the guidelines mainly target cloud service providers such as Microsoft or Amazon, they also apply to service providers that depend on a cloud service to deliver their own service. For example, a service provider that has developed software which is delivered and operated on Amazon Web Services or Microsoft Azure is also subject to the guidelines.

Requirements must be proportionate

The guidelines are based on a principle of proportionality. In practice, this means that a service provider must not be subjected to stricter requirements than the scope of its delivery warrants. If a service provider is only responsible for a partial delivery within the undertaking's overall ICT operations, it cannot be subjected to disproportionately strict requirements for compliance with the ICT regulations.

Distinguishes between general and critically important operational functions

A significant difference between the new guidelines and the ICT regulations is that the guidelines distinguish between general functions and critical and important operational functions, whereas the ICT regulations mainly apply to ICT systems that are important for the undertaking's operations. In practice, this distinction means that if a service provider delivers, for example, software that does not affect critical and important operational functions, less stringent conditions apply under the guidelines. Conversely, if the service provider delivers services that affect critical and important operational functions, stricter conditions apply both to the service provider and to the financial undertaking, which must ensure that the service provider actually complies with the guidelines.

What constitutes a critical and important operational function must be assessed on a case-by-case basis. We assume that an operational function is considered critical or important if a deviation or deficiency in the service delivery materially affects the financial undertaking's ongoing compliance with obligations imposed on it under, for example, the ICT regulations, or if deviations in the service delivery affect the financial undertaking to such an extent that it cannot provide its services in line with existing regulations or contracts.

Familiar basic principles in new clothing

A number of basic principles run through the guidelines, including requirements for access, availability, integrity, confidentiality, privacy and security of the relevant data.

As an example, the guidelines state that the service provider must ensure that Finanstilsynet and the financial undertaking itself are given access to the service provider's systems, either direct access or access to information, in connection with supervision and licence applications. This already follows from the ICT regulations. However, the guidelines draw a clear distinction and set clearer rules: as mentioned above, stricter requirements apply if the service affects critical and important operational functions, whereas under the ICT regulations the scope of such access is largely left to discretion.

As regards availability, the principle has two sides. First, sensitive data must not be available to everyone: data should be classified according to risk, and availability should be assessed against who has an operational need for access. Second, there should be continuity of access to the data. Assessing availability is already common practice, but the distinction according to which type of service is delivered applies to availability as well.

Critical and important operational functions receive better protection

The guidelines do not express a new practice at Finanstilsynet. They do, however, set clear and strict rules, especially with regard to critical and important operational functions, and will in all probability serve as a necessary elaboration of the provisions of the ICT regulations. One of the main objectives of the guidelines is precisely to give financial undertakings a better understanding of what the supervisory authorities expect in the handling of ICT security risk.

Clear deadlines

The general guidelines came into force on 30 June 2020 and apply more or less immediately. The guidelines for insurance companies enter into force on 1 January 2021, with a transition period lasting until 31 December 2022.

What is clear is that the guidelines apply, and will continue to apply, both to existing outsourcing arrangements and to those entered into in the future. Since the practice does not change in principle but becomes clearer as to what is required of the financial undertaking's ICT activities, there is every reason to comply with the guidelines already now.

Please contact me at john@ecitlaw.com if you are in doubt as to whether you are acting in accordance with the guidelines, or if you are considering moving your services to the cloud.

John E. Nilsen

Lawyer