European Banking Authority (EBA)

About the EBA

The European Banking Authority (EBA) is “an independent authority that works to ensure effective and consistent prudential regulation and supervision across the EU banking sector.” In December 2017, the EBA issued its Final Report: Recommendations on outsourcing to cloud services providers, which outlined a comprehensive approach to the outsourcing of cloud computing by financial institutions in the EU. The recommendations clarify when outsourcing to the cloud is permitted, apply a principles-based approach towards measuring risk from a technology-neutral perspective, and strive towards greater harmonization within Europe and beyond.

The EBA recommendations took effect in July 2018, and they build on and add clarity to the general outsourcing guidelines published in 2006 by the Committee of European Banking Supervisors. In fact, the issuance of these recommendations comes after a consultation period during which Microsoft provided substantive feedback. Many of the final recommendations account for comments Microsoft provided to the EBA.

Microsoft and the EBA

To help financial institutions in the EU follow the European Banking Authority (EBA) recommendations for cloud adoption, Microsoft published European Banking Authority Guidance Addresses Cloud Computing for the First Time. This document addresses key requirements and explains how Microsoft Azure and Microsoft 365 can be used to satisfy them. The guidance can help financial institutions adopt Azure and Microsoft with the confidence that they can meet their obligations under the EBA framework.

The Microsoft guidance addresses, point by point, each of the EBA recommendations:

  • Audit rights. Microsoft provides contractual audit rights for customers and rights of examination for regulators in its industry-leading Financial Services Amendment.
  • Notification regarding outsourcing. Microsoft can assist customers with notifying regulators of material activities to be outsourced.
  • Data residency. With 36 regions, including six in Europe, Microsoft offers the largest number of datacenters worldwide of any cloud service provider. Organizations can deploy workloads in one region without being required to host data in Europe.
  • Notification regarding subcontractors. Microsoft leads the industry with a contractual commitment to provide customers with 180-day notice of new subcontractors, and a right to terminate if the customer does not approve of the appointment of a new subcontractor.
  • Business continuity. Microsoft provides business continuity and resolution provisions in our Financial Services Amendment, including the willingness to provide transition assistance through Microsoft Consulting Services.
  • Risk assessment and security monitoring. Microsoft enables customers to conduct their own risk assessments and provides tools and dashboards so they can supervise and monitor our cloud services.

For financial institutions in the EU, Microsoft has also published Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud, a checklist modeled after EBA guidance. It explains how to establish a governance model optimized to meet regulatory requirements, and efficiently evaluate the risks of using Microsoft cloud services, followed by submission for regulatory approval. Our guide includes a list of questions to be answered in a regulatory submission that are drawn from, and responsive to, EBA guidance on outsourcing to cloud service providers.

Microsoft in-scope cloud services

How to implement

  • Response to EBA guidance: Microsoft guidance helps EU financial institutions follow EBA recommendations for cloud adoption.
  • Financial use cases: Use-case overviews, tutorials, and other resources to build Azure solutions for financial services.
  • Financial Compliance Program: Financial institutions can get help assessing the risks of using Microsoft cloud services.

Frequently asked questions

What information should be included in a submission to regulators?

The Microsoft publication, Risk Assessment and Compliance Guide for Financial Institutions in the Microsoft Cloud, offers a checklist of questions that the EBA guidance recommends answering in a regulatory submission, and provides suggestions on how to answer those questions.

Resources