AWS for Industries

Introducing the AWS guide to the ECB Guide on outsourcing cloud services to cloud service providers

The European Central Bank (ECB) Guide on outsourcing cloud services to cloud service providers (the “ECB Guide”) sets out the ECB’s understanding of the applicable EU legal requirements, including those under the Digital Operational Resilience Act (“DORA”), and its supervisory expectations for financial entities (“FEs”) under ECB banking supervision that outsource cloud services. The ECB Guide is not binding legislation, but it is a source of good practices that supervisors will refer to.

Today, we are excited to announce the launch of the AWS guide to the ECB Guide on outsourcing cloud services to cloud service providers (the “AWS Guide”).

This AWS Guide describes the roles that AWS and its customers play in managing operational resilience on AWS. It explains the AWS Shared Responsibility Model for Resiliency, AWS services and features, compliance programs, and guidance that FEs can follow to help them align with ECB supervisory expectations.

Who should use the guide?

The AWS Guide is a comprehensive resource designed for various stakeholders within financial services organizations:

  1. Technical decision-makers, such as technology leaders, architects, and engineers responsible for designing, implementing, and managing cloud infrastructure and services, can use the guide to understand how AWS services can support alignment with ECB supervisory expectations.
  2. Risk and compliance professionals, tasked with ensuring regulatory adherence, managing risk, and overseeing governance processes, can use the guide to align their organization’s cloud initiatives with the ECB Guide.

How to use the guide

1. Understand key supervisory expectations

Start by understanding the key supervisory expectations placed on your organization by the ECB Guide, including the governance of cloud services, availability and resilience, ICT and data security, exit strategies, and oversight and monitoring.

2. Dive deep into alignment considerations

Explore our series of considerations on how FEs seeking to meet the ECB’s supervisory expectations can use AWS services and capabilities to help demonstrate alignment with the ECB Guide. These considerations include:

  • Governance of cloud services: How FEs can implement robust governance frameworks and control mechanisms for their use of AWS services.
  • Availability and resilience of cloud services: How FEs can use the AWS global infrastructure with its multiple independent Regions and Availability Zones to help meet their resilience targets.
  • ICT and data security, confidentiality and integrity: How FEs can implement comprehensive security controls and data protection capabilities to help protect against cyber threats.
  • Exit strategies and termination rights: How FEs can design workload portability and use data transfer mechanisms on AWS.
  • Oversight, monitoring, and internal audits: How FEs can use compliance reports and audit capabilities to understand how AWS maintains the resilience and security of the cloud.

3. Leverage AWS compliance programs

The AWS Guide highlights key AWS compliance programs and explains how FEs can obtain AWS security and compliance reports on a self-service basis through AWS Artifact. AWS maintains numerous third-party attestations and certifications, including ISO 22301, ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3, PCI DSS Level 1, C5, and Pinakes, which FEs can use as evidence in their due diligence of AWS as a cloud service provider.

4. Build your operational resilience framework

Architect for reliability, observability, and operations, and use AWS services such as AWS Security Hub, AWS Config, AWS Security Agent, AWS Resilience Hub, AWS Health, and AWS Backup to support operational risk management activities such as continuous control monitoring, resilience assessment, and recovery testing.

5. Design, deploy, and operate your financial services workloads on AWS

Use resources such as the AWS Well-Architected Framework – Financial Services Lens for guidance on the design and operation of financial services workloads.

Next steps

Explore the AWS guide to the ECB Guide on outsourcing cloud services to cloud service providers and discover how AWS can support your organization’s alignment with ECB supervisory expectations. If you have questions or need further assistance, please reach out to your AWS account team.

James Greenwood

James Greenwood is Principal Security Solutions Architect and helps AWS financial services customers manage security, risk and compliance, specializing in AI security, operational resilience, identity and access management, application security, data protection and privacy, confidential computing, threat detection and incident response, security operations, and cyber event prevention and recovery.

Eduardo Vilela

Eduardo Vilela is Head of FSI Regulatory Enablement EMEA and helps AWS financial services customers with regulatory requirements relating to risk, resiliency, AI, and cybersecurity. Eduardo joined AWS after more than 25 years working in financial services and consultancy. He works with boards of directors and financial services leadership on matters of governance and regulatory compliance and is well-versed in helping customers meet stringent regulatory requirements as they operate in the cloud.