
EU Proposal Takes Aim at Major Cloud Providers
Jo writes that the EU’s new digital package could find large cloud providers operating in the bloc subject to potentially invasive oversight, as the EU strives for “data sovereignty”.
After years of worrying about the operational risk that cloud concentration poses to the financial system, European Union authorities have proposed a digital finance package—a set of proposals that, among many other measures, would single out cloud providers and subject them to a unified oversight regime.
The package, which was published last week, sets out a comprehensive framework for the regulation of tech in hot-button areas, including regulatory approaches to crypto assets and blockchain, increased power for firms to dictate the terms of contracts and service level agreements, better and more standardized resilience testing, and a single EU hub for reporting cyber security breaches.
But it’s the provisions that are clearly aimed at gaining some kind of oversight of cloud providers that I found to be most interesting. Chapter V of the proposal, which is concerned with third-party resilience, would make cloud service providers like Amazon Web Services, Microsoft Azure, Google Cloud Platform, and IBM Cloud answerable to one of the three European Supervisory Authorities (ESAs): the European Securities and Markets Authority, European Banking Authority, and European Insurance and Occupational Pensions Authority.
If the proposal became law, the ESAs would have the power to designate a cloud provider as “critical” based on a set of criteria: Is the vendor providing infrastructure and other cloud services to a massive, systemically important financial entity, such as a too-big-to-fail bank? Or, to state the problem slightly differently (as the proposal does): If the services offered were to fail—let’s say a major cloud provider suffered an outage that rendered critical data inaccessible during a critical time—would that have a devastating, knock-on impact on the entire financial system, because the bank is so interconnected with other financial institutions? At the point of disaster, would another service provider be able to step into the breach, and could customers be ported over easily and quickly, minimizing systemic disruption?
Once a vendor is designated as critical, one of the ESAs becomes its “lead overseer.” The proposal states that critical service providers “shall cooperate in good faith with the lead overseer,” which would be able to impose fines and would have the right to examine data and records, request records of telephone and data traffic, and conduct on-site inspections, if necessary.
Now, the proposal doesn’t explicitly say that it’s referring to the giant cloud service providers; it calls them only “critical ICT third-party service providers.” But it’s clear which companies are being targeted here, as regulatory bodies in Europe have expressed their concerns over concentration risk and over contract terms and service level agreements that lock clients in to particular vendors.
Firms in the EU already have the right to conduct audits of cloud providers, and they have to keep a close eye on their relationships with third parties—and their third parties’ third parties—under various rules, regulations, and guidelines. What this proposal would do is bring that all together in a much more comprehensive framework for operational resilience.
But it seems to me that this level of oversight of such firms is unprecedented in the EU.
While the major public cloud providers invest massive resources into their infrastructure, staff, and resilience planning, you can’t plan for every scenario. Authorities are afraid of earthquakes, cyber attacks, climate events—any black swan that might swim along out of nowhere, taking down the grid and subjecting the financial system to a systemic shock or crisis.
These fears are compounded by the fact that not only do the vast majority of financial services firms have outsourcing relationships with the major cloud providers, but these companies are also all US-based entities, with their ultimate oversight conducted on another continent.
And then, of course, with this proposal the EU is trying to protect its markets. While the bloc has set the template for regulating data—with groundbreaking approaches such as the General Data Protection Regulation, which has inspired similar efforts worldwide—its leaders fear that it has fallen behind on emerging tech and innovation and is losing out to the US and China. As new EC president Ursula von der Leyen said in her first speech to the European Parliament, “We must have mastery and ownership of key technologies in Europe. These include quantum computing, artificial intelligence, blockchain, and critical chip technologies.”
The EC is collaborating with France, Germany, and about 100 companies and organizations—including Deutsche Bank and SAP—on a project to challenge the dominance of US big tech. The initiative, Project Gaia-X, aims to launch next year, and will consist of a network of cloud and data services operating across industries under the protection of European data laws. According to Wired, Gaia-X is fundamentally about “data sovereignty”—the idea that the EU will shape how data is managed and governed within its own borders.
So, perhaps what is important about this latest proposal is not just that EU supervisors are looking for ways to make the bloc safer from cloud outages; it’s also that it is part of a wider strategy to nurture tech and finance industries that can compete with the rest of the world.