The ECB understands that, for the purposes of compliance with Article 6(6) of DORA, the
internal audit functions of institutions should regularly review the risks stemming
from the use of a CSP’s cloud services. That review should cover, among other
things, adequacy of the application of internal guidelines, the appropriateness of the
risk assessment conducted and the quality of the provider’s management. The
outsourcing contract should clearly specify that the institution, its internal audit
function, and the competent authorities and resolution authorities have the right to
inspect and audit the CSP.
With cloud infrastructure and services becoming increasingly complex, there is an
increased need to pool expertise and resources given the skills and resources
required for audits and the costs involved. That expertise needs to be updated
frequently given the fast pace of technological progress. An institution’s internal audit
function should ensure that risk assessments are not based solely on narratives and
certifications provided by the CSP, but are supported by independent assessments or
reviews and by input from third parties (e.g. security analysts).
It is good practice for institutions to work together to audit a CSP, putting together a
joint inspection team containing at least one technical expert from each institution.
The inspection plan could be agreed by the institutions concerned on a consensual
basis. If, during such a joint audit, specific issues are only relevant to a single
institution, institutions should have the ability to follow up individually with the CSP
on a bilateral basis. To prevent blind spots in the conduct of audits, leadership of
those inspection teams should rotate among the supervised entities involved,
changing every year.
2.5.1 Need for independent expert monitoring of CSPs
Under Article 6(10) of DORA, financial entities may, in accordance with Union and
national sectoral law, outsource the task of verifying compliance with ICT risk
management requirements to intra-group or external undertakings. That Article
further provides that in such a case, the institution remains fully responsible for the
verification of compliance with the ICT risk management requirements. The ECB
understands this to mean that even where cloud services are provided as managed
services, with the CSP responsible for keeping operations running and complying
with security standards, accountability for verification of compliance with the ICT risk
management requirements by the outsourced function cannot itself be outsourced. In
order to ensure an adequate level of quality, the institution should monitor the cloud
services provided by the CSP. Relying solely on monitoring tools provided by a CSP
in order to assess performance might not be sufficient in the case of outsourcing of
critical or important functions. In such a scenario, the monitoring tools provided
should be complemented by independent tools to prevent manipulation by the CSP.
In order to perform appropriate monitoring, supervised institutions should retain
expertise in-house, with a centralised function or department being recommended for
the monitoring of CSPs. The monitoring and oversight metrics used should give the
relevant team a comprehensive overview and should be the basis for internal