Financial services providers adopt the cloud to be able to leverage new technological developments and provide innovative solutions to their clients in a secure manner. However, with many regulatory approaches the resulting fragmentation raises hurdles to the use of cloud solutions. This paper presents several considerations of how EU policy makers could develop the cloud services market, increase harmonization and provide financial institutions with the certainty needed in their digitization process.
To reach these objectives, the EFR has the following recommendations to EU policymakers:
- Regulatory fragmentation should be tackled by taking harmonized approaches at EU level, while avoiding divergent initiatives at national levels. This implies establishing a framework for mutual recognition of outsourcing agreements approval, and mechanisms to solve frictions related to extraterritorial reach of rules.
- Any supervision of Cloud Service Providers (CSPs) should be undertaken at the CSP level, rather than by financial supervision authorities. In that regard, the EFR considers the EU should adopt an objective, outcomes-based approach, rather than implementing specific requirements. It would indeed give organizations enough flexibility to be agile in reaching the stated outcome while preventing a competitive disadvantage for EU financial services firms operating in other markets.
- The financial services sector is supportive of EU ambitions to foster Europe’s own capabilities in cloud computing since it could address current market imbalances by introducing greater competition. CSPs are becoming critical infrastructure and Europe needs to establish capabilities to remain competitive in the long term. However, significant investments in the long run are needed to enable the emergence of European CSPs offering the same level of technologies and services as existing providers. In any case, companies and individuals within the EU should remain able to freely choose cloud services providers.
- Finally, reducing fragmentation at EU-level requires establishing minimum baseline requirements avoiding gold-plating, and consistently harmonizing supervisory practices across jurisdictions. To that end, a harmonized European approach proposing minimum requirements for cloud providers based on supplements to the provisions of the GDPR, as well as coordination among national competent authorities will be critical to ensure legal certainty and prevent inconsistencies within the European market.