The financial services sector is becoming increasingly reliant on cloud service providers (CSPs) to fulfil its growing data processing and storage needs. Financial services providers in the United States have reportedly had the highest levels of adoption, operating 54 percent of their workloads in the cloud; and according to the European Central Bank, banks spent 13.5 percent more on cloud outsourcing in 2024 than in 2023.
Such levels of adoption herald a change from historic reliance by banks on their own dedicated data centre facilities, typically sited at their own premises (on-premises), or sometimes sourced via a third party, with space dedicated to a bank’s own server racks.
Here we consider:
- The economic drivers that are fuelling this so-called “servitisation” trend away from dedicated physical facilities (hardware-centric, on-premises) to service-based cloud data processing and storage options.
- Some of the key countervailing factors that banks (and indeed other financial institutions) will need to consider when deciding whether to make the change.
Why are banks choosing to move their data off-premises to the cloud?
There are at least two key drivers that are influencing banks to decide to outsource their data processing and storage to the cloud and away from traditional on-premises models: lower cost and increased technical operational resilience.
Cost
On-premises storage (including space at a third-party data centre site) requires expensive upfront outlay on suitable property (or lease costs) and equipment. Other costs include the installation and ongoing maintenance of the equipment, along with staffing of the premises, connectivity and cooling. Some of these costs are sunk capital costs (such as hardware), which quickly become depreciating assets on a bank’s balance sheet.
In contrast, cloud storage does not require an initial capital outlay, with the cost of the service being spread out over monthly payments to the CSP. Ongoing hardware maintenance and repair cease to be the bank’s responsibility, as do at least some of the other legal responsibilities of operating a physical data centre (for more information about the requirements for operating a physical data centre, see our article, Navigating regulatory challenges in data centres).
The conversion of capital expenditure (capex) to operational expenditure (opex) may sometimes deliver economic efficiencies for a bank. Depreciating assets are removed from the balance sheet and are replaced with an expense line item (the CSP’s fees) on the bank’s profit and loss statement, enabling the bank to offset the fees against revenue and so, potentially, reducing taxable profits. (Against this is a potential VAT cost on any payments to the CSP.) Such a strategy will require appropriate tax and regulatory advice.
Having migrated to the cloud, a bank with its own (now redundant) on-premises data centre facilities may choose to divest itself of them or perhaps even lease them out to other businesses (subject to appropriate security and other bank safeguarding requirements), and so offset the cost of the new service.
Technical operational resilience
Technical operational resilience is a key priority for banks – particularly in light of the EU’s Digital Operational Resilience Act (DORA), which requires improved ICT risk management (including through contractual provisions with third-party suppliers).
How can processing and storage in the cloud lead to enhanced technical operational resilience for banks? There are a number of factors to consider:
- Data redundancy: Data redundancy occurs when data is duplicated and stored in more than one location within a storage system. There can be benefits to data redundancy (for example, for back-ups, enhanced availability and fault tolerance) as well as downsides (for example, the cost of duplication and the risk of inconsistent copies). CSPs tend to have superior redundancy capabilities compared with what is achievable from a bank’s single on-premises facility. For example, due to the geographical distribution of storage (i.e. the CSP may store the data at different locations), banks and their customers can still access their data in the event of an incident affecting one location.
- Load balancing: Owing to their scale, CSPs are often also able to offer better load balancing capabilities than a bank might be able to provide for itself on-premises. Load balancing is the process of allocating network traffic across multiple database servers. This method of distribution supports reliable handling of variable traffic levels.
- Technology refresh: Having incurred initial capex in setting up its own on-premises data centre(s), a bank may be reluctant to incur additional capex over time to refresh the technology it has purchased (particularly hardware). A bank wishing to achieve the benefits of a technology refresh might choose to migrate to the cloud and take advantage of an enhanced technology offering from a CSP, often with heightened security features. In this way a bank can in effect “amortise” (or spread) the cost of the technology refresh across the life of the contract with its CSP.
Implemented appropriately, these various factors may go some way to improving a bank’s technical operational resilience, as well as delivering on wider commercial imperatives (such as supporting long-term customer trust).
Barriers to uptake of cloud outsourcing
Despite the economic and operational drivers in favour of outsourcing to the cloud, there are several legal and practical considerations which a bank will have to consider when deciding whether to make the change.
Regulatory requirements
Ensuring that engagements with CSPs (including contract terms) comply with global regulatory requirements can be a complex exercise. Here we consider a few key ones that a bank may need to address (the requirements vary jurisdictionally):
- DORA: As mentioned above, moving to the cloud from on-premises solutions has the potential to assist banks in enhancing technical operational resilience. However, it is crucial for banks to assess whether the specific solution proposed will meet their regulatory operational resilience obligations under DORA.
  - DORA applies to a wide range of regulated financial entities (including banks) incorporated in the EU and/or with a licensed branch office in the EU. In addition to conducting pre-contractual due diligence assessments and ongoing monitoring of their CSPs, banks must ensure that their contracts with CSPs contain the prescribed provisions, which are more detailed if the bank classifies the CSP as supporting a “critical or important function” of the bank. Key topics include:
    - Security of and access to data.
    - Contingency plans.
    - Exit strategies.
    - Audit rights.
    - Subcontracting.
  - DORA obliges financial entities to undertake a balancing exercise of the benefits and risks between alternative ICT solutions when making a procurement decision. For example, financial entities should consider the impact of using CSPs that subcontract important functions, particularly where sub-contractors are established in a third country (for more information on the requirements of DORA in this regard, see our blog, Commission adopts DORA RTS specifying the elements that a financial entity has to determine when subcontracting ICT services).
  - ICT third-party service providers that are critical to the financial sector will themselves be subject to direct regulatory oversight under DORA. The European Supervisory Authorities have collected Registers of Information on ICT third-party arrangements from national authorities and, as at the date of publication, are assessing which providers will be designated as critical (for more details, see our blog, ESAs provide a roadmap towards the designation of CTPPs under DORA).
  - Banks should consider how their cloud solution will fit into their wider governance, risk and incident management obligations under DORA. They will need to be able to comply with their incident reporting requirements and timelines (within four hours from the classification of the ICT-related incident as a major ICT-related incident, and no later than 24 hours from the moment the financial entity has become aware of the ICT-related incident), as well as ensuring that contracts with CSPs include the required terms on assistance when an incident occurs.
- NIS2: Besides DORA, banks may also be subject to cybersecurity risk management, governance and incident notification obligations under the EU’s revised Network and Information Security Directive (NIS2).
  - Recognising that there will be substantial overlap with other legislation, NIS2 allows sector-specific Union Acts to apply instead of NIS2 when they are equivalent in effect to NIS2. The Commission has confirmed that DORA takes precedence in relation to ICT risk management and management of ICT-related incidents (in particular, major ICT-related incident reporting), as well as on digital operational resilience testing, information-sharing arrangements and ICT third-party risk. However, banks looking to migrate their data to the cloud will still need to assess NIS2 applicability and conduct a gap analysis, as they may have NIS2 obligations in addition to their sector-specific obligations.
  - In addition to its application to banks, NIS2 also applies to managed IT service providers, including on an intra-group basis. In practice, the way the service is provided to the bank’s related entities may mean that the bank has additional obligations under NIS2 and additional regulatory supervision.
- GDPR and other data protection laws globally: Banks will need to ensure that they continue to comply with their obligations under the General Data Protection Regulation (GDPR).
  - The GDPR requires specific contractual protections to be put in place with data processors, including CSPs. Banks must ensure that the terms they enter into allow them to continue to comply with their obligations to protect the personal data they control and the fundamental rights of the relevant individuals – as with financial regulatory and operational resilience obligations, these obligations cannot be outsourced.
  - International flows of personal data, in particular, present specific challenges when outsourcing to the cloud. Under the GDPR, transfers of personal data to third parties are restricted to ensure that the data continues to receive an essentially equivalent level of protection (as at the date of publication, there are changes pending in the UK, but it will retain similar restrictions to the EU). Hyperscalers will generally offer customers the option to host data in their region, but may not be able to guarantee that the data would never be accessed from elsewhere – and remote access is considered a transfer for GDPR purposes.
  - It will therefore be necessary to confirm that the CSP has an appropriate safeguard in place for transfers to third countries (for example, standard contractual clauses), and to assess the risk of transfers to that jurisdiction.
  - The EU and UK landscape for international transfers has the potential to become still more complex, with a review pending on the UK’s EU adequacy status (which allows transfers to the UK without the need for additional contractual protections and accompanying risk assessments) and the potential for changes around transfers to the US.
  - Beyond the EU and UK, a number of other jurisdictions have restrictions on international transfers of personal data that may be relevant. Data localisation laws may also apply to the financial services sector or more widely.
- Outsourcing regulations:
  - Most use of CSPs by EU banks for data processing and storage currently falls within the scope of the European Banking Authority’s (EBA) Guidelines on outsourcing arrangements, which contain specific requirements on outsourcing to CSPs (in addition to those that apply to outsourcing arrangements in general and the more prescriptive requirements for outsourcing critical or important functions). The cloud-specific requirements relate primarily to security, data location and audit. The EBA is currently consulting on revised guidelines which, if adopted in their current form, will no longer apply to service arrangements covered by DORA, including the use of CSPs. For more information on the revised guidelines, see our article, Another contract remediation exercise for EU financial entities? [LINK TO BE ADDED]
  - Banks located in particular EU Member States may be subject to additional requirements imposed by their local banking regulators.
  - Until recently, the European Securities and Markets Authority’s (ESMA) guidelines on outsourcing to CSPs applied to EU banks in their conduct of activities regulated by ESMA. The guidelines contain broadly the same requirements on engaging CSPs as those set out in the EBA’s current Guidelines on outsourcing arrangements, including with respect to contractual terms, with a particular focus on security, exit, audit and subcontracting. Many of the requirements overlap with those now codified in DORA, and on 11 July 2025 ESMA announced that these guidelines will no longer apply to financial entities that are subject to DORA.
  - The UK’s Prudential Regulation Authority (PRA) has set out its expectations in a Supervisory Statement on outsourcing and third-party risk management (SS2/21). SS2/21 reminds financial entities that regulatory obligations cannot be contracted out, and that reasonable supervision of outsourced functions is required. The PRA expects banks using CSPs to implement a combination of cloud resilience options, such as a hybrid cloud solution (i.e. retaining some on-premises storage) and engaging with multiple CSPs.
Banks that fail to comply with regulatory requirements such as these are typically at risk of facing regulatory investigations (and potentially sizeable fines and penalties), along with reputational damage. Legal advice sourced from across a number of jurisdictions may be required in order to mitigate such risks in the contract with the CSP.
Contract negotiations and bargaining power
Banks typically bring considerable negotiating heft to the table. However, the more commoditised or uncustomised the cloud service being procured, the more likely a bank is to struggle to have its CSP depart from its standard contractual terms.
The largest tech providers, in particular, may be very reluctant to do so in the absence of compelling commercial reasons. A bank will therefore need to balance its commercial imperatives against the need to manage and allocate risk appropriately in such negotiations.
Ceding control?
On-premises data facilities allow banks to retain a high degree of control over their data storage and processing operations. Entrusting a CSP with its data is a decision not to be taken lightly. Banks will typically conduct extensive due diligence over the CSP’s service offering, including logical and physical security requirements, and will seek to implement governance arrangements that safeguard the interests of the bank and its customers.
How can banks safely move their data to the cloud?
Before engaging with CSPs in contract negotiations, banks should ensure that they are aware of: