European Insurance and Occupational Pensions Authority
News article, 27 March 2019

EIOPA calls for principle-based regulation of cloud computing

Today, the European Insurance and Occupational Pensions Authority (EIOPA) published its Report on Outsourcing to the Cloud: EIOPA's Contribution to the European Commission Fintech Action Plan.

The European Commission's FinTech Action Plan requested that the European Supervisory Authorities (ESAs) explore the need for guidelines on outsourcing to cloud service providers by the end of the first quarter of 2019.

In the European financial regulatory landscape, the purchase of cloud computing services falls within the broader scope of outsourcing. For the (re)insurance sector, the current Solvency II regulatory framework includes measures on outsourcing to ensure it does not impact the financial stability and policyholder protection objectives of the framework. EIOPA's guidelines on System of Governance provide some further principle-based guidance.

Cloud computing is a fast-developing service. Based on a survey conducted by the National Supervisory Authorities (NSAs), it is not yet extensively used by (re)insurance undertakings. It is used mainly by newcomers, within a few market niches and by larger undertakings for non-critical functions. However, as part of their wider digital transformation strategies, many large European (re)insurers are expanding their use of the cloud.

While cloud computing falls under existing regulatory measures on outsourcing, current guidance on these measures, including at the national level, is not homogeneous. At the same time, the majority of the NSAs responsible for both banking and (re)insurance supervision are considering the Recommendations issued by the European Banking Authority (EBA), which have been integrated into further Guidelines on outsourcing arrangements, as a reference for the management of cloud outsourcing.

The results of the survey confirm the alignment of the usage of cloud computing services by (re)insurance undertakings to the banking sector. This is also true for the risks arising from the usage of cloud computing by (re)insurance undertakings, with few minor (re)insurance specificities.

In order to avoid potential regulatory arbitrage and to support market participants in the course of the first half of 2019 EIOPA has concluded in favour of developing Guidelines on Cloud Outsourcing, building on the substance of the EBA Recommendations. EIOPA will seek stakeholders' input via a public consultation and a roundtable discussion with the aim to issue the final guidelines by the end of 2019.

To guarantee cross-industry harmonization within the European financial sector and to maintain this fruitful alignment, EIOPA agreed with the other European Supervisory Authorities, the European Banking Authority and the European Security Markets Authority, to start a joint market monitoring activity in the second half of 2019. The objective of this monitoring activity is to gather input for policy views on how to treat cloud outsourcing in the financial sector in the future, taking into account the increasing use of the cloud and the potential for large cloud service providers to be a single point of failure.

