Dear colleagues,
In this issue, we look at the latest guidance from the European supervisory authorities on technology and outsourcing risks as well as strategic impetus in the areas of data protection and money laundering prevention. The ECB and ESMA specify their requirements for cloud outsourcing, while the AMLA’s work program places a regulatory focus on the crypto sector. In addition, the BfDI opens a consultation process on data protection issues relating to the use of AI systems.
Table of Contents
- ESMA publishes final guidelines on cloud outsourcing
- ECB publishes guidance on cloud outsourcing for significant institutions
- AMLA publishes work program 2025 – focus on crypto and financial crime
- BfDI launches consultation on data protection challenges posed by AI models
- Now receive the most important compliance notifications every week free of charge
ESMA publishes final guidelines on cloud outsourcing
Applicable for:
Custodian banks under AIFMD and UCITSD that are not covered by the DORA Regulation; compliance and outsourcing officers in asset management; IT and risk management functions
On July 11, 2025, the European Securities and Markets Authority (ESMA) published its revised guidelines on outsourcing to cloud service providers. The new version responds to the changed regulatory landscape following the entry into force of the Digital Operational Resilience Regulation (DORA).
The new guidelines are specifically limited to custodian banks under AIFMD and UCITSD that are not subject to DORA. For all other financial institutions subject to the DORA regime, the previous 2021 guidelines no longer apply, which avoids duplication and conflicts. ESMA is thus providing legal certainty and clarity as to which requirements still apply to cloud outsourcing outside the DORA framework – especially for players with a central function in fund administration.
Measures required:
- Check whether your own institution is covered by the scope of the DORA Regulation
- For custodian banks not subject to DORA: Review and, if necessary, adapt cloud outsourcing processes and contractual documentation based on the updated ESMA guidelines
- Ensure that risk analyses, exit strategies and control rights for cloud outsourcing comply with the new regulatory expectations
ECB publishes guidance on cloud outsourcing for significant institutions
Applicable for:
Significant institutions under direct ECB supervision, IT management, outsourcing officers, information security officers, internal audit, compliance departments
The European Central Bank has published its revised guidelines on outsourcing to cloud service providers. They are aimed at directly supervised banks in the Single Supervisory Mechanism (SSM) and specify requirements for risk management, due diligence, data access, exit strategies and contract controls. The aim is a uniform implementation of secure, controlled cloud use in the banking sector.
Measures required:
- Review existing cloud outsourcing agreements for compliance with ECB requirements
- Adapt governance and control processes for the use of cloud services
- Document and evaluate cloud service providers in accordance with the new risk-based requirements (e.g. audit rights, location of data processing, exit concepts)
AMLA publishes work program 2025 – focus on crypto and financial crime
Applicable for:
Crypto service providers (VASPs), credit institutions with crypto offerings, anti-money laundering officers, supervisory contact points, compliance and AML functions
The European Anti-Money Laundering Authority (AMLA) has published its work program for 2025. In it, the authority announces that it will press ahead with the development of its supervisory framework – with a particular focus on high-risk sectors such as the crypto market. Operational standards, methods for cross-sector risk analyses and technical tools for data processing are to be developed. The AMLA also emphasizes that it has high expectations for the effectiveness of existing AML systems – particularly with regard to transparency and transaction tracking.
Measures required:
- Prepare strategically for future AMLA supervisory measures in the crypto sector
- Evaluate existing crypto compliance and due diligence obligations with regard to transparency, monitoring and suspicious activity reports
- Monitor planned regulatory steps for integration into internal AML strategies
BfDI launches consultation on data protection challenges posed by AI models
Applicable for:
Data protection officers, developers of AI systems, data controllers, IT and compliance departments in data-processing organizations
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has launched a consultation process on data protection issues relating to the use of AI models. The central topics are the lawfulness of the processing of personal data, transparency obligations and the protection of data subjects’ rights. The aim is to establish a sound classification of AI systems under applicable data protection law.
Measures required:
- Check existing AI applications for GDPR compliance, in particular with regard to data minimization, purpose limitation and lawfulness of processing
- Establish internal assessment procedures for new AI applications with the involvement of data protection, IT and specialist departments
- Train development teams and data protection coordinators on the specific GDPR risks when using AI
Now receive the most important compliance notifications every week free of charge
Many compliance officers already use our free service and receive the most important news from the areas of compliance, money laundering prevention, data protection and IT security. We provide a weekly overview of the most important reports and categorize them.
Subscribe now free of charge.
Would you like to be up to date every day?
Our legal rights monitoring software gives you access to all notifications and allows you to filter them by relevance, type and area. You can create and download summaries. Get in touch with us.
We wish you a successful week.
Your Riscreen team