NBH recommendation on cloud services

The National Bank of Hungary ("NBH") issued a recommendation [Recommendation No. 2/2017. (I. 12.)] on cloud services. The recommendation is intended to provide practical guidelines for financial institutions on risk management and the uniform application of regulations relating to the usage of community and public cloud services.

Under the recommendation, the financial institution is liable both for identifying the risks in each phase of using cloud services and for taking proportionate security measures.

Accordingly, the use of cloud services consists of several phases (preparation for decision making, risk management, contractual requirements, introducing the service, operation, exit phase), and the recommendation sets out requirements and security guidelines for financial institutions for each phase.

The recommendation includes the following requirements and guidelines (non-exhaustive list):

  • If the service affects personal data, the use of cloud services qualifies as outsourcing.
  • The exact location of data processing, managing and storing has to be determined.
  • An exit strategy needs to be in place for mitigating the potential risks arising from leaving the cloud.
  • The contract concluded with the cloud service provider shall provide for the right of the NBH to audit the cloud service provider; however, the contractual parties are entitled to restrict the audit scope to a reasonable extent.
  • The financial institution is required to ascertain whether the cloud service provider complies with the data protection rules applicable to the financial institution.
  • The contract concluded with the cloud service provider shall contain rules for security incident procedures. 

 
