The Hungarian National Bank’s (MNB) has issued a new guidance on how financial institutions should use social and public cloud services.

The New Cloud Guidance, which goes into effect on May 1, is based on European Banking Authority (EBA) recommendations on outsourcing and cloud computing, and revises previous cloud guidance No 2/2017. Based on the new guidance, financial institutions will need to carry out analyses, evaluations, prepare documentation and review system security.

The most important obligations include:

  • verifying whether cloud service agreements contain provisions on the –
    • destruction of data upon termination, o obligation of the cloud service provider to obtain certification based on Government Decree No. 42/2015,
    • IT security and data protection tasks and liabilities of subcontractors,
    • warranty provisions for data processing and data storage,
    • service provider obligations to notify financial institutions when subcontractors are changed (to carry out risk analysis), and an institution’s right of termination if it deems the change to offer unacceptable risk,
    • cooperation obligation subcontractors have with the MNB, and
    • MNB’s right to audit subcontractor activity, including performing onsite audits.
  • evaluating which cloud services qualify as “outsourcing” (since the new guidance does not define all cloud services as “outsourcing”).
  • preparing advantage-disadvantage analyses (instead of cost-benefit analyses).
  • assessing which cloud services qualify as “material” (note: the guidance lists the material activities, which require a MNB licence).
  • making an additional risk analysis of data processing affected by cloud services.
  • documenting how cloud services are prepared and carried out.
  • keeping up-to-date records on all activities affected by cloud services that handled the institution's data, particularly customer data. Record keeping must be based on EBA outsourcing recommendations (EBA/REC/2017/3).
  • notifying the MNB about the use of cloud services, including the data of the cloud service provider’s parent company, the activities and data categories affected by cloud services, the location of data processing and data storage for cloud services, contract dates, renewal dates and applicable laws.
  • submitting cloud contract advantages-disadvantages analyses, evaluations of cloud services and outsourcing, risk analyses, and termination strategies to the MNB.
  • evaluation of multi-factor authentication systems for privileged users.
  • broader security management including the establishment of a regulated network-connection rule system and its enforcement through technology, data leakage protection protocols and intrusion detection and prevention systems.

The New Cloud Guidance is available in Hungarian at: For more information on this eAlert, please contact one of the following CMS local experts: