Recently, the Polish Financial Supervision Authority (“KNF”) presented a draft communiqué on cloud computing operations involving legally protected information (“Draft”). The Draft relates to a large group of supervised entities (including banks, insurance companies, investment fund managers, pension fund managers, payment institutions). It also indirectly concerns providers who offer cloud computing services to such supervised entities.
Legal nature of the Draft
The legal nature of KNF’s communiqués is not entirely clear. In principle, their aim is to present the KNF’s expectations and standpoint on the interpretation of the applicable legislation. However, they are not generally applicable laws or recommendations addressed to the given sector (interestingly enough – according to the Draft, the new communiqué is intended to supplement certain KNF recommendations/guidelines regarding outsourcing). In practice, however, supervised entities comply with the ‘interpretative guidelines’ contained in them.
The Draft represents the “national approach” on use of cloud computing by financial sector entities. Therefore, national supervised entities will not be subject to guidelines or other EBA, ESMA or EIOPA documents which apply or could apply to cloud computing (the KNF may refrain from applying them but must justify why it has chosen that course of action).
The key takeaways from the Draft include:
- Clarifying basic concepts such as “legally protected information” and “cloud computing outsourcing”. A new category of “special outsourcing of cloud computing” was also introduced into the Draft. This applies to actions and/or functions of a particularly important nature. These new definitions should make it easier to identify the situations to which the Draft will apply, and those in which it will not be necessary.
- The requirement that a supervised entity carry out a classification and evaluation of information and a risk estimation, i.e. identification, analysis and evaluation of threats, the likelihood of their occurring and the impact of such an occurrence on the supervised entity and conducted activity in relation to use of cloud computing.
- Requirements relating to agreements concluded with cloud computing services providers. According to the KNF, a supervised entity’s right to carry out an inspection in the provider’s locations should be contractually secured only if such a need follows from the risk estimation. On the other hand, the KNF presents quite a rigorous approach as regards the choice of the governing law – departing from Polish law in an agreement with a provider will only be feasible if the other law to be choosen by the parties allows for an effective implementation of not only the agreement itself, but also all the requirements of Polish law applicable to the supervised entity.
- An obligation to inform the KNF about each outsourcing agreement concluded with a cloud computing services provider to which the Draft will apply.
- Restrictions on the use of data centre locations in countries outside the European Economic Area, and even outside of Poland.
- Extensive technical requirements, including those concerning data encryption. The expectations towards cloud computing service providers have also been more clearly specified as regards the applicable standards (e.g. PN-EN ISO/IEC 27001, PN-EN ISO 22301 and ISO/IEC 27018).
- The need to document actions taken by a supervised entity (e.g. documentation concerning technical issues, such as network architecture, systems and applications, as well as legal issues, including compliance management).
- Application of the provisions of the Draft should factor in the principle of proportionality (i.e. bearing in mind the scale, nature and complexity of the risk of a given supervised entity). This principle should not be interpreted as permission for smaller supervised entities to use less effective forms of security than those described in the Draft.
Deadline to adapt
According to the Draft, supervised entities should inform the KNF about their cloud computing operations, including in particular about fulfilment of the requirements contained in the communication, within 90 days of when the communication comes into force. However, those of them which are only now planning to use cloud computing should, in principle, furnish this information 14 days before the commencement of cloud computing operations. Taking into account the level of detail of the requirements presented in the draft, the deadlines set by the KNF seem to be very short.
Though work on the Draft is still underway (the official deadline for submitting comments lapsed on 15 the November 2019 , and its ultimate content may change), in view of the above deadlines and the scope of the requirements it is worth starting with roll out of new requirements already now.