Repeal of the “Cloud Communication” - what next?

The DORA Regulation, which became effective on 17 January 2025, introduced new comprehensive rules for technology risk management and cyber security for financial entities across the European Union. In order to avoid contradictions between national soft law and uniform EU regulations, the Polish Financial Supervision Authority (hereinafter: PFSA) decided to repeal several resolutions containing guidelines, hitherto relevant for the regulation of supervised markets. From the point of view of cloud services, the most significant decision was the repeal (also on 17 January 2025) of the Cloud Communication (hereinafter: Cloud Communication) .

In relation to entities deciding to use cloud solutions, the Cloud Communication addressed a wide range of issues, such as requirements for risk analysis, ensuring appropriate technical and organisational safeguards, the obligation to notify the planned use of the cloud to the PFSA, or how to deal with crisis or emergency situations.

How then is the regulatory reality after the repeal of the Cloud Communication?

The repeal of the Cloud Communication means that supervised entities wishing to use cloud computing must adapt to the DORA Regulation. In particular, the obligation to report to the FSA the intention to use the cloud has been replaced by more general operational reporting requirements under DORA.

In addition, another field to be considered at present is the EBA's Guidelines on Outsourcing, a source of soft law regulation directed at financial institutions and enacted in 2019. In its current form, the DORA Regulation implements a similar level of regulation of outsourcing as the Guidelines, nevertheless, it should be borne in mind that the EBA has already announced that it will enact future updates to the Guidelines in connection with the entry into force of the DORA Regulation.

In summary, the repeal of the Cloud Communication by no means implies discretion for supervised entities from the use of cloud services, obliging them to adapt their solutions in this respect to the DORA Regulation.