EU Financial Regulations & Guidelines

EU Financial Regulations & Guidelines

Financial Regulatory Requirements

Financial Regulatory Requirements

The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA), issued by the European Parliament and the Council of the European Union, is a unified regulatory framework that requires EU financial institutions and ICT suppliers to strengthen their digital operational resilience and comprehensively control ICT risks, including third-party risks. This act is intended to promote information sharing and ensure financial service continuity and market stability.

European Banking Authority,EBA

EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.


EBA Guidelines on ICT and security risk management: Released by EBA on November 29, 2019. These draft Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market.


EBA Guidelines on outsourcing arrangements: Released by EBA on February 25, 2019. These Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important.

European Securities and Markets Authority(ESMA)

ESMA is an independent EU authority whose purpose is to enhance investor protection, promote orderly financial markets, and safeguard financial stability.


Outsourcing Guidelines to cloud service providers: Released by ESMA on May 10, 2021. The objectives of these guidelines are to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure the common, uniform, and consistent application of the requirements. In particular, these guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements, from making the decision to outsource, selecting a cloud service provider, monitoring outsourced activities to providing for exit strategies.

European Insurance and Occupational Pensions Authority (EIOPA)

EIOPA is at the heart of insurance and occupational pensions supervision in the EU. Its mission is to protect the public interest. EIOPA does this by helping ensure the short-, medium- and long-term stability and effectiveness of the financial system for the EU's economy, businesses and people.



Guidelines on outsourcing to cloud service providers: Released by EIOPA on January 31, 2020. It sets out the final text of the EIOPA Guidelines on outsourcing to cloud service providers.


Guidelines on information and communication technology security and governance:

Released by EIOPA on October 8, 2020. The objective of these Guidelines is to:

a) Provide clarification and transparency to market participants on minimum expected information and cybersecurity capabilities.

b) Avoid potential regulatory arbitrage.

c) Foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.

FAQs About the European Financial Industry

FAQs About the European Financial Industry

Can European financial institutions use Huawei Cloud?

Huawei Cloud has been launched in Europe. Financial institutions can purchase and use Huawei Cloud products and services after registering on the Huawei Cloud website. However, when using Huawei Cloud services, financial institutions must comply with all applicable laws and regulatory requirements.

Do EU financial institutions need to comply with DORA when using Huawei Cloud?

Since January 17, 2025, EU financial institutions and their critical information and communications technology (ICT) providers must be prepared to comply with The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554. Huawei Cloud, as a cloud service provider for EU financial institutions, provides comprehensive capabilities and services to help EU financial institutions create cloud environments that meet DORA requirements. We help financial institutions in the EU fully leverage cloud computing while also ensuring compliance with regulatory requirements, enhancing their digital operations and competitiveness.

What are the responsibilities of EU financial institutions and Huawei Cloud in terms of compliance with DORA?

Although DORA does not directly apply to Huawei Cloud (unless formally designated as a critical ICT provider by EU regulators), Huawei Cloud is committed to providing resources and services to our customers to help them meet applicable DORA requirements.


Huawei Cloud is committed to providing EU financial institutions with secure and compliant infrastructure and services. Each service has built-in security features and is guaranteed to run securely through continuous O&M. Huawei Cloud ensures that the infrastructure and services it provides have been assessed by authoritative, independent, third-party agencies and reviewed by relevant certifying bodies.


EU financial institutions are responsible for their compliance with applicable DORA requirements. When using Huawei Cloud services, you are responsible for security and compliance of internal applications, custom deployment, and cloud service settings, including data security settings, based on their cloud service features to effectively ensure confidentiality, integrity, availability, and data access authentication and authorization. You are also responsible for compliance with the relevant regulatory requirements for your workloads on the cloud.


You can download Huawei Cloud Security White Paper and HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines (EU, Ireland, Spain, Hungary, Romania and Germany) to learn more details about Huawei Cloud and customer security responsibilities. For any other security and compliance questions, contact your account manager or Huawei Cloud.

What industry regulatory requirements should EU financial institutions comply with when using Huawei Cloud?

The Digital Operational Resilience Act (DORA), issued by the European Parliament and the Council of the European Union, is a unified regulatory framework that requires EU financial institutions and ICT suppliers to strengthen their digital operational resilience and comprehensively control ICT risks, including third-party risks. This act is intended to promote information sharing and ensure financial service continuity and market stability. The related regulatory requirements and guidelines include:


•REGULATION (EU) 2022/2554 Digital Operational Resilience Act: This act creates a regulatory ICT risk management framework and provides consistent regulations to help regulated financial institutions comply with technical standards for digital operational resilience with the aim of enhancing the digital resilience of the EU financial system.


•REGULATION (EU) 2024/1772 Regulatory Technical Standards on criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents: These standards specify the criteria for the classification criteria of major ICT-related incidents, the criteria and materiality thresholds for determining significant cyber threats, and the details of reports of major incidents.


•REGULATION (EU) 2024/1773 Regulatory Technical Standards on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers: These standards specify detailed regulatory technical standards for contractual arrangements on the use of ICT services supporting critical or important functions provided by third-party ICT service providers.


•REGULATION (EU) 2024/1774 Regulatory Technical Standards on ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework: These standards specify the technical standards for the regulation of ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.

HUAWEI CLOUD User Guide to Digital Operational Resilience Act (DORA) Regulations & Guidelines (EU) elaborates how Huawei Cloud will help financial institutions meet DORA requirements.

How does Huawei Cloud comply and help me comply with EBA's Guidelines on ICT and security risk management?

On November 29, 2019, the European Banking Authority (EBA) published the Final report on the guidelines on ICT and security risk management to establish requirements for credit institutions, investment firms, and payment service providers (PSPs) on the mitigation and management of ICT and security risks. These guidelines cover information security, ICT operations, ICT project change and management, and business continuity.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 5 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines Industry summarizes the CSP-related requirements in the EBA's guidelines and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with EBA's Guidelines on outsourcing arrangements?

On February 25, 2019, EBA released Guidelines on outsourcing arrangements. These guidelines provide a clear definition of outsourcing and specify due diligence, contract phases, data and system security, access, information, and audit rights, requirements for termination rights and supervision of outsourced functions.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 6 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements in the EBA's guidelines and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with ESMA's Guidelines on outsourcing to cloud service providers?

On May 10, 2021, the European Securities and Market Authority (ESMA) launched Guidelines on outsourcing to cloud service providers. These guidelines specify requirements on pre-outsourcing analysis and due diligence, key contract elements, information security, exit policies, access and audit permissions, and secondary outsourcing.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 7 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with EIOPA's Guidelines on outsourcing to cloud service providers?

On January 31, 2020, the European Insurance and Occupational Pensions Authority (EIOPA) released the Guidelines on outsourcing to cloud service providers. These guidelines specify the requirements on due diligence, contracts, access and audit rights, and data and system security, sub-outsourcing of critical or important operational functions or activities, monitoring and supervision of cloud outsourcing arrangements, termination rights, and exit strategies.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 8 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with EIOPA's Guidelines on information and communication technology security and governance?

On October 8, 2020, the European Insurance and Occupational Pension Administration (EIOPA) released Guidelines on information and communication technology security and governance. These guidelines cover logical security, personal safety, ICT operation security, security monitoring, information security review, evaluation, and testing, and ICT operation management, ICT incident and problem management, ICT system acquisition and development, business impact analysis, business continuity planning, response and recovery planning, plan testing, and crisis communication.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 9 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

Central Bank of Ireland

The Central Bank of Ireland is a financial service regulator of the Republic of Ireland. It supervises credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. Its mission is to serve the public interest by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of consumers and the wider economy.


Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks: Issued by Central Back of Ireland in September 2016, sets out guidance on information technology ("IT") and cybersecurity governance and risk management for regulated firms in Ireland. The guidance also articulates some observations that combine practices of regulatory work undertaken by the central bank during 2015 and 2016 to assess operational, governance, and strategic risks related to IT and cybersecurity in regulated firms. The guidance sets out the current thinking of the central bank as to best practices that regulated firms should use to develop effective IT and cybersecurity governance and risk management frameworks.


Cross Industry Guidance on Outsourcing: Issued by the Central Bank of Ireland in December 2021, outlines the bank's expectations in outsourcing risk management for regulated financial service providers (RFSPs or firms) to promote higher standards of operational resilience.

How does Huawei Cloud comply and help me comply with Ireland's Cross Industry Guidance in Respect of Information Technology and Cybersecurity Risks?

In September 2016, the Central Bank of Ireland published Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks, which sets out the requirements on risk management, cyber security, and IT system and service outsourcing.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 10 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements in this guidance and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with Ireland's Cross-Industry Guidance on Outsourcing?

The Cross-Industry Guide - Outsourcing released by the Central Bank of Ireland in December 2021 specifies the management requirements on sub-outsourcing risks, sensitive data risks, data security, availability, and integrity, due diligence, outsourcing arrangements and service level agreements (SLAs), and continuous monitoring and challenges, disaster recovery, and business continuity.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 11 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements in this guidance and describes how Huawei Cloud helps customers meet these requirements.

The Bank of Spain (Banco de España)

The Bank of Spain is the national central bank responsible for regulating Spanish banks. Under the framework of the Single Supervisory Mechanism (SSM), the Bank of Spain along with the European Central Bank is the regulator of the Spanish banking system. Its activities are regulated by the Law of Autonomy of the Bank of Spain.


The Bank of Spain has confirmed its intention to apply EBA Guidelines on ICT and security risk management and EBA Guidelines on outsourcing arrangements, issued by European Banking Authority (EBA) on February 25, 2019, in Spain.

The Hungarian National Bank (Magyar Nemzeti Bank)

The Hungarian National Bank, or Magyar Nemzeti Bank (MNB), in Hungarian; is the regulatory body of Hungarian financial markets and a member of the European System of Central Banks. MNB oversees credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. The primary objective of MNB is to achieve and maintain price stability and use monetary policy to support the government's economic policy.


Government Decree 42/2015 (III.12.) on protecting the information system of financial institutions, insurance undertakings, reinsurance undertakings, investment firms and commodity dealers: Issued by the Hungarian government on January 1, 2016, outlines supervision measures, data protection controls, information security certification procedures, and system integrity inspection and control regulations for protecting the security of information systems of financial institutions, insurance undertakings, reinsurance undertakings, investment firms, and commodity dealers.

How does Huawei Cloud comply and help me comply with Hungary's Government Decree No. 42/2015 (III.12.) on Protecting the Information System of Financial Institutions, Insurance Undertakings, Reinsurance Undertakings, Investment Firms and Commodity Dealers?

Government Decree No. 42/2015 (III.12.) on Protecting the Information System of Financial Institutions, Insurance Undertakings, Reinsurance Undertakings, Investment Firms and Commodity Dealers issued by the Hungarian National Bank (MNB) on January 1, 2016 specifies requirements on information technology monitoring, regulations on data security protection, and information technology system integrity control.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 12 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements in this decree and describes how Huawei Cloud helps customers meet these requirements.

The National Bank of Romania (Banca Națională a României)

The National Bank of Romania (NBR) is the central bank of Romania. Its main objective is to ensure and maintain price stability and support the general economic policy of the government. The main tasks of NBR are to develop and implement the monetary and exchange rate policies, to authorize, regulate, and prudently supervise credit institutions, and to promote and oversee smooth operations of the payment systems to ensure financial stability.


Regulation no. 3/2018 on the monitoring of financial market infrastructures and payment instruments: Issued by the National Bank of Romania on August 1, 2018, sets out requirements on the authorization and supervision of the financial market infrastructure and its managers and participants, as well as the circulation, issuance, and supervision of payment instruments, and payment service providers.


Instructions from 20.01.2020 on outsourcing: Issued by the National Bank of Romania on January 20, 2020, clarifies that payment institutions and electronic money institutions should consider adopting EBA Guidelines on outsourcing arrangements released by the European Banking Authority (EBA) on February 25, 2019.

How does Huawei Cloud comply and help me comply with Romania's NBR Regulation No. 3/2018 on Financial Market Infrastructures and Payment Instruments Oversight?

NBR Regulation No. 3/2018 on Financial Market Infrastructures and Payment Instruments Oversight issued on August 1, 2018 sets out the requirements on operational risk management, efficiency and effectiveness, IPF managers ensuring cyber resilience, and financial market infrastructure participants.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 13 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements in this regulation and describes how Huawei Cloud helps customers meet these requirements.

Polish Financial Supervision Authority

As an EU member state, Poland’s financial regulatory framework operates under the EU’s unified regulatory architecture, while the Polish Financial Supervision Authority (KNF: Komisja Nadzoru Finansowego) retains authority for localized implementation.

KNF has previously issued guidelines on ICT risk management for regulated entities, which it oversees. On January 16, 2025, KNF announced the repeal of its prior requirements, aligning its supervisory approach with the Digital Operational Resilience Act (DORA) and its complementary legal instruments, including Implementing Acts, Regulatory Technical Standards (RTS), and Implementing Technical Standards (ITS).

The Commission de Surveillance du Secteur Financier

Luxembourg, as an EU member state, operates under the EU’s unified financial regulatory framework, while the Luxembourg Financial Sector Supervisory Commission (CSSF: Commission de Surveillance du Secteur Financier) retains localized implementation authority.

On January 17, 2025, the CSSF issued a notice stating that the Digital Operational Resilience Act (DORA), including its complementary Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), takes precedence over any overlapping provisions in previous CSSF circulars. However, requirements not addressed by DORA remain governed by existing regulations. The CSSF is currently updating its relevant texts (guidelines and circulars) and will publish them in due course.


Ongoing requirements under implementation include:

·CSSF Circular 20/750: Specifying Requirements for Information and Communication Technology (ICT) and Security Risk Management

·CSSF Circular 22/806: On Outsourcing Arrangements (ICT Outsourcing Arrangements)

·CSSF Circular 24/847: On ICT-Related Incident Reporting Framework

How does Huawei Cloud comply and help me comply with Luxembourg's CSSF Circular 22/806: On Outsourcing Arrangements?

Find out more about how Huawei Cloud responds to CSSF 22/806 on outsourcing arrangements.

Federal Financial Supervisory Authority

Federal Financial Supervisory Authority is the German financial industry regulator that centrally regulates banks and financial service providers, insurance companies and securities transactions. Its main objective is to ensure the proper functioning, stability and integrity of the German financial system.


BaFin Guidance on Outsourcing to Cloud Service Providers: Officially released in November 2018. It provides guidance for BaFin and Deutsche Bundesbank to financial institutions on the risk control assessment process and key contract elements for cloud service providers when adopting cloud services.


Circular 10/2017 on The Banking Supervisory Requirements for IT: First released on November 6, 2017 and revised in August 2021, it provides a flexible and practical framework for institutions' technical and organizational resources, especially in IT resource management, information risk management, and information security management.


Circular 11/2019 on Supervisory Requirements for IT in Capital Management Companies: This circular was officially released in October 2019. The circular covers the technical and organizational resources of German capital managers, in particular IT resource management and IT risk management. In addition, it specifies requirements related to organizational requirements, risk management and outsourcing to determine minimum regulatory requirements for information technology for German capital managers.


Circular 10/2018 on Supervisory Requirements for IT in Insurance Undertakings: Officially released in November 2018. Based on the German Insurance Supervision Law, this circular describes the technical and organizational resources that BaFin considers appropriate as IT systems, especially the requirements on information security and information risk management.

How does Huawei Cloud comply and help me comply with BaFin's Guidance on Outsourcing to Cloud Service Providers?

In November 2018, BaFin's Guidance on Outsourcing to Cloud Service Providers was officially released, which provides guidance for BaFin and Deutsche Bundesbank to financial institutions in terms of analysis and materiality assessment, audit rights, data security, and termination rights when adopting cloud services.

When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 14 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with BaFin's Circular 10/2017 on The Banking Supervisory Requirements for IT?

On November 6, 2017, the Federal Financial Supervisory Authority released the Circular 10/2017 on The Banking Supervisory Requirements for IT. The regulatory requirements specify security requirements such as information security, operational security, identity and access management, IT project and application development, outsourcing IT services, and IT business continuity.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 15 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with BaFin's Circular 11/2019 on Supervisory Requirements for IT in Capital Management Companies?

In October 2019, the Circular 11/2019 on Supervisory Requirements for IT in Capital Management Companies was officially released, which stipulates security requirements such as information risk management, information security, identity and access management, IT project and application development, and outsourcing IT services.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 16 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

How does Huawei Cloud comply and help me comply with BaFin's Circular 10/2018 on Supervisory Requirements for IT in Insurance Undertakings?

In November 2018, the Federal Financial Supervisory Authority released the Circular 10/2018 on Supervisory Requirements for IT in Insurance Undertakings, which specifies security requirements for information risk management, information security, identity and access management, IT project and application development, and outsourcing IT services.


When financial institutions follow the guidelines, Huawei Cloud, as a CSP, may participate in some activities related to the requirements.


Chapter 17 of the HUAWEI CLOUD User Guide to Financial Services Regulations & Guidelines summarizes the CSP-related requirements and describes how Huawei Cloud helps customers meet these requirements.

Compliance Resources

Compliance Resources

These are compliance documents applicable to financial institutions in European. For more documents, visit the Resource Center.

These are compliance documents applicable to financial institutions in European. For more documents, visit the Resource Center.

HUAWEI CLOUD User Guide to Digital Operational Resilience Act (DORA) Regulations & Guidelines (EU)

This white paper shares Huawei's experience in privacy protection under the requirements of the EU Digital Operational Resilience Act (DORA) and describes how Huawei Cloud will help you meet DORA requirements.

Huawei Cloud User Guide to Financial Services Regulations & Guidelines(EU: Ireland, Spain, Hungary, Romania and Germany)

Huawei Cloud helps financial customers meet these regulatory requirements, and continues to provide financial customers with cloud services and business operation environments that comply with financial industry standards.