EU Industry Compliance Guidelines

EU Industry Compliance Guidelines

Providing you with guidelines on laws, regulations, and regulatory requirements applicable to the EU industry

Providing you with guidelines on laws, regulations, and regulatory requirements applicable to the EU industry

Financial Regulatory Requirements

Financial Regulatory Requirements

DORA

DORA

The Digital Operational Resilience Act (DORA), issued by the European Parliament and the Council of the European Union, is a unified regulatory framework that requires EU financial institutions and ICT suppliers to strengthen their digital operational resilience and comprehensively control ICT risks, including third-party risks. This act is intended to promote information sharing and ensure financial service continuity and market stability.

DORA

European Banking Authority(EBA)

EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.


EBA Guidelines on ICT and security risk management: Released by EBA on November 29, 2019. These draft Guidelines establish requirements for credit institutions, investment firms and payment service providers (PSPs) on the mitigation and management of their information and communication technology (ICT) risks and aim to ensure a consistent and robust approach across the Single market.


EBA Guidelines on outsourcing arrangements: Released by EBA on February 25, 2019. These Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important.

DORA

European Securities and Markets Authority(ESMA)

ESMA is an independent EU authority whose purpose is to enhance investor protection, promote orderly financial markets, and safeguard financial stability.


Outsourcing Guidelines to cloud service providers: Released by ESMA on May 10, 2021. The objectives of these guidelines are to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure the common, uniform, and consistent application of the requirements. In particular, these guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements, from making the decision to outsource, selecting a cloud service provider, monitoring outsourced activities to providing for exit strategies.

DORA

European Insurance and Occupational Pensions Authority (EIOPA)

EIOPA is at the heart of insurance and occupational pensions supervision in the EU. Its mission is to protect the public interest. EIOPA does this by helping ensure the short-, medium- and long-term stability and effectiveness of the financial system for the EU's economy, businesses and people.



Guidelines on outsourcing to cloud service providers: Released by EIOPA on January 31, 2020. It sets out the final text of the EIOPA Guidelines on outsourcing to cloud service providers.


Guidelines on information and communication technology security and governance:

Released by EIOPA on October 8, 2020. The objective of these Guidelines is to:

a) Provide clarification and transparency to market participants on minimum expected information and cybersecurity capabilities.

b) Avoid potential regulatory arbitrage.

c) Foster supervisory convergence regarding the expectations and processes applicable in relation to ICT security and governance as a key to proper ICT and security risk management.

DORA

Central Bank of Ireland

The Central Bank of Ireland is a financial service regulator of the Republic of Ireland. It supervises credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. Its mission is to serve the public interest by safeguarding monetary and financial stability and by working to ensure that the financial system operates in the best interests of consumers and the wider economy.


Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks: Issued by Central Back of Ireland in September 2016, sets out guidance on information technology ("IT") and cybersecurity governance and risk management for regulated firms in Ireland. The guidance also articulates some observations that combine practices of regulatory work undertaken by the central bank during 2015 and 2016 to assess operational, governance, and strategic risks related to IT and cybersecurity in regulated firms. The guidance sets out the current thinking of the central bank as to best practices that regulated firms should use to develop effective IT and cybersecurity governance and risk management frameworks.


Cross Industry Guidance on Outsourcing: Issued by the Central Bank of Ireland in December 2021, outlines the bank's expectations in outsourcing risk management for regulated financial service providers (RFSPs or firms) to promote higher standards of operational resilience.

DORA

The Bank of Spain (Banco de España)

The Bank of Spain is the national central bank responsible for regulating Spanish banks. Under the framework of the Single Supervisory Mechanism (SSM), the Bank of Spain along with the European Central Bank is the regulator of the Spanish banking system. Its activities are regulated by the Law of Autonomy of the Bank of Spain.


The Bank of Spain has confirmed its intention to apply EBA Guidelines on ICT and security risk management and EBA Guidelines on outsourcing arrangements, issued by European Banking Authority (EBA) on February 25, 2019, in Spain.

DORA

The Hungarian National Bank (Magyar Nemzeti Bank)

The Hungarian National Bank, or Magyar Nemzeti Bank (MNB), in Hungarian; is the regulatory body of Hungarian financial markets and a member of the European System of Central Banks. MNB oversees credit institutions, securities markets and brokers, fund managers, payment service providers, investment companies, and insurance and reinsurance companies. The primary objective of MNB is to achieve and maintain price stability and use monetary policy to support the government's economic policy.


Government Decree 42/2015 (III.12.) on protecting the information system of financial institutions, insurance undertakings, reinsurance undertakings, investment firms and commodity dealers: Issued by the Hungarian government on January 1, 2016, outlines supervision measures, data protection controls, information security certification procedures, and system integrity inspection and control regulations for protecting the security of information systems of financial institutions, insurance undertakings, reinsurance undertakings, investment firms, and commodity dealers.

DORA

The National Bank of Romania (Banca Națională a României, BNR)

The National Bank of Romania (NBR) is the central bank of Romania. Its main objective is to ensure and maintain price stability and support the general economic policy of the government. The main tasks of NBR are to develop and implement the monetary and exchange rate policies, to authorize, regulate, and prudently supervise credit institutions, and to promote and oversee smooth operations of the payment systems to ensure financial stability.


Regulation no. 3/2018 on the monitoring of financial market infrastructures and payment instruments: Issued by the National Bank of Romania on August 1, 2018, sets out requirements on the authorization and supervision of the financial market infrastructure and its managers and participants, as well as the circulation, issuance, and supervision of payment instruments, and payment service providers.


Instructions from 20.01.2020 on outsourcing: Issued by the National Bank of Romania on January 20, 2020, clarifies that payment institutions and electronic money institutions should consider adopting EBA Guidelines on outsourcing arrangements released by the European Banking Authority (EBA) on February 25, 2019.

DORA

Federal Financial Supervisory Authority

Federal Financial Supervisory Authority is the German financial industry regulator that centrally regulates banks and financial service providers, insurance companies and securities transactions. Its main objective is to ensure the proper functioning, stability and integrity of the German financial system.


BaFin Guidance on Outsourcing to Cloud Service Providers: Officially released in November 2018. It provides guidance for BaFin and Deutsche Bundesbank to financial institutions on the risk control assessment process and key contract elements for cloud service providers when adopting cloud services.


Circular 10/2017 on The Banking Supervisory Requirements for IT: First released on November 6, 2017 and revised in August 2021, it provides a flexible and practical framework for institutions' technical and organizational resources, especially in IT resource management, information risk management, and information security management.


Circular 11/2019 on Supervisory Requirements for IT in Capital Management Companies: This circular was officially released in October 2019. The circular covers the technical and organizational resources of German capital managers, in particular IT resource management and IT risk management. In addition, it specifies requirements related to organizational requirements, risk management and outsourcing to determine minimum regulatory requirements for information technology for German capital managers.


Circular 10/2018 on Supervisory Requirements for IT in Insurance Undertakings: Officially released in November 2018. Based on the German Insurance Supervision Law, this circular describes the technical and organizational resources that BaFin considers appropriate as IT systems, especially the requirements on information security and information risk management.

DORA

Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF)

As a member of the European Union, Poland's financial regulatory system must adhere to the unified framework of the EU, while the local regulatory authority, the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF), retains the power to implement localized regulations. The KNF has issued guidelines related to ICT risks for regulated entities, which are to be implemented by the KNF. On January 16, 2025, the KNF announced the termination of the previous set of requirements and will regulate based on DORA and its accompanying implementing acts, Regulatory Technical Standards (RTS), and Implementing Technical Standards (ITS).

DORA

Luxembourg Financial Supervisory Authority (Commission de Surveillance du Secteur Financier)

As a member state of the European Union, Luxembourg's financial regulatory system must adhere to the unified framework of the EU, while the local regulatory authority, the Commission de Surveillance du Secteur Financier (CSSF), retains the power to implement localized regulations. On January 17, the CSSF issued a notice stating that DORA (including RTS, ITS, and other supporting requirements) takes precedence over any overlapping elements in previous CSSF circulars. However, for requirements not covered by DORA, the current regulations remain in effect. Meanwhile, the CSSF is updating relevant texts (guidelines and circulars) and will release them in due course.

The requirements still in effect include:

- CSSF 20/750, Specifying the requirements regarding information and communication technology (ICT) and security risk management

- CSSF 22/806, On outsourcing arrangements (regarding ICT outsourcing arrangements)

- CSSF 24/847, On ICT-related incident reporting framework

FAQs About the European Financial Industry

FAQs About the European Financial Industry

Automotive Industry Regulatory Requirments

Automotive Industry Regulatory Requirments

European Automotive Industry Security and Privacy Compliance Guide

This white paper will provide a detailed explanation of the specific measures Huawei Cloud takes to assist customers in meeting regulatory requirements, as well as showcase Huawei Cloud's own compliance, in response to the regulatory requirements and guidelines that European automotive companies typically need to follow when using cloud services.

Frequently Asked Questions About the European Automotive Industry

Frequently Asked Questions About the European Automotive Industry

What are the advantages of Huawei Cloud providing cloud services to entities in the European automotive industry?

With its outstanding technology and forward-looking strategies, Huawei Cloud is actively expanding its presence in the European market. It has already launched cloud services in Ireland and established local excellence operations and technical support teams in Ireland and Hungary. Additionally, Huawei Cloud has local customer operation teams in several European countries, providing 7×24 localized services to automotive industry entities in Europe, ensuring efficient and stable operations of automotive businesses.

Huawei Cloud continues to deepen its efforts in areas such as security, compliance, privacy protection, resilience, and transparency, comprehensively demonstrating its reliability. To date, Huawei Cloud's infrastructure and cloud services have successfully passed over 140 global authoritative certifications, including the TISAX (Trusted Information Security Assessment Exchange) certification for the European automotive industry. In the process of using cloud services, automotive industry entities must also comply with applicable regulatory requirements and industry standards.

What are the applicable compliance requirements, industry standards, and guidelines for European automotive industry entities using Huawei Cloud?

European automotive industry entities are required to comply with safety and privacy compliance requirements and industry standards, which mainly include:

- United Nations Regulation No. 155 "Cyber Security and Cyber Security Management System" (UNECE R155): This regulation, issued by the United Nations Economic Commission for Europe (UNECE) World Forum for Harmonization of Vehicle Regulations (WP.29), specifies the requirements related to automotive cybersecurity and mandates the establishment of a Cyber Security Management System (CSMS).

- United Nations Regulation No. 156 "Software Update and Software Update Management System" (UNECE R156): Also issued by UNECE WP.29, this regulation outlines the requirements for software updates of Electronic Control Units (ECUs) in vehicles.

In 2020, UNECE R155 and R156 were adopted, requiring certified Cyber Security Management Systems (CSMS) and Software Update Management Systems (SUMS) as prerequisites for automotive manufacturers to obtain vehicle type approval and sell new models.

- ISO/SAE 21434 "Road Vehicles - Cyber Security Engineering": This standard covers all electronic systems and software equipment within vehicles, stipulating the engineering requirements for cybersecurity risk management throughout the entire lifecycle of road vehicle electrical and electronic (E/E) systems (including their components and interfaces) during the concept, product development, production, operation, maintenance, and decommissioning phases.

- TISAX (Trusted Information Security Assessment Exchange): Developed by the German Association of the Automotive Industry (VDA) in collaboration with the European Automotive Industry Security Data Exchange Association (ENX), TISAX is a security standard for information security assessment and data exchange in the automotive industry. It addresses organizational security, personnel security, access control, system development and maintenance, physical security, communication, and network security. TISAX aims to ensure that all segments of the automotive supply chain, including manufacturers, component suppliers, and third-party service providers, achieve a specific level of information security to address the increasing complexity of global automotive supply chain information security risks.

- "Guidelines on Personal Data Protection in the Internet of Vehicles" (Guidelines 01/2020): These guidelines provide recommendations for the protection of personal data in the context of connected vehicles.

In the process of complying with regulatory requirements and industry standards, what are the respective responsibilities of European automotive industry entities and Huawei Cloud?

Huawei Cloud is committed to providing secure and compliant infrastructure and services for European automotive industry entities. All services are built with security features and ensure the safety and reliability of cloud services through continuous operation and maintenance. Huawei Cloud ensures that the infrastructure and services provided have been evaluated by independent third-party security authorities and reviewed by security certification bodies.

European automotive industry entities are the masters of compliance. When using Huawei Cloud services, customers need to consider the characteristics of their cloud-based businesses, comprehensively evaluate internal applications, and customize the deployment and configuration of cloud services, including data security configurations. They must effectively safeguard the confidentiality, integrity, availability, and identity verification and authentication of data access. Additionally, based on business characteristics, Huawei Cloud customers must ensure that their operations meet the corresponding compliance requirements and industry standards.

European automotive industry entities can download the "Huawei Cloud Security White Paper" to view details of Huawei Cloud's security responsibilities and your own. For more questions regarding security and compliance, you can consult your account manager or contact Huawei Cloud.