Oracle Cloud Compliance

Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.

Shared Management Model

Cloud computing is fundamentally different from traditionally on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).

Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.

Attestations

Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it is important that you consider they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty and is not incorporated into contracts.

Customers can obtain more information about available attestations by contacting their Oracle sales representative.

Global

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

CSA STAR
Cloud Security Alliance Security Trust Assurance and Risk
CSA STAR

The Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment to be performed by a reputable third-party that affirms implementation of necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and controls from SOC 2 and ISO/IEC 27001. For more information, see https://cloudsecurityalliance.org/star/

yes
yes
GSMA SAS-SM
GSMA SAS-SM Data Centre Operations and Management
GSMA SAS-SM

Global System for Mobile communications Association (GSMA) is a global organization that represents the interests of mobile network operators and related companies in the telecommunications industry. The GSMA’s Security Accreditation Scheme (SAS) is intended to enable mobile operators to assess the security of their Universal Integrated Circuit Card (UICC )and embedded UICC (eUICC) suppliers, and of their eUICC subscription management service providers. For more information, see https://www.gsma.com/security/security-accreditation-scheme/

yes
ISO 9001
ISO 9001: Quality Management Systems
ISO 9001

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. The ISO 9001 standard family is based on a number of quality management principles including a strong customer focus. It is intended “to help organizations demonstrate its ability to consistently provide customers good quality products and services.” For more information, see https://www.iso.org/standard/62085.html

yes
yes
ISO/IEC 20000-1
ISO/IEC 20000-1: Service Management Systems
ISO/IEC 20000-1

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see https://www.iso.org/standard/70636.html

yes
ISO/IEC 27001
ISO/IEC 27001: Information Security Management Systems
ISO/IEC 27001

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 27001 Standard. It is intended to provide guidance for establishment and continuous improvement of an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. For more information, see https://www.iso.org/isoiec-27001-information-security.html

yes
yes
yes
yes
yes
ISO/IEC 27017
ISO/IEC 27017: Cloud Specific Controls
ISO/IEC 27017

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27017, a set of guidelines for information security controls applicable to the provision and use of cloud services. It is intended to provide additional implementation guidance for relevant controls specified in ISO/IEC 27002 and guidance that specifically relates to cloud services. For more information, see https://www.iso.org/standard/82878.html

yes
yes
yes
ISO/IEC 27018
ISO/IEC 27018: Personal Information Protection Controls
ISO/IEC 27018

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27018, to be used in conjunction with the information security objectives and controls in ISO/IEC 27002. It is intended to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a Personally Identifiable Information (PII) processor. For more information, see https://www.iso.org/standard/76559.html

yes
yes
yes
yes
yes
ISO/IEC 27701
ISO/IEC 27701: Privacy Information Management
ISO/IEC 27701

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27701. It is intended to provide guidance for the establishment and continuous improvement of a Privacy Information Management System (PIMS) which is processing Personally Identifiable Information (PII). This standard is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. For more information, see https://www.iso.org/standard/71670.html

yes
PCI DSS
Payment Card Industry Data Security Standard
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security practices globally. The PCI DSS standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). For more information, see https://www.pcisecuritystandards.org/

yes
yes
yes
yes
yes
SOC 1
System and Organization Controls 1
SOC 1

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 1 report helps companies to establish trust and confidence in their service delivery processes and controls. The intent of these reports focuses on Internal Controls over Financial Reporting (ICFR). For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1

yes
yes
yes
yes
yes
SOC 2
System and Organization Controls 2
SOC 2

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 2 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy Trust Criteria. The intent of this report is to provide detailed information and assurance about the controls relevant to security, availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2

yes
yes
yes
yes
yes
SOC 3
System and Organization Controls 3
SOC 3

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. These reports are shorter than SOC 2 reports and have less details. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-3

yes
yes
yes

Americas

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

DoD DISA SRG
Department of Defense, Defense Information Systems Agency, Systems Requirement Guide
DoD DISA SRG

The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the US Department of Defense (DoD) will assess the security posture of non-DoD cloud service providers (CSPs). Additionally, the CC SRG explains how non-DoD CSPs can show they meet the security controls and requirements before handling any DoD data.

CC SRG provides for the following categorization:

  • Impact Level 2: Data cleared for public release (note: Level 1 was combined with Level 2)
  • Impact Level 4: Controlled unclassified information (CUI) over the Non-Secure Internet Protocol Router Network (NIPRNet). CUI includes protected health information (PHI), privacy information (PII) and export controlled data (note: Level 3 was combined with Level 4)
  • Impact Level 5: Higher sensitivity CUI, mission-critical information, or NSS over NIPRNet
  • Impact Level 6: Classified data over Secret Internet Protocol Router Network (SIPRNet)
  • For more information, see https://dl.dod.cyber.mil/wp-content/uploads/cloud/zip/U_Cloud_Computing_SRG_V1R4.zip

    yes
    yes
    FedRAMP
    Federal Risk and Authorization Management Program
    FedRAMP

    The Federal Risk and Authorization Management Program (FedRAMP) is a US government program designed to provide a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.

    FedRAMP uses the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of security controls for all US federal information systems. FedRAMP requires cloud service providers (CSPs) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).

    For more information, see https://marketplace.fedramp.gov/#!/products?sort=productName&productNameSearch=oracle

    yes
    yes
    FIPS 140
    Federal Information Processing Standards Publication 140
    FIPS 140

    The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard published by the National Institute of Standards and Technology (NIST) that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. For more information, see https://csrc.nist.gov/publications/detail/fips/140/2/final

    Learn more about Oracle's FIPS certifications: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html

    Not applicable Not applicable Not applicable Not applicable  
    HITRUST CSF
    Health Information Trust Alliance Common Security Framework
    HITRUST CSF

    The Health Information Trust Alliance (HITRUST) is an organization representing the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a framework against which cloud service providers (CSPs) and covered health entities can demonstrate compliance to US Health Insurance Portability and Accountability Act (HIPAA) requirements. For more information, see https://hitrustalliance.net/

    yes
    yes
    HIPAA
    Health Insurance Portability and Accountability Act
    HIPAA

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law. It requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For more information, see https://www.hhs.gov/hipaa/

    yes
    yes
    yes
    yes
    yes
    State RAMP: TX-RAMP
    Texas Risk and Authorization Management Program (TX-RAMP)
    State RAMP: TX-RAMP

    The Texas Risk and Authorization Management Program (TX-RAMP) is “a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation.” For more information, see https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp

    yes
    yes
    yes

    Europe, Middle East, and Africa

    Attestation

    Oracle Cloud Infrastructure

    Oracle Applications

    NetSuite

    Oracle Industries

    Oracle Health

    ACN
    Italian Public Administration Directorial Decree Prot. N. 5489
    ACN

    The Italian National Cybersecurity Agency (Agenzia Per La Cybersicurezza nazionale or ACN) is an Italian government body that manages “Catalog of qualified Cloud services for the Public Administration (PA)”. ACN provides “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability”. For more information, see https://www.acn.gov.it/portale/en/cloud/regolamento-cloud-per-la-pa

    yes
    yes
    C5
    Cloud Computing Compliance Controls Catalog
    C5

    The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) in 2016. The intent of this standard is to establish a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with the government. For more information, see https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html

    yes
    yes
    CST CCRF
    Cloud Computing Regulatory Framework (CST CCRF)
    CST CCRF

    The Communications, Space & Technology Commission (CST) of Saudi Arabia has issued the Cloud Computing Regulatory Framework (CCRF). The Regulatory Framework applies to the cloud computing services provided to subscribers residing in or having a subscriber’s address in the Kingdom and establishes a number of security and privacy requirements. For more information, see https://www.cst.gov.sa/en/RulesandSystems/RegulatoryDocuments/ Documents/CCRF_En.pdf

     
    Cyber Essentials
    Cyber Essentials
    Cyber Essentials

    The Cyber Essentials is a UK government scheme intended to help participating organizations protect themselves against a whole range of the most common cyber-attacks. The scheme intends to establish more rigorous testing of the organization’s cyber security systems where cyber security experts carry out vulnerability tests to make sure the organization is protected against basic hacking and phishing attacks. For more information, see https://www.ncsc.gov.uk/cyberessentials/overview

    yes
    yes
    yes
     
    DESC CSPSS
    Dubai Electronic Security Center (DESC) Cloud Service Provider (CSP) Security Standard
    DESC CSPSS

    The Cloud Service Provider (CSP) Security Standard produced by Dubai Electronic Security Center (DESC) is a set of requirements and guidance for CSPs and organizations using cloud services.
    The CSP Security Standard includes requirements for alignment to international best practices for cloud services, which are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 27002:2013; ISO/IEC 27017:2015; ISR:2017 v.02 and CSA Cloud Control Matrix 3.0.1. For more information, see https://www.desc.gov.ae/regulations/certifications/

    yes
    yes
    ENS
    Esquema Nacional de Seguridad (Law 11/2007)
    ENS

    Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with the ISO/IEC 27001 Standard, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. For more information, see https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/pae_Seguridad_Inicio/pae_Esquema_Nacional_de_Seguridad.html?idioma=en#.YH9f2edlCUm

    yes
    yes
    yes
     
    EU Cloud CoC
    European Union (EU) Cloud Code of Conduct
    EU Cloud CoC

    'The European Union (EU) Cloud Code of Conduct is a set of requirements that can help Cloud Service Provider (CSPs) document their controls in relation to the European Union's General Data Protection Regulation (GDPR). The EU’s intention is "to make it easier for cloud customers to determine whether certain cloud services are appropriate for their designated purpose". For more information, see https://eucoc.cloud/en/about/about-eu-cloud-coc/

    yes
    yes
    HDS
    Hébergeur de Données de Santé
    HDS

    Hébergeur de Données de Santé (HDS) is a formal certification required by French laws. It is required for any commercial organizations who control, store, process, or transmit personally identifiable healthcare information in France. For more information, see https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante

    yes
    yes
    yes
    TISAX
    Trusted Information Security Assessment Exchange
    TISAX

    The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants. It is maintained by the ENX Association, an organization consisting of automobile manufacturers, suppliers and national automotive associations. For more information, see https://enx.com/en-US/TISAX/

    yes
    yes
    UAE IAR Information Security Requirements
    United Arab Emirates (UAE) Information Assurance Regulation (IAR) Information Security Requirements
    UAE IAR Information Security Requirements

    The United Arab Emirates (UAE) Telecommunication Regulatory Authority (TRA) has issued Information Assurance Regulation (IAR) to provide information security requirements for the critical infrastructure sectors in UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. For more information, see https://www.tdra.gov.ae/en/about-tra/telecommunication-sector/regulations-and-ruling/details.aspx#documents

    yes
    yes

    Asia Pacific

    Attestation

    Oracle Cloud Infrastructure

    Oracle Applications

    NetSuite

    Oracle Industries

    Oracle Health

    Hosting Certification Framework
    Australia Hosting Certification Framework (the Framework)
    Hosting Certification Framework

    The Australian Government’s Hosting Certification Framework is intended to provide “guidance to Australian Government customers enabling them to identify and source hosting services that meet enhanced privacy, sovereignty and security requirements.” For more information, see https://www.hostingcertification.gov.au/framework

    yes
    IRAP
    Information Security Registered Assessor Program
    IRAP

    The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative. IRAP is the assessors' program developed by the Australian government Cyber Security Centre (ASD/ACSC) for assessing cloud services for government and non-government agency use. It is intended “to provide the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments”. For more information, see https://www.cyber.gov.au/irap

    yes
    yes
     
    ISMAP
    Information System Security Management and Assessment Program
    ISMAP

    The Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. It is intended “to enable a common set of security standards for the Cloud Service Provider (CSP) to comply as baseline requirements for government procurement.” For more information, see https://www.oracle.com/jp/cloud/compliance/ismap/

    yes
    ISMS (formerly K-ISMS)
    Information Security Management System
    ISMS (formerly K-ISMS)

    The Korean Information Security Management System (formerly K-ISMS, now ISMS) is a country-specific ISMS framework. It is intended to define a set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets. For more information, see https://elaw.klri.re.kr/eng_service/ebook.do?hseq=38422#68

    yes
    MeitY IT Security Guidelines
    Ministry of Electronics and Information Technology (MeitY) Information Technology (IT) Security Guidelines
    MeitY IT Security Guidelines

    India's Ministry of Electronics and Information Technology (MeitY) has defined the Information Technology Security Guidelines as a set of standards and guidelines that cloud services can be certified against in areas including security, interoperability, data portability, service level agreement, contractual terms and conditions. These guidelines are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 20000:1; ISO/IEC 27017:2015; ISO/IEC 27018:2014; and TIA-942/ UPTIME (Tier III or higher). For more information, see https://www.meity.gov.in/writereaddata/files/act2000_0.pdf

    yes
    MTCS
    Singapore Multi-Tier Cloud Security Standard
    MTCS

    The Multi-Tier Cloud Security (MTCS) Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA). It is intended “to promote and facilitate national programs to standardize IT and communications, and Singapore's participation in international standardization activities.” For more information, see https://www.imda.gov.sg/regulations-and-licensing-listing/ict-standards-and-quality-of-service/it-standards-and-frameworks/compliance-and-certification

    yes
    yes
    OSPAR
    Outsourced Service Provider’s Audit Report (OSPAR)
    OSPAR

    The Association of Banks in Singapore (“ABS”) provides Guidelines on Control Objectives and Procedures for the Financial Institution’s Outsourced Service Providers (“OSPs”) operating in Singapore. ABS defines guidance for providers of outsourced services which are material to banks or have access to the financial institution clients’ information. For more information, refer https://www.abs.org.sg/industry-guidelines/outsourcing

    yes

    Advisories and General Information

    Oracle provides general information about some of the compliance frameworks listed below in the form of “advisories.” These advisories are provided to help you in your determination of the suitability of using specific Oracle cloud services as well as to assist you in implementing specific technical controls that may help you meet your compliance obligations. These advisories are not legal advice and you remain solely responsible for determining if a specific Oracle cloud service or configuration, or both, meets your legal and regulatory obligations.

    Region Country Advisories
    Global  

    GxP Good Practice Guidelines

    GxP Good Practice Guidelines
    The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include Food & Drug Administration (FDA) in the US, Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see https://www.fda.gov/drugs/guidance-compliance-regulatory-information.

    Americas Brazil

    Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements

    Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements
    The Central Bank of Brazil (BACEN) issued Resolution No. 4,893 of February 26, 2021, which describes several digital service requirements for regulated financial institutions, including cybersecurity policy, contracting data processing, storage, and cloud computing services. This Resolution is intended to guide financial institutions in evaluating cloud service providers and establish controls to manage this relationship. For more information, see https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolução CMN&numero=4893

    Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18

    Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18
    Brazil’s Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18 was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see https://www.gov.br/esporte/pt-br/acesso-a-informacao/lgpd

    Canada

    Canadian Security Requirements for Protected B information

    Canadian Security Requirements for Protected B information
    Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. For more information, see https://www.tpsgc-pwgsc.gc.ca/esc-src/protection-safeguarding/niveaux-levels-eng.html

    Office of the Superintendent of Financial Institutions (OSFI) Guideline: Outsourcing of Business Activities, Functions and Processes (No. B-10)

    Office of the Superintendent of Financial Institutions (OSFI) Guideline: Outsourcing of Business Activities, Functions and Processes (No. B-10)
    The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Canadian government that supervises and regulates federally registered financial institutions in Canada. As part of its role as a regulator, OSFI publishes guidelines for financial institutions. Guideline B-10 on Outsourcing of Business Activities, Functions and Processes (Guideline B-10) was first issued by OSFI in 2001 and revised in 2009. It sets out expectations for federally regulated entities (FREs) that outsource business activities to service providers. These expectations serve as prudent practices, procedures or standards that should be applied according to the characteristics of the outsourcing arrangement and the circumstances of each entity. For more information, see https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b10.aspx

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    Personal Information Protection and Electronic Documents Act (PIPEDA)
    The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It is intended “to governs how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

    Mexico

    Circular Única de Seguros y Fianzas (CUSF)

    Circular Única de Seguros y Fianzas (CUSF)
    Law on Insurance and Surety institutions (LISF) and Circular Única de Seguros y Fianzas (CUSF) Provides guidelines to financial institutions on outsourcing of services, audit rights, compliance, security, business continuity and subcontracting. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LISF.pdf
    https://www.gob.mx/cnsf/documentos/circular-unica-de-seguros-y-fianzas

    Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO)

    Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO)
    Mexico’s General Law for the Protection of Personal Data in Possession of Obliged Subjects (LGPDPPSO) applies to data processing by ‘Obliged Subjects’, i.e., governmental entities at the Mexican federal, state and municipal levels, including authorities, agencies or bodies of the Executive, Legislative or Judicial branches, as well as autonomous bodies, political parties, trusts and public funds. The stated purpose of the LGPDPPSO is to establish principles for guaranteeing the right to the protection of personal data including the right to access, rectification, deletion and opposition to the data processing. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LGPDPPSO.pdf

    Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB)

    Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB)
    Disposiciones de Carácter General Aplicables a las Instituciones de Crédito (LIC) & Circular única de bancos (CUB) defines rules on corporate governance and internal controls for banking services and the organisation and operation of banking institutions. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley de Instituciones de Crédito.pdf
    https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las instituciones de crédito.pdf

    Ley del Mercado de Valores (LMV)

    Ley del Mercado de Valores (LMV)
    The Ley del Mercado de Valores (LMV) sets forth the general operational framework for securities-related commercial acts, and the general rules and regulations issued by the National Banking Securities Commission, the Central Bank and the Stock Exchange. These include requirements for monitoring of service, subcontracting, confidentiality, audit and access rights, business continuity and data portability. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley del Mercado de Valores.pdf
    https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las casas de bolsa.pdf

    Ley Para Regular Las Instituciones De Tecnologia Financiera

    Ley Para Regular Las Instituciones De Tecnologia Financiera
    National Banking Securities Commission, Mexican Central Bank and Ministry of Finance in Mexico issued a 2018 Law (“Fintech Law”) to regulate financial technology institutions and to provide guidance to crowdfunding institutions, electronic money institutions and innovative model startups for conducting fintech operations in Mexico. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley para Regular las Instituciones de Tecnología Financiera.pdf

    United States

    California Consumer Privacy Act (CCPA)

    California Consumer Privacy Act (CCPA)
    The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:

    • The right of Californians to know what personal information is being collected about them.
    • The right of Californians to know whether their personal information is sold or disclosed and to whom.
    • The right of Californians to say no to the sale of personal information.
    • The right of Californians to access their personal information.
    • The right of Californians to equal service and price, even if they exercise their privacy rights.
    For more information, see https://cppa.ca.gov/regulations/pdf/cppa_act.pdf

    Criminal Justice Information Services Security Policy (CJIS)

    Criminal Justice Information Services Security Policy (CJIS)
    The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls to protect sources, transmission, storage and access to data. For more information, see https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

    Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012

    Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012
    The Defense Federal Acquisition Regulation Supplement (DFARS) encompasses the Department of Defense (DoD) requirements for contractors and suppliers to follow when providing cloud computing services in the performance of a covered contract. For more information, see https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS_252.204-7010

    Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

    Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
    The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see https://www.ffiec.gov/cyberassessmenttool.htm.

    Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503

    Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503
    The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503 Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see https://www.dni.gov/files/documents/ICD/ICD-503.pdf.

    Internal Revenue Service (IRS) Publication 1075

    Internal Revenue Service (IRS) Publication 1075
    The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. The intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see https://www.irs.gov/pub/irs-pdf/p1075.pdf

    International Traffic in Arms Regulations (ITAR)

    International Traffic in Arms Regulations (ITAR)
    The International Traffic in Arms Regulations (ITAR) is a US requirement. It is intended to restrict and control the export of defense and military related technologies to safeguard US national security and further US foreign policy objectives. For more information, see https://www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii

    Minimum Acceptable Risk Standards for Exchanges (MARS-E)

    Minimum Acceptable Risk Standards for Exchanges (MARS-E)
    The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handing of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US Citizens. For more information, see https://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20

    NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

    NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see https://csrc.nist.gov/pubs/sp/800/171/r3/final

    North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

    North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
    The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see https://www.nerc.com/comm/RSTC/Pages/default.aspx

    Securities and Exchange Commission (SEC Rule 17a-4(f)), Financial Industry Financial Authority (FINRA Rule 4511(c)), and Commodities Futures Trading Commission (CFTC Rule 1.31(c)-(d)) Electronic Records Retention Requirements

    Securities and Exchange Commission (SEC Rule 17a-4(f)), Financial Industry Financial Authority (FINRA Rule 4511(c)), and Commodities Futures Trading Commission (CFTC Rule 1.31(c)-(d)) Electronic Records Retention Requirements
    Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention by the Securities and Exchange Commission (SEC), the Financial Industry Financial Authority (FINRA), and the Commodities Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources: SEC 17a-4(f) - https://www.sec.gov/rules/interp/34-47806.htm
    FINRA Rule 4511(c) - https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
    CFTC Rule 1.31(c)-(d) - https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm

    Europe, Middle East, and Africa European Union

    Digital Operational Resilience Act (DORA)

    Digital Operational Resilience Act (DORA)
    The Digital Operational Resilience Act (DORA) was adopted as European Union (EU) Regulation 2022/2554 to establish rules governing the use of information and communication technology (ICT) by financial entities operating in the EU. DORA aims to address the risks resulting from “increased digitalisation and interconnectedness” related to the use of ICT in the financial sector. It also creates an oversight framework for ICT service providers to the financial sector that are deemed critical. DORA provisions apply from 17 January 2025, to accommodate a 24-month implementation period. For more information, see: https://eur-lex.europa.eu/eli/reg/2022/2554/oj.

    Network and Information Security Directive II (NIS2)

    Network and Information Security Directive II (NIS2)
    In 2022, the EU enhanced its cybersecurity framework with the Network and Information Security Directive II (NIS2) . It builds on the original NIS directive (NIS1) in an attempt to address existing gaps and strengthen cybersecurity across the region. NIS2 defines measures for cybersecurity risk management and reporting, across sectors that include critical infrastructure and cloud providers. For more information, see https://eur-lex.europa.eu/eli/dir/2022/2555.

    European Banking Authority (EBA) Guidelines on Outsourcing Arrangements

    European Banking Authority (EBA) Guidelines on Outsourcing Arrangements
    The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions guidance for outsourcing arrangements such as cloud services. For more information, see https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

    European Union Agency for Cybersecurity (ENISA) Cloud Computing Information Assurance Framework

    European Union Agency for Cybersecurity (ENISA) Cloud Computing Information Assurance Framework
    European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supporting member state and other stakeholders of the union, when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

    • Assess the risk of adopting cloud services
    • Compare different cloud providers offerings
    • Obtain assurances from the selected cloud providers
    • Reduce the assurance burden on cloud providers
    For more information, see https://www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework

    General Data Protection Regulation (GDPR)

    General Data Protection Regulation (GDPR)
    The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to all entities processing data about EU residents, regardless of company location and /or locale of data storage. For more information, see https://ec.europa.eu/info/law/law-topic/data-protection_en

    Germany

    BaFin Guidance on Outsourcing to Cloud Service Providers

    BaFin Guidance on Outsourcing to Cloud Service Providers
    The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) is responsible for the supervision of banks, credit institutions, insurers, funds and financial institutions in Germany. BaFin and the Deutsche Bundesbank issued guidance on outsourcing with the intended goal “to create greater transparency into the supervisory assessment of the financial sector with outsources to cloud providers". For more information, see https://www.bafin.de/SharedDocs/Downloads/EN/Merkblatt/BA/
    dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba_en.html?nn=9866146

    IT Grundschutz

    IT Grundschutz
    The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) created a framework for information security (IT-Grundschutz). IT-Grunschutz comprises:

    • BSI Standard 200-1: provides the general requirements for an ISMS
    • BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
    • BSI Standard 200-3: contains all risk-related tasks
    • BSI Standard 100-4: covers Business Continuity Management (BCM)
    For more information, see https://www.bsi.bund.de

    Kritische Infrastrukturen - Abschnitt 8a

    Kritische Infrastrukturen - Abschnitt 8a
    The German Federal Government office for Information Security (BSI) issued Section 8a of BSIG (Act on the Federal Office for Information Security) that pertains to Kritis which stands for “Kritische Infrastruckturen” or critical infrastructures. It provides guidelines for identifying critical infrastructures, conducting risk assessments, implementing security measures, reporting incidents, undergoing audits & continuously improving security to safeguard essential services in Germany. For more information, see https://www.gesetze-im-internet.de/bsig_2009/BJNR282110009.html

    Kenya

    Guidelines on Cybersecurity for Payment Service Providers

    Guidelines on Cybersecurity for Payment Service Providers
    The Central Bank of Kenya has issued cybersecurity guidelines for Payment Service Providers (PSPs) related to risk assessment, data protection, incident response, and third-party security. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2019/07/GuidelinesonCybersecurityforPSPs.pdf

    Prudential Guidelines for Institutions Licensed under the Banking Act

    Prudential Guidelines for Institutions Licensed under the Banking Act
    Under Section 33(4) of the Banking Act, the Central Bank of Kenya has issued guidelines for institutions. Some of these guidelines are intended to establish minimum standards of data and network security and business continuity. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

    Prudential Guideline on Outsourcing (CBK/PG/16)

    Prudential Guideline on Outsourcing (CBK/PG/16)
    As part of its supervisory function, the Central Bank of Kenya issued Prudential Guidelines for Institutions Licensed Under the Banking Act, which includes guidance on Outsourcing (CBK/PG/16). The Guideline applies to all licensed banks which outsource activities.  They encompass outsourcing policies, governance, risk management, business continuity, data security, and contracts with service providers. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

    Kuwait

    Cloud Computing Regulatory Framework (CITRA CCRF)

    Cloud Computing Regulatory Framework (CITRA CCRF)
    Kuwait’s Communication and Information Technology Regulatory Authority established a framework to govern the use of cloud computing services within Kuwait. It provides guidelines for data protection, privacy, and security, facilitating the adoption of cloud services. For more information, see https://www.citra.gov.kw/sites/en/LegalReferences/Cloud_computing_regulatory_framework.pdf

    Netherlands

    Government Information Security Baseline (BIO)

    Government Information Security Baseline (BIO)
    Baseline informatiebeveiliging overheid (BIO) is an information security standard for the Dutch public sector, including government agencies, municipalities, provinces and water boards. It is based on internationally accepted standards and best practices in information security, such as ISO 27001 and ISO 27002. Since BIO was issued by the Ministerial Board, BIO is the sole baseline for the entire government. For more information, see https://bio-overheid.nl/media/1572/bio-versie-104zv_def.pdf

    NEN 7510 Information Security Management in Healthcare

    NEN 7510 Information Security Management in Healthcare
    The NEN 7510 standard was developed by the Royal Netherlands Standardization Institute (Stichting Koninklijk Nederlands Normalisatie Instituut, or NEN). Nen 7510 provides guidelines and basic principles for the determining, establishing and maintaining of measures for health care organisations to secure the health information. For more information, see https://www.nen.nl/en/nen-7510-1-2017-a1-2020-nl-267179

    Wet op het financieel toezicht or Wft

    Wet op het financieel toezicht or Wft
    The Financial Supervision Act (FSA) in the Netherlands serves as a comprehensive regulatory framework to uphold the stability and integrity of the financial system. The WFT comprises a large number of rules and regulations for financial markets and their supervision, including Good Practices Outsourcing Insurers and Good Practices for Managing Outsourcing Risks. For more information, see https://wetten.overheid.nl/BWBR0020368/2023-07-01

    Good Practices Outsourcing Insurers - https://www.dnb.nl/media/rikf4hxv/good-practice-outsourcing-insurers.pdf

    Good Practices for Managing Outsourcing Risks - https://www.dnb.nl/en/sector-information/open-book-supervision/open-book-supervision-themes/prudential-supervision/governance/good-practices-for-managing-outsourcing-risks/

    Norway

    Forskrift om bruk av informasjons- og kommunikasjonsteknologi

    Forskrift om bruk av informasjons- og kommunikasjonsteknologi
    The Norwegian regulations on the use of Information and Communication Technology (ICT) provides guidelines to ensure responsible and secure utilization of digital tools and platforms. These regulations prioritize data protection, privacy, cybersecurity, and accessibility across both public and private sectors. For more information, see https://lovdata.no/dokument/SF/forskrift/2003-05-21-630

    Veiledning om utkontraktering

    Veiledning om utkontraktering
    Circular 7/2021 issued by Norwegian Financial Supervisory Authority (Finanstilsynet) provides guidelines on outsourcing activities and promotes responsible business practices. For more information, see https://www.finanstilsynet.no/contentassets/9f76ac1a390a44218b285b61bb13e19a/veiledning-om-utkontraktering.pdf

    Saudi Arabia

    National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)

    National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
    The National Cybersecurity Authority (NCA) developed the Essential Cyber Security Controls (ECC) to define the minimum set of cyber security requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for information and technology assets in the organizations. For more information, see https://nca.gov.sa/ecc-en.pdf.

    Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF)

    Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF)
    The Cyber Security Framework was developed by Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cyber security. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf

    Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing

    Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing
    Saudi Arabian Monetary Authority (SAMA) is the central bank of the Kingdom of Saudi Arabia and the supervisory authority for banks, payment providers, insurance companies, finance companies and credit bureaus operating within the Kingdom. The SAMA Rules on Outsourcing apply to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), and require these banks to appropriately manage risks arising from outsourcing, including ensuring their outsourcing arrangements are subject to appropriate due diligence, approval and ongoing monitoring. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/FinanceRules/Outsourcing%20Rules%20-%20Revised%20v2%20Final%20Draft-Dec-2019.pdf

    South Africa

    Directive 159.A.i

    Directive 159.A.i
    The Financial Services Board of South Africa, part of the Financial Sector Conduct Authority, implemented Directive 159.A.i, which specifies the rules applicable to outsourcing by insurers in South Africa. For more information, see https://www.fsca.co.za/Enforcement-Matters/Directives/Forms/DispForm.aspx?ID=436.

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G5/2014)

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G5/2014)
    The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 5 of 2014 (G5/2014). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2014/6320.

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G4/2017)

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G4/2017)
    The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 4 of 2017 (G4/2017). For more information, see https://www.resbank.co.za/content/dam/sarb/publications/prudential-authority/pa-deposit-takers/banks-guidance-notes/2017/7803/G4-of-2017.pdf.

    Protection of Personal Information Act (POPIA)

    Protection of Personal Information Act (POPIA)
    The Protection of Personal Information Act (POPIA) is a South African law intended to "promote the protection of personal information processed by public and private bodies." POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information. For more information, see https://www.justice.gov.za/legislation/acts/2013-004.pdf

    Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018)

    Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018)
    The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued a directive pertaining to cloud computing and offshoring of data in the financial services sector referred to as Directive 3 of 2018 (D3/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-directives/2018/8749.

    Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018)

    Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018)
    The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued guidance pertaining to cloud computing and offshoring of data in the financial services sector referred to as Guidance Note 5 of 2018 (G5/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2018/8747.

    Spain

    Pinakes

    Pinakes
    Created by the Centre for Interbank Cooperation (CCI), a non-profit professional association, Pinakes is a platform that provides qualification, management and monitoring of services to financial service providers. It is intended to allow organisations to verify the levels of cybersecurity of the services they use, enable vendors to demonstrate their security benefits to customers, and help organisations comply with EBA’s supplier security assessment guidelines. For more information, see https://asociacioncci.es/pinakes/

    Switzerland

    Financial Market Supervisory Authority (FINMA) Circular 2018/3

    Financial Market Supervisory Authority (FINMA) Circular 2018/3
    The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 Outsourcing—banks and insurers sets a number of requirements for financial services organizations when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en.

    United Arab Emirates

    United Arab Emirates (UAE) Federal Law No. 2 of 2019

    United Arab Emirates (UAE) Federal Law No. 2 of 2019
    The United Arab Emirates issued Federal Law No. 2 of 2019 on 6 February 2019 Concerning the Use of the Information and Communication Technology ("ICT") in Health Fields (“Health Data Law”). The Health Data Law applies to all ICT methods and usages in the health fields in the UAE, including free zones. The Law aims at the following: (1) ensuring the optimal use of the ICT in health fields; (2) ensuring compatibility of the principles, standards, and practices applicable in the State with their internally recognized counterparts; (3) enabling the Ministry of Health and Prevention to collect, analyze and keep the health information at the UAE level; and (4) ensuring the safety and security of health data and information. For more information, see https://mohap.gov.ae/app_content/legislations/php-law-en-77/mobile/index.html.

    United Kingdom

    Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation)

    Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation)
    The Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 (Solvency II Delegated Regulation) forms part of the framework for a solvency and supervisory regime for insurers and reinsurers. It sets out organizational requirements and procedures for various matters including outsourcing arrangements. The UK version of the Solvency II Delegated Regulation became part of UK law by virtue of the European Union (Withdrawal) Act 2018 and related legislation. For more information, see https://www.legislation.gov.uk/uksi/2019/407/contents/made

    ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014

    ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014
    The European Securities and Markets Authority (ESMA) and European Union have issued Markets in Financial Instruments Directive II (MiFID 2) and associated Markets in Financial Instruments (MiFIR) Regulation (EU) No 600/2014 to promote fairer, safer and more efficient markets and facilitate greater transparency for all participants. For more information, see https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii

    Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance

    Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance
    The Financial Conduct Authority (FCA) is responsible for the authorization and conduct supervision of financial institutions in the UK. The FCA Handbook sets out the FCA’s legislative and other provisions made under powers given to it by the Financial Services and Markets Act 2000. The Senior Management Arrangements, Systems and Controls (SYSC) and Supervision (SUP) parts of the FCA Handbook contain rules and guidance relevant to outsourcing arrangements. For more information, see https://www.handbook.fca.org.uk/.

    National Cyber Security Centre IT Health Check (ITHC)

    National Cyber Security Centre IT Health Check (ITHC)
    The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance.

    Prudential Regulation Authority’s Supervisory Statement 2/21 (PRA SS2/21) on Outsourcing and Third-Party Risk Management

    Prudential Regulation Authority’s Supervisory Statement 2/21 (PRA SS2/21) on Outsourcing and Third-Party Risk Management
    The Prudential Regulation Authority (PRA) is responsible for prudential supervision of banks, insurance companies, building societies, credit unions and major investment firms in the UK. The PRA’s remit includes supervising firms’ outsourcing and other third-party arrangements. The PRA’s Supervisory Statement 2/21 on outsourcing arrangements and third-party risk management published on 29 March 2021 (SS2/21) sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management. For more information, see https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss.

    UK Government G-Cloud Framework

    UK Government G-Cloud Framework
    The UK Government G-Cloud is a procurement initiative for streamlining cloud-computing procurement by public-sector bodies in departments of the UK government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see https://www.gov.uk/digital-marketplace.

    UK National Cyber Security Centre (NCSC) Cloud Security Principles

    UK National Cyber Security Centre (NCSC) Cloud Security Principles
    The UK National Cyber Security Centre (NCSC) is chartered to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles.

    UK NHS Data Security and Protection Toolkit (DSPT)

    UK NHS Data Security and Protection Toolkit (DSPT)
    The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. For more information, see https://www.dsptoolkit.nhs.uk/.

    Asia Pacific Australia

    Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231

    Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231
    The Australian Prudential Regulation Authority (APRA) is the regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published a Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see https://www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf.

    Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234

    Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234
    The Australian Prudential Regulation Authority (APRA) regulates financial services in Australia. APRA issued standards that regulate banks, credit unions, and insurance companies. APRA’s Prudential Standard CPS 234 defines requirements for entities to implement information security measures to protect their information assets, including the handling of data breaches and cybersecurity incidents. For more information, see https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

    Hong Kong

    Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1

    Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1
    The Hong Monetary Authority (HKMA) sets out minimum standards for authorized institutions (AIs) to attain to satisfy requirements and best practices for the Banking Ordinance that regulates banking business. The Supervisory Policy TM-G-1 General Principles for Technology Risk Management is guidance which the HKMA expects regulated entities to consider when managing technology-related risks. For more information, see: https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf

    Hong Kong Monetary Authority (HKMA) Outsourcing SA-2

    Hong Kong Monetary Authority (HKMA) Outsourcing SA-2
    The Hong Monetary Authority (HKMA) sets out minimum standards that authorized institutions (AIs) must attain to satisfy requirements and best practices for the Banking Ordinance that regulates banking business.  The Supervisory Policy Manual Outsourcing SA-2 is the approach to risk management when outsourcing and the major points which the HKMA recommends that regulated entities address when outsourcing activities.  For more information, see: https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf

    India

    ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act

    ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act
    The Companies Act 2013 regulates the formation and functioning of corporations or companies in India. Administered by the Ministry of Corporate Affairs (MCA), the law governs incorporation, dissolution and the running of companies and defines requirements for corporate governance. Subsequently, the Auditing and Assurance Standards Board of The Institute of Chartered Accountants of India (ICAI) issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” on March 2023. Rule 11(g) focuses on reporting on the use of accounting software for maintaining a company’s books of accounts, including audit trails. For more information about the Companies Act, see https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf. For more information about ICAI’s Rule11(g) guidance, see https://resource.cdn.icai.org/73438aasb59254.pdf 

    Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers

    Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
    The Insurance Regulatory and Development Authority of India (IRDAI) issued IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see https://irdai.gov.in/document-detail?documentId=822221.

    Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018)

    Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018)
    The Reserve Bank of India (RBI) issued a set of guidelines for Primary (Urban) Cooperative Banks (UCBs) to enhance security and resilience, protecting their assets against cyber security attacks on a continuous basis. It highlights the need to implement a robust cyber security/resilience framework and recommends specific security controls to support adequate cyber security preparedness. For more information see: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397&Mode=0.

    Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016)

    Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016)
    The Reserve Bank of India has provided guidelines on Cyber Security Framework vide circular DBS. CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016. These guidelines are intended as a robust cyber security/resilience framework to ensure adequate cyber-security preparedness among banks on a continuous basis. The RBI Guidelines related to Cyber Security framework will enable banks to formalize and adopt cyber security policy and cyber crisis management plan. For more information see: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0.

    Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds

    Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
    The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf.

    Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006)

    Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006)
    The Guidelines on Managing Risk and Code of Conduct in Outsourcing of Financial Services by banks is intended to address the RBI’s expectations for banks managing the risks in outsourcing to third-parties. The RBI guidelines provide specific guidance on risk management practices for outsourced financial services and foreign outsourcing of financial services. For more information see: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.PDF

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)
    The guidelines are intended to ensure depositories do not outsource their Core and critical activities, ensure proper audit of implementation of risk assessment and mitigation measures, monitor and have checks and overall controls over the outsourced entity on a real-time basis. For information see: https://www.sebi.gov.in/legal/circulars/dec-2015/outsourcing-by-depositories_31219.html

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017)

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017)
    The Circular on Outsourcing of activities by Stock Exchanges and Clearing Corporations provide specific guidance on: due diligence, sub-contracting, contracts with service providers, monitoring of the service provider’s performance, business continuity, confidentiality, termination, access to information and other records and audit. For information see: https://www.sebi.gov.in/legal/circulars/sep-2017/outsourcing-of-activities-by-stock-exchanges-and-clearing-corporations_35932.html

    Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011)

    Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011)
    The Guidelines on Outsourcing of activities by Intermediaries provide specific guidance on: audit rights, confidentiality and data security, monitoring outsourced services, subcontracting and business continuity. For more information, see https://www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html

    Japan

    Financial Industry Information Systems (FISC) Security Guidelines

    Financial Industry Information Systems (FISC) Security Guidelines
    The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions. For more information, see https://www.fisc.or.jp

    National Center of Incident Readiness and Strategy for Cybersecurity (NISC)

    National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
    The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government related organizations that handle large volumes of personal information in and out of the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. For more information, see https://www.nisc.go.jp/eng/

    Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act

    Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act
    The My Number Act, issued by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. The intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see https://www.ppc.go.jp/files/pdf/en3.pdf.

    Three Ministries Guidelines: Healthcare Sector

    Three Ministries Guidelines: Healthcare Sector
    Three Japanese Ministries provide guidance for the healthcare sector. Each Ministry has their own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information on guidelines see, The Safety Management Guideline for Information Systems and Service Providers Handling Medical Information - https://www.meti.go.jp/policy/mono_info_service/healthcare/01gl_20230707.pdf

    Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank

    Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank
    The Financial Services Agency (FSA) in Japan provides comprehensive guidelines on risk management, corporate governance, compliance, internal controls, financial and supervisory reporting for the supervision of major banks. For more information, see https://www.fsa.go.jp/common/law/guide/kantokushishin.pdf

    Malaysia

    Risk Management in Technology (RMiT)

    Risk Management in Technology (RMiT)
    Bank Negara Malaysia regulates the risk management practices in technology for the financial services sector in Malaysia. The RMiT guidelines are intended to provide banks a framework to effectively manage technology related risks in areas such as cybersecurity, operational risk, data governance, cloud risk management and emerging technologies. For more information, see https://www.bnm.gov.my/documents/20124/938039/PD-RMiT-June2023.pdf

    Singapore

    Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide

    Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide
    The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see https://abs.org.sg/industry-guidelines/outsourcing

    Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines

    Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines
    The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-january-2021.pdf.

    Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655

    Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655
    The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/notices/pdf/mas-notice-655.pdf.

    South Korea

    Financial Security Initiative (FSI) Cloud Guidelines

    Financial Security Initiative (FSI) Cloud Guidelines
    The Financial Security Initiative (FSI) issued its Guidelines on the Use of Cloud Computing Services in the Financial Industry in 2019. The guidelines provide procedures and security measures that financial companies in Korea are required to implement when employing the use of cloud services. For more information, see https://www.fsec.or.kr/en.

    Thailand

    Bank of Thailand Regulation on IT Outsourcing for Business Operations of Financial Institutions (No. FPG. 19/2559)

    Bank of Thailand Regulation on IT Outsourcing for Business Operations of Financial Institutions (No. FPG. 19/2559)
    The Bank of Thailand introduced regulations for outsourcing in financial institutions that include requirements for obtaining prior approval, conducting risk assessments, conducting due diligence on suppliers, outsourcing contracts, monitoring supplier performance, establishing business continuity plans and ensuring compliance with data protection laws. For more information, see https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2560/ThaiPDF/25600035.pdf.

    Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party (No. Tor Thor. 60/2561)

    Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party (No. Tor Thor. 60/2561)
    The Capital Market Supervisory Board issued regulations regarding the outsourcing of securities and derivative transactions to third parties that specify the requirements, conditions and procedures for outsourcing and contain provisions for the selection and monitoring of service providers. For more information, see https://publish.sec.or.th/nrs/7820s.pdf