Oracle Cloud Compliance

GxP Good Practice Guidelines

The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include Food & Drug Administration (FDA) in the US, Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see https://www.fda.gov/drugs/guidance-compliance-regulatory-information.

Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements

The Central Bank of Brazil (BACEN) issued Resolution No. 4,893 of February 26, 2021, which describes several digital service requirements for regulated financial institutions, including cybersecurity policy, contracting data processing, storage, and cloud computing services. This Resolution is intended to guide financial institutions in evaluating cloud service providers and establish controls to manage this relationship. For more information, see https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolução CMN&numero=4893

Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18

Brazil’s Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18 was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see https://www.gov.br/esporte/pt-br/acesso-a-informacao/lgpd

Office of the Superintendent of Financial Institutions (OSFI) Guideline: Outsourcing of Business Activities, Functions and Processes (No. B-10)

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Canadian government that supervises and regulates federally registered financial institutions in Canada. As part of its role as a regulator, OSFI publishes guidelines for financial institutions. Guideline B-10 on Outsourcing of Business Activities, Functions and Processes (Guideline B-10) was first issued by OSFI in 2001 and revised in 2009. It sets out expectations for federally regulated entities (FREs) that outsource business activities to service providers. These expectations serve as prudent practices, procedures or standards that should be applied according to the characteristics of the outsourcing arrangement and the circumstances of each entity. For more information, see https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b10.aspx

Personal Information Protection and Electronic Documents Act (PIPEDA)

Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It is intended “to governs how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

Circular Única de Seguros y Fianzas (CUSF)

Law on Insurance and Surety institutions (LISF) and Circular Única de Seguros y Fianzas (CUSF) Provides guidelines to financial institutions on outsourcing of services, audit rights, compliance, security, business continuity and subcontracting. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LISF.pdf
https://www.gob.mx/cnsf/documentos/circular-unica-de-seguros-y-fianzas

Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO)

Mexico’s General Law for the Protection of Personal Data in Possession of Obliged Subjects (LGPDPPSO) applies to data processing by ‘Obliged Subjects’, i.e., governmental entities at the Mexican federal, state and municipal levels, including authorities, agencies or bodies of the Executive, Legislative or Judicial branches, as well as autonomous bodies, political parties, trusts and public funds. The stated purpose of the LGPDPPSO is to establish principles for guaranteeing the right to the protection of personal data including the right to access, rectification, deletion and opposition to the data processing. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LGPDPPSO.pdf

Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB)

Carácter General Aplicables a las Instituciones de Crédito (LIC) & Circular única de bancos (CUB) defines rules on corporate governance and internal controls for banking services and the organisation and operation of banking institutions. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley de Instituciones de Crédito.pdf
https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las instituciones de crédito.pdf

Ley del Mercado de Valores (LMV)

The Ley del Mercado de Valores (LMV) sets forth the general operational framework for securities-related commercial acts, and the general rules and regulations issued by the National Banking Securities Commission, the Central Bank and the Stock Exchange. These include requirements for monitoring of service, subcontracting, confidentiality, audit and access rights, business continuity and data portability. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley del Mercado de Valores.pdf
https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las casas de bolsa.pdf

Ley Para Regular Las Instituciones De Tecnologia Financiera

National Banking Securities Commission, Mexican Central Bank and Ministry of Finance in Mexico issued a 2018 Law (“Fintech Law”) to regulate financial technology institutions and to provide guidance to crowdfunding institutions, electronic money institutions and innovative model startups for conducting fintech operations in Mexico. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley para Regular las Instituciones de Tecnología Financiera.pdf

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:

• The right of Californians to know what personal information is being collected about them.
• The right of Californians to know whether their personal information is sold or disclosed and to whom.
• The right of Californians to say no to the sale of personal information.
• The right of Californians to access their personal information.
• The right of Californians to equal service and price, even if they exercise their privacy rights.

For more information, see https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf

Criminal Justice Information Services Security Policy (CJIS)

The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls to protect sources, transmission, storage and access to data. For more information, see https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012

The Defense Federal Acquisition Regulation Supplement (DFARS) encompasses the Department of Defense (DoD) requirements for contractors and suppliers to follow when providing cloud computing services in the performance of a covered contract. For more information, see https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS_252.204-7010

Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see https://www.ffiec.gov/cyberassessmenttool.htm.

Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503

The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503 Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see https://www.dni.gov/files/documents/ICD/ICD-503.pdf.

Internal Revenue Service (IRS) Publication 1075

The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. The intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see https://www.irs.gov/pub/irs-pdf/p1075.pdf

International Traffic in Arms Regulations (ITAR)

The International Traffic in Arms Regulations (ITAR) is a US requirement. It is intended to restrict and control the export of defense and military related technologies to safeguard US national security and further US foreign policy objectives. For more information, see https://www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii

Minimum Acceptable Risk Standards for Exchanges (MARS-E)

The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handing of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US Citizens. For more information, see https://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see https://csrc.nist.gov/pubs/sp/800/171/r3/final

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see https://www.nerc.com/comm/RSTC/Pages/default.aspx

Securities and Exchange Commission (SEC Rule 17a-4(f)), Financial Industry Financial Authority (FINRA Rule 4511(c)), and Commodities Futures Trading Commission (CFTC Rule 1.31(c)-(d)) Electronic Records Retention Requirements

Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention by the Securities and Exchange Commission (SEC), the Financial Industry Financial Authority (FINRA), and the Commodities Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources: SEC 17a-4(f) - https://www.sec.gov/rules/interp/34-47806.htm
FINRA Rule 4511(c) - https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
CFTC Rule 1.31(c)-(d) - https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) was adopted as European Union (EU) Regulation 2022/2554 to establish rules governing the use of information and communication technology (ICT) by financial entities operating in the EU. DORA aims to address the risks resulting from “increased digitalisation and interconnectedness” related to the use of ICT in the financial sector. It also creates an oversight framework for ICT service providers to the financial sector that are deemed critical. DORA provisions apply from 17 January 2025, to accommodate a 24-month implementation period. For more information, see: https://eur-lex.europa.eu/eli/reg/2022/2554/oj.

Network and Information Security Directive II (NIS2)

In 2022, the EU enhanced its cybersecurity framework with the Network and Information Security Directive II (NIS2) . It builds on the original NIS directive (NIS1) in an attempt to address existing gaps and strengthen cybersecurity across the region. NIS2 defines measures for cybersecurity risk management and reporting, across sectors that include critical infrastructure and cloud providers. For more information, see https://eur-lex.europa.eu/eli/dir/2022/2555.

European Banking Authority (EBA) Guidelines on Outsourcing Arrangements

The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions guidance for outsourcing arrangements such as cloud services. For more information, see https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

European Banking Authority (EBA) Guidelines on Outsourcing Arrangements

European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supporting member state and other stakeholders of the union, when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

• Assess the risk of adopting cloud services
• Compare different cloud providers offerings
• Obtain assurances from the selected cloud providers
• Reduce the assurance burden on cloud providers

For more information, see https://www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework

General Data Protection Regulation (GDPR)

The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to all entities processing data about EU residents, regardless of company location and /or locale of data storage. For more information, see https://ec.europa.eu/info/law/law-topic/data-protection_en

BaFin Guidance on Outsourcing to Cloud Service Providers

The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) is responsible for the supervision of banks, credit institutions, insurers, funds and financial institutions in Germany. BaFin and the Deutsche Bundesbank issued guidance on outsourcing with the intended goal “to create greater transparency into the supervisory assessment of the financial sector with outsources to cloud providers”. For more information, see https://www.bafin.de/SharedDocs/Downloads/EN/Merkblatt/BA/
dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba_en.html?nn=9866146

IT Grundschutz

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) created a framework for information security (IT-Grundschutz). IT-Grunschutz comprises:

• BSI Standard 200-1: provides the general requirements for an ISMS
• BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
• BSI Standard 200-3: contains all risk-related tasks
• BSI Standard 100-4: covers Business Continuity Management (BCM)

For more information, see https://www.bsi.bund.de

Kritische Infrastrukturen - Abschnitt 8a

The German Federal Government office for Information Security (BSI) issued Section 8a of BSIG (Act on the Federal Office for Information Security) that pertains to Kritis which stands for “Kritische Infrastruckturen” or critical infrastructures. It provides guidelines for identifying critical infrastructures, conducting risk assessments, implementing security measures, reporting incidents, undergoing audits & continuously improving security to safeguard essential services in Germany. For more information, see https://www.gesetze-im-internet.de/bsig_2009/BJNR282110009.html

Guidelines on Cybersecurity for Payment Service Providers

The Central Bank of Kenya has issued cybersecurity guidelines for Payment Service Providers (PSPs) related to risk assessment, data protection, incident response, and third-party security. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2019/07/GuidelinesonCybersecurityforPSPs.pdf

Prudential Guidelines for Institutions Licensed under the Banking Act

Under Section 33(4) of the Banking Act, the Central Bank of Kenya has issued guidelines for institutions. Some of these guidelines are intended to establish minimum standards of data and network security and business continuity. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

Prudential Guideline on Outsourcing (CBK/PG/16)

As part of its supervisory function, the Central Bank of Kenya issued Prudential Guidelines for Institutions Licensed Under the Banking Act, which includes guidance on Outsourcing (CBK/PG/16). The Guideline applies to all licensed banks which outsource activities.  They encompass outsourcing policies, governance, risk management, business continuity, data security, and contracts with service providers. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

Cloud Computing Regulatory Framework (CITRA CCRF)

Kuwait’s Communication and Information Technology Regulatory Authority established a framework to govern the use of cloud computing services within Kuwait. It provides guidelines for data protection, privacy, and security, facilitating the adoption of cloud services. For more information, see https://www.citra.gov.kw/sites/en/LegalReferences/Cloud_computing_regulatory_framework.pdf

Government Information Security Baseline (BIO)

Baseline informatiebeveiliging overheid (BIO) is an information security standard for the Dutch public sector, including government agencies, municipalities, provinces and water boards. It is based on internationally accepted standards and best practices in information security, such as ISO 27001 and ISO 27002. Since BIO was issued by the Ministerial Board, BIO is the sole baseline for the entire government. For more information, see https://bio-overheid.nl/media/1572/bio-versie-104zv_def.pdf

NEN 7510 Information Security Management in Healthcare

The NEN 7510 standard was developed by the Royal Netherlands Standardization Institute (Stichting Koninklijk Nederlands Normalisatie Instituut, or NEN). Nen 7510 provides guidelines and basic principles for the determining, establishing and maintaining of measures for health care organisations to secure the health information. For more information, see https://www.nen.nl/en/nen-7510-1-2017-a1-2020-nl-267179

Wet op het financieel toezicht or Wft

The Financial Supervision Act (FSA) in the Netherlands serves as a comprehensive regulatory framework to uphold the stability and integrity of the financial system. The WFT comprises a large number of rules and regulations for financial markets and their supervision, including Good Practices Outsourcing Insurers and Good Practices for Managing Outsourcing Risks. For more information, see https://wetten.overheid.nl/BWBR0020368/2023-07-01

Good Practices Outsourcing Insurers - https://www.dnb.nl/media/rikf4hxv/good-practice-outsourcing-insurers.pdf

Good Practices for Managing Outsourcing Risks - https://www.dnb.nl/en/sector-information/open-book-supervision/open-book-supervision-themes/prudential-supervision/governance/good-practices-for-managing-outsourcing-risks/

Forskrift om bruk av informasjons- og kommunikasjonsteknologi

The Norwegian regulations on the use of Information and Communication Technology (ICT) provides guidelines to ensure responsible and secure utilization of digital tools and platforms. These regulations prioritize data protection, privacy, cybersecurity, and accessibility across both public and private sectors. For more information, see https://lovdata.no/dokument/SF/forskrift/2003-05-21-630

Veiledning om utkontraktering

Circular 7/2021 issued by Norwegian Financial Supervisory Authority (Finanstilsynet) provides guidelines on outsourcing activities and promotes responsible business practices. For more information, see https://www.finanstilsynet.no/contentassets/9f76ac1a390a44218b285b61bb13e19a/veiledning-om-utkontraktering.pdf

National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)

The National Cybersecurity Authority (NCA) developed the Essential Cyber Security Controls (ECC) to define the minimum set of cyber security requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for information and technology assets in the organizations. For more information, see https://nca.gov.sa/ecc-en.pdf.

Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF)

The Cyber Security Framework was developed by Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cyber security. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf

Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing

Saudi Arabian Monetary Authority (SAMA) is the central bank of the Kingdom of Saudi Arabia and the supervisory authority for banks, payment providers, insurance companies, finance companies and credit bureaus operating within the Kingdom. The SAMA Rules on Outsourcing apply to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), and require these banks to appropriately manage risks arising from outsourcing, including ensuring their outsourcing arrangements are subject to appropriate due diligence, approval and ongoing monitoring. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/FinanceRules/Outsourcing%20Rules%20-%20Revised%20v2%20Final%20Draft-Dec-2019.pdf

Directive 159.A.i

The Financial Services Board of South Africa, part of the Financial Sector Conduct Authority, implemented Directive 159.A.i, which specifies the rules applicable to outsourcing by insurers in South Africa. For more information, see https://www.fsca.co.za/Enforcement-Matters/Directives/Forms/DispForm.aspx?ID=436.

Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G5/2014)

The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 5 of 2014 (G5/2014). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2014/6320.

Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G4/2017)

The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 4 of 2017 (G4/2017). For more information, see https://www.resbank.co.za/content/dam/sarb/publications/prudential-authority/pa-deposit-takers/banks-guidance-notes/2017/7803/G4-of-2017.pdf.

Protection of Personal Information Act (POPIA)

The Protection of Personal Information Act (POPIA) is a South African law intended to "promote the protection of personal information processed by public and private bodies." POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information. For more information, see https://www.justice.gov.za/legislation/acts/2013-004.pdf

Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018)

The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued a directive pertaining to cloud computing and offshoring of data in the financial services sector referred to as Directive 3 of 2018 (D3/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-directives/2018/8749.

Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018)

The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued guidance pertaining to cloud computing and offshoring of data in the financial services sector referred to as Guidance Note 5 of 2018 (G5/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2018/8747.

Pinakes

Created by the Centre for Interbank Cooperation (CCI), a non-profit professional association, Pinakes is a platform that provides qualification, management and monitoring of services to financial service providers. It is intended to allow organisations to verify the levels of cybersecurity of the services they use, enable vendors to demonstrate their security benefits to customers, and help organisations comply with EBA’s supplier security assessment guidelines. For more information, see https://asociacioncci.es/pinakes/

Financial Market Supervisory Authority (FINMA) Circular 2018/3

The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 Outsourcing—banks and insurers sets a number of requirements for financial services organizations when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en.

United Arab Emirates (UAE) Federal Law No. 2 of 2019

The United Arab Emirates issued Federal Law No. 2 of 2019 on 6 February 2019 Concerning the Use of the Information and Communication Technology ("ICT") in Health Fields (“Health Data Law”). The Health Data Law applies to all ICT methods and usages in the health fields in the UAE, including free zones. The Law aims at the following: (1) ensuring the optimal use of the ICT in health fields; (2) ensuring compatibility of the principles, standards, and practices applicable in the State with their internally recognized counterparts; (3) enabling the Ministry of Health and Prevention to collect, analyze and keep the health information at the UAE level; and (4) ensuring the safety and security of health data and information. For more information, see https://uaelegislation.gov.ae/en/legislations/1209/download.

Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation)

The Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 (Solvency II Delegated Regulation) forms part of the framework for a solvency and supervisory regime for insurers and reinsurers. It sets out organizational requirements and procedures for various matters including outsourcing arrangements. The UK version of the Solvency II Delegated Regulation became part of UK law by virtue of the European Union (Withdrawal) Act 2018 and related legislation. For more information, see https://www.legislation.gov.uk/uksi/2019/407/contents/made

ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014

The European Securities and Markets Authority (ESMA) and European Union have issued Markets in Financial Instruments Directive II (MiFID 2) and associated Markets in Financial Instruments (MiFIR) Regulation (EU) No 600/2014 to promote fairer, safer and more efficient markets and facilitate greater transparency for all participants. For more information, see https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii

Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance

The Financial Conduct Authority (FCA) is responsible for the authorization and conduct supervision of financial institutions in the UK. The FCA Handbook sets out the FCA’s legislative and other provisions made under powers given to it by the Financial Services and Markets Act 2000. The Senior Management Arrangements, Systems and Controls (SYSC) and Supervision (SUP) parts of the FCA Handbook contain rules and guidance relevant to outsourcing arrangements. For more information, see https://www.handbook.fca.org.uk/.

National Cyber Security Centre IT Health Check (ITHC)

The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance.

Prudential Regulation Authority’s Supervisory Statement 2/21 (PRA SS2/21) on Outsourcing and Third-Party Risk Management

The Prudential Regulation Authority (PRA) is responsible for prudential supervision of banks, insurance companies, building societies, credit unions and major investment firms in the UK. The PRA’s remit includes supervising firms’ outsourcing and other third-party arrangements. The PRA’s Supervisory Statement 2/21 on outsourcing arrangements and third-party risk management published on 29 March 2021 (SS2/21) sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management. For more information, see https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss.

UK Government G-Cloud Framework

The UK Government G-Cloud is a procurement initiative for streamlining cloud-computing procurement by public-sector bodies in departments of the UK government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see https://www.gov.uk/digital-marketplace.

UK National Cyber Security Centre (NCSC) Cloud Security Principles

The UK National Cyber Security Centre (NCSC) is chartered to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles.

UK NHS Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. For more information, see https://www.dsptoolkit.nhs.uk/.

Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231

The Australian Prudential Regulation Authority (APRA) is the regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published a Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see https://www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf.

Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234

The Australian Prudential Regulation Authority (APRA) regulates financial services in Australia. APRA issued standards that regulate banks, credit unions, and insurance companies. APRA’s Prudential Standard CPS 234 defines requirements for entities to implement information security measures to protect their information assets, including the handling of data breaches and cybersecurity incidents. For more information, see https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1

The Hong Monetary Authority (HKMA) sets out minimum standards for authorized institutions (AIs) to attain to satisfy requirements and best practices for the Banking Ordinance that regulates banking business. The Supervisory Policy TM-G-1 General Principles for Technology Risk Management is guidance which the HKMA expects regulated entities to consider when managing technology-related risks. For more information, see: https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf

Hong Kong Monetary Authority (HKMA) Outsourcing SA-2

The Hong Monetary Authority (HKMA) sets out minimum standards that authorized institutions (AIs) must attain to satisfy requirements and best practices for the Banking Ordinance that regulates banking business.  The Supervisory Policy Manual Outsourcing SA-2 is the approach to risk management when outsourcing and the major points which the HKMA recommends that regulated entities address when outsourcing activities.  For more information, see: https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf

ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act

The Companies Act 2013 regulates the formation and functioning of corporations or companies in India. Administered by the Ministry of Corporate Affairs (MCA), the law governs incorporation, dissolution and the running of companies and defines requirements for corporate governance. Subsequently, the Auditing and Assurance Standards Board of The Institute of Chartered Accountants of India (ICAI) issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” on March 2023. Rule 11(g) focuses on reporting on the use of accounting software for maintaining a company’s books of accounts, including audit trails. For more information about the Companies Act, see https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf. For more information about ICAI’s Rule11(g) guidance, see https://resource.cdn.icai.org/73438aasb59254.pdf

Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers

Activities by Indian Insurers
The Insurance Regulatory and Development Authority of India (IRDAI) issued IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see https://irdai.gov.in/document-detail?documentId=822221.

Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018)

The Reserve Bank of India (RBI) issued a set of guidelines for Primary (Urban) Cooperative Banks (UCBs) to enhance security and resilience, protecting their assets against cyber security attacks on a continuous basis. It highlights the need to implement a robust cyber security/resilience framework and recommends specific security controls to support adequate cyber security preparedness. For more information see: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397&Mode=0.

Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016)

The Reserve Bank of India has provided guidelines on Cyber Security Framework vide circular DBS. CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016. These guidelines are intended as a robust cyber security/resilience framework to ensure adequate cyber-security preparedness among banks on a continuous basis. The RBI Guidelines related to Cyber Security framework will enable banks to formalize and adopt cyber security policy and cyber crisis management plan. For more information see: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0.

Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds

Management and Cyber Frauds
The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf.

Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006)

The Guidelines on Managing Risk and Code of Conduct in Outsourcing of Financial Services by banks is intended to address the RBI’s expectations for banks managing the risks in outsourcing to third-parties. The RBI guidelines provide specific guidance on risk management practices for outsourced financial services and foreign outsourcing of financial services. For more information see: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.PDF

Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)

The guidelines are intended to ensure depositories do not outsource their Core and critical activities, ensure proper audit of implementation of risk assessment and mitigation measures, monitor and have checks and overall controls over the outsourced entity on a real-time basis. For information see: https://www.sebi.gov.in/legal/circulars/dec-2015/outsourcing-by-depositories_31219.html

Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017)

The Circular on Outsourcing of activities by Stock Exchanges and Clearing Corporations provide specific guidance on: due diligence, sub-contracting, contracts with service providers, monitoring of the service provider’s performance, business continuity, confidentiality, termination, access to information and other records and audit. For information see: https://www.sebi.gov.in/legal/circulars/sep-2017/outsourcing-of-activities-by-stock-exchanges-and-clearing-corporations_35932.html

Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011)

The Guidelines on Outsourcing of activities by Intermediaries provide specific guidance on: audit rights, confidentiality and data security, monitoring outsourced services, subcontracting and business continuity. For more information, see https://www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html

Financial Industry Information Systems (FISC) Security Guidelines

The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions. For more information, see https://www.fisc.or.jp

National Center of Incident Readiness and Strategy for Cybersecurity (NISC)

The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government related organizations that handle large volumes of personal information in and out of the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. For more information, see https://www.nisc.go.jp/eng/

Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act

The My Number Act, issued by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. The intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see https://www.ppc.go.jp/files/pdf/en3.pdf.

Three Ministries Guidelines: Healthcare Sector

Three Japanese Ministries provide guidance for the healthcare sector. Each Ministry has their own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information on guidelines see, The Safety Management Guideline for Information Systems and Service Providers Handling Medical Information - https://www.meti.go.jp/policy/mono_info_service/healthcare/01gl_20230707.pdf

• The Guideline for Safety Management of Medical Information Systems Version 5.2 - https://www.mhlw.go.jp/stf/shingi/0000516275_00002.html
• The Ministry of Economy, Trade and Industry (METI) - https://www.meti.go.jp/
• The Ministry of Internal Affairs and Communications (MIC) - https://www.soumu.go.jp/
• The Ministry of Health, Labour & Welfare (MHLW) - https://www.mhlw.go.jp/index.html

Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank

The Financial Services Agency (FSA) in Japan provides comprehensive guidelines on risk management, corporate governance, compliance, internal controls, financial and supervisory reporting for the supervision of major banks. For more information, see https://www.fsa.go.jp/common/law/guide/kantokushishin.pdf

Risk Management in Technology (RMiT)

Bank Negara Malaysia regulates the risk management practices in technology for the financial services sector in Malaysia. The RMiT guidelines are intended to provide banks a framework to effectively manage technology related risks in areas such as cybersecurity, operational risk, data governance, cloud risk management and emerging technologies. For more information, see https://www.bnm.gov.my/documents/20124/938039/PD-RMiT-June2023.pdf

Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide

The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see https://abs.org.sg/industry-guidelines/outsourcing

Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines

The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-january-2021.pdf.

Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655

The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/notices/pdf/mas-notice-655.pdf.

Financial Security Initiative (FSI) Cloud Guidelines

The Financial Security Initiative (FSI) issued its Guidelines on the Use of Cloud Computing Services in the Financial Industry in 2019. The guidelines provide procedures and security measures that financial companies in Korea are required to implement when employing the use of cloud services. For more information, see https://www.fsec.or.kr/en.

Bank of Thailand Regulation on IT Outsourcing for Business Operations of Financial Institutions (No. FPG. 19/2559)

The Bank of Thailand introduced regulations for outsourcing in financial institutions that include requirements for obtaining prior approval, conducting risk assessments, conducting due diligence on suppliers, outsourcing contracts, monitoring supplier performance, establishing business continuity plans and ensuring compliance with data protection laws. For more information, see https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2560/ThaiPDF/25600035.pdf.

Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party (No. Tor Thor. 60/2561)

The Capital Market Supervisory Board issued regulations regarding the outsourcing of securities and derivative transactions to third parties that specify the requirements, conditions and procedures for outsourcing and contain provisions for the selection and monitoring of service providers. For more information, see https://publish.sec.or.th/nrs/7820s.pdf