The National Bank of Ukraine to regulate the use of cloud technologies by financial institutions

24.01.2025

The National Bank of Ukraine (hereinafter – the "NBU") has proposed to determine the procedure of cloud computing technology application and use by the financial institutions pursuant to the Law of Ukraine "On Cloud Services". The respective draft resolution ("Resolution") was published for public discussion here. Comments and suggestions to the draft resolution were invited until 19 January 2025. 

The Resolution defines, along with the general principles of the IaaS, PaaS, SaaS, SECaaS and other cloud services application and use, the requirements to a cloud service contract, organisational support for the use of cloud services, risk assessment for financial institutions' activities when using cloud services, as well as guidelines for informing the NBU about the use of cloud services. 


The key novelties include:

• The Resolution will apply only to banks, financial service providers, payment system operators, payment system participants and technological payment service operators that use cloud services ("Cloud Users").

• A cloud service provider ("Cloud Provider") is allowed to involve another cloud service provider to service the Cloud User (i.e., "Multi-Cloud").

• The Cloud Provider must not only comply with international information security standards but also hold an independent certification of compliance. The Cloud Provider is obliged to provide the certificate annually throughout the term of the Cloud Services Agreement ("CS Agreement").

• Cloud Users are obliged to implement a business continuity plan, which must comprise:

  • resuming the work in case of the Cloud Provider shutdown; 
  • restoring the backup system for guaranteed recovery of the Cloud User data systems and the preservation of information with restricted access; 
  • protocol to ensure continuity in case of terminating cloud services and/or transitioning to a different Cloud Provider.

• Cloud Users have to implement their own controls over the Cloud Provider's security system, and Cloud Users are also responsible for monitoring access to information with restricted access (such as data subject to the banking secrecy regime).

• Cloud Users must analyse at least the following risks before using cloud services:

  • disruption of business continuity, data integrity and accessibility during transit from one Cloud Provider to another; 
  • insufficient control of the Cloud Provider’s activities; 
  • increased impact of potential failures in the Cloud Provider’s activities; 
  • disruption of the Cloud User's operations following a sudden stoppage of the Cloud Provider's activity, due to unavailability of information systems, services and data; 
  • the Cloud Provider's non-compliance with the terms of the CS Agreement; 
  • conflict of laws of Ukraine and the country of the Cloud Provider's registration that regulate the processing of restricted-access information; 
  • data separation breaches during the use of a shared infrastructure; 
  • cybersecurity; 
  • Multi-Cloud legal structure and technical architecture. 

The Cloud User is required to notify the NBU within one month after executing the CS Agreement. An identical one-month deadline for notifying the NBU applies after amendment or termination of the CS Agreement. 

The Resolution will bring changes to the law that improve the cloud service experience, enhance control over its quality and tighten the security of financial market actors through more efficient operational risk management practices. 

Although the Resolution contains no conflict-of-law provisions on cross-border personal data transfers, we believe that the restrictions under the Law of Ukraine "On Personal Data Protection" apply on the basis of systemic interpretation. Notably, the largest Cloud Providers (the aggregated share of AWS, MS Azure and Google Cloud exceeds two thirds of the global market) all have data centres outside Ukraine, and the Cloud User bears the risk of non-compliance with Ukrainian legislation regarding data transfer channels. 

In addition to the personal data law constraints, the statutory law on cloud services also imposes restrictions on Cloud Providers:

  • no technical devices for cloud services may be placed in the occupied territories of Ukraine or on the territory of an aggressor or occupying state; 
  • technical means may not be used as long as they are in the possession of natural or legal persons (including states) that are under sanctions of the Government of Ukraine.