Features Hub

A comprehensive guide to cloud adoption in Europe’s banking sector

Thu 31 Oct 2019

Julian Schmücker is the European Banking Federation expert on cloud computing and organiser of the federation’s Cloud Banking Forum – a policy hub for European banks, cloud service providers and EU observers. Ahead of his appearance at Tech Week Frankfurt 2019, Julian breaks down the best practices for banking in the cloud

European banks fully understand the importance of cloud and are keen to take advantage of this promising technology’s innovative potential. They are looking at cloud closely and are aware of the effects that technological advancement can have on the future of IT, the emergence of an ecosystem and the overall evolution of the sector.

Banks are chiefly aware of the cloud’s potential for improved processing power. Instead of pre-purchasing capacity at the maximum expected computing need, the on-demand usage of cloud allows banks to ‘burst into cloud’ instead, a speed increase that makes IT results available to banks faster. At this year’s EBF European Banking Summit a British internationally operating financial institution revealed how it cuts down processing time for liquidity reporting from 48 hours to about 3 hours using the cloud.

In addition to making existing applications cloud-ready, banks can breed entirely new cloud-based applications, using innovative development partners. In this scenario, European banks tend to follow a strategic approach before making such applications operational. A proof-of-concept from the cooperating partners is just one phase in a step-by-step process for the introduction of a new solution.

Cloud adoption does not stand on its own but combines the computing power and data storage possibilities with – for example – AI solutions for data analysis or the Internet of things (IoT). Information can be processed faster, which helps to tailor services to customers.

Think of a credit-related data-driven pay-per-use loan, such as an investment loan for machines in hardware production. The repayment of such a loan could cost less than a traditional linear repayment, once machines’ production count is considered for repayment calculation, via IoT data sharing. If the machine is used less than planned, the repayment of a loan would cost less than that of a traditional linear repayment loan and vice versa. In such a scenario, the cloud could enable timely and secure data transfers. While this use case may not reflect widely-used cloud applications, it reflects the possibilities available.

Further, with AI and machine learning, cloud technology can enable real-time information collection and analysis. Consider an information warning system for credit risk analysts that uses an AI service to collect publicly available information, and external data from commercial information providers, and then store it on the cloud. With AI-based language processing and translation, machine-learning algorithms could then extract warnings according to the end-user’s preferences.


Numbers show a slow rise in cloud adoption among European enterprises, including in financial services. According to Eurostat, 26 percent of enterprises were using cloud computing in December 2018. Despite a sizable increase compared to 2014 (19 percent), the numbers do not mirror the rise in sophistication of cloud itself over the same period. In part, this difference is linked to the complexity of cloud migration under existing regulation, especially in the financial sector.

The current EU rules require banks to consider a large number of conditions before moving their business to the cloud. These rules are mainly targeted at preserving financial stability. An example are the rules implemented by national supervisors to oversee the outsourcing to cloud service providers, following 2019 guidelines and earlier recommendations by the European Banking Authority (EBA).

Join Julian at TechWeek Frankfurt, 14 November, Messe Frankfurt

The EBF Cloud Banking Forum: Supporting a harmonised supervisory approach to cloud in Europe
09:30 – 10:00
Cloud Strategies and Innovation Theatre

Data location is a critical part of conversations of banks have with cloud service providers, who are obliged to report information on outsourcing arrangements to national supervisors. The EBA made clear in its guideline requirements that locations (i.e. countries or regions) for data storage and for service performance must be reported. Consequently, such information must be provided to banks by cloud service providers. In the EBF Cloud Banking Forum, banks and cloud service providers engaged with EU authorities and institutions and discuss practical guidance on how reporting can include data location.

Banks are operating within the given set of requirements and considering the steps of cloud migration thoroughly, and dialogue between banks, national supervisors and cloud service providers is ongoing. Because of these legal considerations and the time required to manage cloud adoption, progress is not as fast as the technological possibilities allow.


As banks are mindful of their responsibilities, cloud services are selected consciously and core functions kept on-premises. Migration is a step-by-step journey, where banks start from a traditional IT system, adding only selected public cloud services. Later in the process, further capacities are built, using private cloud as well as third-party specialist services, leveraging cloud as an IT commodity (‘managed cloud’) rather than a business solution on its own. This landscape can then later be transformed by increasing the share of service applications in all categories: Public, private and managed.

Embracing this hybrid cloud reality might someday lead to cloud-based IT solutions for a bank that are comparable to on-premise architecture. But it is up to individual banks to run through the cloud migration process according to their business model, identify their own needs and adopt a risk-based approach in line with regulatory obligations.

By operating in a hybrid cloud environment, banks can utilise cloud solutions by multiple cloud service providers, forming a multi-cloud approach. Different cloud solutions address the specific needs of a bank. Use cases are versatile and range from office software, including email service solutions; document storage and HR management systems; IT processes with high-compute capacity, and multi-cloud service platforms for marketing.

Changing the core

It is difficult to think of a bank with a sophisticated core banking system not looking at ways to support it by cloud services.

A big advantage that cloud affords is specialisation. When cloud is deployed for non-core capabilities – like infrastructure management – banks can dedicate top talent to business challenges and development instead. And it is unlikely that such capabilities will outright exclude critical functions.

The 2019 EBA Guidelines on outsourcing provide definitions for critical or important functions. Under the guidelines’ approach, the outsourcing of those critical functions is permitted but triggers advanced regulatory requirements (e.g. more in-depth reporting to national supervisors). European banks must carefully consider the supervisory framework and make a thorough assessment of the critical part of the process before application migration.


Looking at past and recent data breaches, one must carefully assess the actual reason for the vulnerability in question.  A closer inspection reveals that breaches were not necessarily caused by the hasty migration of services to the cloud. In the case of Capital One, the exploited weakness was traced back to a firewall misconfiguration within a web application. While cyber security efforts should certainly dedicate significant attention to such configurations, this implies no systemic vulnerability in the cloud per se. Indeed, the opposite is true. In terms of security measures, cloud service providers offer increasingly sophisticated security offerings that other, particularly smaller enterprises may not be able to deliver at the same level and scale.

Cloud service providers have made cloud security part of their core business, dedicating extensive resources and personnel to security challenges. European banks are aware of the merit such services and expertise can bring in addition to their own security capabilities. Due diligence when selecting cloud services is a permanent step European banks’ cloud strategies, reflecting not only regulatory obligations but their dedication to cyber security.

What recent data breaches do highlight is the importance of incident reporting. In Europe, banks find themselves confronted with several different Incident Reporting Requirements (e.g. NIS Directive, GDPR, eIDAS, PSD2, ECB). The landscape is fragmented, introducing different taxonomies, timelines and lack of clarity on communication channels between public bodies and authorities such as Europol. Additional regulatory burden for banks is the wrong way to remedy this situation. The EBF rather calls for the establishment of a central reporting hub in each Member State, which we explored further in a recently published position paper.

Don’t miss Julian’s presentations at this year’s Tech Week Frankfurt, 13-14 November, Messe Frankfurt. Register for your free ticket today.


banking Europe finance
Send us a correction Send us a news tip