How European Banks Can Meet EBA Outsourcing Guidelines Through Customer-Controlled Encryption Keys
The European Banking Authority’s Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) require financial institutions to maintain effective control over outsourced functions, including the ability to monitor performance, enforce security standards, and terminate arrangements when data protection is compromised. Since January 2025, the Digital Operational Resilience Act (DORA) has added enforceable requirements for ICT risk management, third-party oversight, and operational resilience that apply directly across all EU member states. Together, these frameworks create a regulatory environment where European banks must demonstrate genuine control over customer and operational data processed by cloud service providers.
For German banks supervised by BaFin, this regulatory picture is even more detailed. BaFin’s 2024 supervisory notice on cloud outsourcing explicitly requires supervised companies to address encryption and key management as a core governance topic. The BAIT framework (Bankaufsichtliche Anforderungen an die IT), which remains applicable through December 2026 for institutions transitioning to DORA, sets clear expectations for IT security controls. Meanwhile, the ECB’s draft Guide on Outsourcing Cloud Services reinforces that institutions must own their data and restrict where cloud providers store it.
The common thread across all these requirements is control. Not contractual assurances of control, but architectural, verifiable, technical control over data sovereignty. This guide explains how customer-controlled encryption keys address the core outsourcing risk that regulators are targeting and how European banks can implement this approach to satisfy EBA, DORA, and national supervisory expectations simultaneously.
Executive Summary
Main Idea: EBA outsourcing guidelines and DORA require European banks to maintain effective control over data processed by cloud providers, including the ability to protect it from unauthorized access. Customer-controlled encryption keys, where the bank generates, stores, and exclusively manages cryptographic keys in its own hardware security module, provide the architectural foundation that satisfies these requirements because the cloud provider cannot access decrypted data even under legal compulsion.
Why You Should Care: DORA enforcement began January 17, 2025, with penalties reaching up to 10% of annual turnover for serious breaches. BaFin expects German banks to demonstrate compliance now and has signaled that initial findings will be available by late 2025. If your institution relies on a US-headquartered cloud provider that retains encryption key access, you face a measurable gap between your outsourcing arrangement and what regulators expect. Customer-controlled encryption is the technical measure that closes that gap.
5 Key Takeaways
- EBA guidelines require effective control, not contractual promises. Paragraph 98 of EBA/GL/2019/02 mandates that outsourcing agreements for critical functions specify data locations, ensure confidentiality, integrity, and availability, and include termination rights for security weaknesses.
- DORA mandates encryption at rest, in transit, and where necessary in use. Financial entities must implement comprehensive data encryption policies under DORA’s ICT risk management requirements, protecting information from unauthorized access across all states.
- BaFin specifically identifies encryption and key management as governance topics. The 2024 supervisory notice requires German banks to address key management in their cloud governance guidelines, going beyond general encryption to demand documented control over cryptographic keys.
- Provider-held keys create an unresolvable outsourcing risk. When a US-headquartered cloud provider retains encryption keys, CLOUD Act and FISA 702 exposure means the bank cannot guarantee data confidentiality, violating EBA and DORA requirements simultaneously.
- Customer-controlled keys satisfy multiple regulatory requirements at once. A single architectural decision, retaining encryption keys in the bank’s own HSM, addresses EBA outsourcing controls, DORA encryption mandates, GDPR transfer safeguards, and BaFin supervisory expectations.
Why EBA Outsourcing Guidelines Demand More Than Contractual Controls
The EBA’s Risk-Based Approach to Cloud Outsourcing
The EBA Guidelines on Outsourcing Arrangements, effective since September 30, 2019, apply to credit institutions, investment firms, payment institutions, and electronic money institutions. The guidelines take a risk-based approach that requires financial institutions to identify, assess, and mitigate risks across all outsourcing arrangements, with enhanced requirements for critical or important functions.
Cloud-based file sharing, email, collaboration platforms, and managed file transfer systems used for sensitive data exchange typically qualify as critical or important functions. These platforms process customer financial data, internal communications, regulatory correspondence, and transaction records. Under EBA paragraph 75, institutions must conduct thorough risk assessments before entering outsourcing arrangements and maintain ongoing monitoring of the provider’s security posture.
Critically, the EBA guidelines state that relying solely on certifications such as ISO 27001 is not appropriate for conducting risk assessments or ongoing monitoring. Banks must look beyond provider assurances to evaluate the actual technical architecture determining who can access their data.
What the Guidelines Require for Data Security
For critical or important outsourcing, EBA/GL/2019/02 paragraph 98 requires written agreements that specify where data will be stored and processed, with notification if the provider proposes to change locations. The agreement must ensure the accessibility, availability, integrity, privacy, and safety of data. It must guarantee the institution can access its data if the provider becomes insolvent. And it must include termination rights where there are weaknesses in data security.
Paragraph 100 requires institutions to routinely monitor their provider’s performance with a particular focus on data availability, security, and integrity. The EBA’s ICT and Security Risk Management guidelines add that contracts should include minimum cybersecurity requirements, specifications for the data lifecycle, requirements for data encryption, network security, and data center location requirements.
These are not aspirational guidelines. They create binding supervisory expectations that national regulators like BaFin enforce through examination, remedial orders, and, under DORA, financial penalties.
DORA Raises the Stakes for ICT Third-Party Risk
Encryption Requirements Under DORA
DORA (Regulation (EU) 2022/2554) became enforceable on January 17, 2025, establishing uniform requirements for ICT security across approximately 22,000 financial entities in the EU. Under DORA’s ICT risk management framework, financial entities must implement comprehensive data encryption policies covering data at rest, data in transit, and where necessary, data in use. Where encryption is not technically feasible, data must be handled in a separate, secure environment with equivalent measures to maintain confidentiality and integrity.
DORA’s third-party risk management pillar requires that all ICT service agreements include service level agreements, audit rights, termination rights, exit strategies, and incident notification procedures. The European Supervisory Authorities designated 19 ICT service providers as critical in November 2025, including AWS, Microsoft Azure, and Google Cloud, subjecting them to direct EU supervisory oversight. This means European banks cannot treat their relationships with these providers as purely contractual matters. Regulators are now examining the providers themselves.
BaFin’s Specific Expectations for German Banks
BaFin’s February 2024 supervisory notice on cloud outsourcing goes further than the EBA baseline. It requires supervised companies to develop internal guidelines for cloud use covering encryption and key management as a core topic alongside compliance, identity management, and subcontractor control. BaFin expects banks to perform a strategic analysis of whether each outsourced function can be adequately monitored and, if necessary, repatriated.
BaFin has signaled that it will intensify outsourcing oversight in 2025 and expects first DORA compliance findings by year-end. German banks relying on US hyperscale providers without customer-controlled encryption face direct supervisory risk because their current architecture may not satisfy BaFin’s interpretation of adequate data protection controls.
The Encryption Key Problem European Banks Must Solve
Why Provider-Held Keys Fail the Regulatory Test
When a European bank uses a US-headquartered cloud provider for secure file sharing, email, or collaboration, the provider typically retains control of encryption keys. Even when the bank selects EU data center regions, the legal entity operating the service remains subject to the CLOUD Act, which enables US authorities to compel data production regardless of storage location. FISA Section 702 allows intelligence agencies to surveil non-US persons without individual warrants.
This creates an architectural conflict with EBA and DORA requirements. The bank’s outsourcing agreement may contractually require data confidentiality, but the provider can be legally compelled to decrypt and produce data without notifying the bank. The EBA’s requirement for termination rights on data security weaknesses becomes meaningless if the weakness is structural: the provider holds the keys and is subject to foreign government access laws.
The EDPB Recommendations 01/2020 confirmed that where a provider possesses encryption keys and operates under a legal regime permitting government access, no effective supplementary measures exist. For banks conducting Transfer Impact Assessments, provider-held encryption keys represent an unmitigable risk factor.
How Customer-Controlled Keys Resolve the Conflict
Customer-controlled encryption keys fundamentally change the risk architecture. In this model, the bank generates and stores the encryption keys in its own hardware security module (HSM), located on premises or in a bank-controlled European data center. The cloud platform processes encrypted data but never possesses decryption keys. If a foreign government compels the provider to produce data, it can only deliver ciphertext that is unreadable without the bank’s keys.
This approach differs from “Bring Your Own Key” (BYOK) offerings where the bank generates a key but uploads it to the provider’s key management service. In BYOK, the provider retains access to key material and can be compelled to use it. Customer-controlled encryption means the key never leaves the bank’s infrastructure.
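To make the distinction concrete, here is an added example (not Kiteworks code and not taken from this page): a Go model of envelope encryption in which a simulated bank HSM holds the key-encryption key (KEK) and the cloud platform stores only ciphertext plus a wrapped per-object data key (DEK). The `CompelledDisclosure` function shows why a BYOK-style uploaded copy of the KEK makes the provider as capable as the bank’s own HSM; the HSM type, function names and sample data are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on errors that can only be programming errors here (fixed key sizes, OS randomness).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
// seal is AES-256-GCM with a fresh nonce prepended; open reverses it and fails on any tampering.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// BankHSM models the bank's HSM (assumed): the KEK is unexported; wrapping and unwrapping DEKs are its only operations.
type BankHSM struct{ kek []byte }
func NewBankHSM() *BankHSM                            { return &BankHSM{kek: randomBytes(32)} }
func (h *BankHSM) WrapDEK(dek []byte) []byte          { return seal(h.kek, dek) }
func (h *BankHSM) UnwrapDEK(w []byte) ([]byte, error) { return open(h.kek, w) }
type StoredObject struct{ Ciphertext, WrappedDEK []byte } // all the cloud platform ever receives for one file
// BankEncrypt runs on bank infrastructure: fresh DEK, data sealed under it, DEK wrapped by the HSM then discarded.
func BankEncrypt(h *BankHSM, plaintext []byte) StoredObject {
	dek := randomBytes(32)
	return StoredObject{Ciphertext: seal(dek, plaintext), WrappedDEK: h.WrapDEK(dek)}
}

// BankDecrypt unwraps the DEK through the HSM, then opens the data.
func BankDecrypt(h *BankHSM, obj StoredObject) ([]byte, error) {
	dek, err := h.UnwrapDEK(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// CompelledDisclosure models a legal demand served on the provider alone.
func CompelledDisclosure(providerKEK []byte, obj StoredObject) ([]byte, error) {
	if providerKEK == nil { // customer-controlled keys: only ciphertext and a wrapped DEK exist here
		return nil, errors.New("provider cannot produce readable data")
	}
	return BankDecrypt(&BankHSM{kek: providerKEK}, obj) // BYOK: an uploaded KEK copy equals the bank's HSM
}
```

The guarantee holds only as long as unwrapping and decryption run on bank-controlled infrastructure; a platform that unwraps DEKs in provider-operated memory has moved the plaintext back within the provider’s reach.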
Regulatory Requirements Addressed by Customer-Controlled Keys
| Regulatory Requirement | Provider-Held Keys | Customer-Controlled Keys |
|---|---|---|
| EBA: Ensure data confidentiality (Para. 98) | Cannot guarantee; provider subject to foreign access laws | Guaranteed; provider cannot decrypt data |
| EBA: Ongoing data security monitoring (Para. 100) | Limited visibility; relies on provider reports | Full audit trail under bank control |
| DORA: Encryption at rest and in transit | Encrypted, but provider holds keys | Encrypted with bank-exclusive key control |
| DORA: Third-party ICT risk management | Residual risk from foreign access laws | Risk eliminated at architectural level |
| BaFin: Encryption and key management governance | Key management delegated to provider | Key management under bank governance |
| GDPR: Article 32 technical measures | Provider-controlled measures; transfer risk remains | Bank-controlled measures; transfer risk mitigated |
| CLOUD Act / FISA 702 exposure | Full exposure; provider can comply with demands | No exposure; provider cannot produce readable data |
Architectural Requirements Beyond Encryption Keys
Customer-controlled encryption is necessary but not sufficient. European banks should evaluate cloud platforms against three complementary requirements that together create verifiable data sovereignty.
Single-Tenant European Deployment
Multi-tenant cloud environments share infrastructure across customers, with provider personnel performing maintenance from locations worldwide. Single-tenant deployment on dedicated European infrastructure ensures the bank’s data resides on isolated systems where access controls are governed by European law. Combined with customer-controlled encryption, this eliminates both logical and physical access paths for unauthorized parties.
Policy-Enforced Data Residency
EBA paragraph 98 requires agreements to specify data locations with change notification. DORA reinforces this through its data residency expectations. Rather than relying on contractual commitments, banks should implement platforms with technical geofencing that restricts storage to German or EU data centers, prevents replication to non-EU locations, and logs all access attempts for audit trail purposes.
Comprehensive Audit and Monitoring Capabilities
Both EBA and DORA require continuous monitoring of outsourced services. Banks need platforms that provide complete visibility into every file access, user action, administrative change, and data movement. This data governance capability supports the outsourcing register required under DORA Article 28(3) and enables banks to demonstrate compliance during BaFin examinations and ECB supervisory reviews.
Implementation: A Risk-Based Approach for European Banks
Phase 1: Assess Current Outsourcing Arrangements
Inventory all cloud services processing customer data, operational data, and employee data. For each service, document the provider’s jurisdiction, encryption model, key management architecture, and third-party risk classification. Cross-reference against the DORA Register of Information requirements to identify gaps.
Phase 2: Evaluate Encryption Key Exposure
For each cloud service classified as supporting a critical or important function, apply the key test: Can the provider access decrypted data if compelled by a foreign government? Map the results against EBA and DORA requirements. Prioritize services handling the most sensitive data: customer financial records, regulatory correspondence, internal audit materials, and cross-border transaction data.
Phase 3: Implement Customer-Controlled Architecture
Transition critical data exchange platforms to architectures where the bank retains exclusive encryption key control. This typically involves deploying a hardened virtual appliance or on-premises HSM for key storage, configuring single-tenant European deployment, and establishing geofencing policies. Validate through independent testing that the provider cannot access decrypted data under any scenario.
Phase 4: Establish Ongoing Compliance Monitoring
Implement continuous monitoring aligned with EBA paragraph 100 and DORA’s operational resilience requirements. Establish regular review cadences with documented evidence for supervisory examination. Ensure incident response plans cover scenarios involving foreign government data access requests and provider security weaknesses.
Customer-Controlled Encryption Is the Foundation of Regulatory-Compliant Outsourcing
EBA outsourcing guidelines, DORA, and BaFin supervisory expectations converge on a single principle: European banks must maintain effective, verifiable control over data processed by cloud providers. When a provider holds encryption keys and operates under foreign government access laws, that control is architectural fiction. Customer-controlled encryption keys restore genuine control by ensuring no third party can access decrypted data without the bank’s explicit involvement.
Banks that implement customer-controlled keys alongside single-tenant European deployment and policy-enforced data residency are not simply checking regulatory boxes. They are building the zero trust infrastructure that DORA envisions for a resilient European financial system.
Kiteworks Helps European Banks Meet EBA Outsourcing Guidelines Through Customer-Controlled Encryption
The Kiteworks Private Data Network delivers the architectural controls European banks need to satisfy EBA, DORA, and BaFin requirements simultaneously. Kiteworks operates on a customer-managed encryption model where the bank generates and retains encryption keys in its own HSM. Kiteworks cannot access decrypted content and cannot comply with foreign government demands to produce readable data because it does not possess the keys.
Kiteworks deploys as a single-tenant instance on dedicated European infrastructure, including on-premises, private cloud, and hardened virtual appliance options. Built-in geofencing enforces data residency at the platform level. Comprehensive audit logging captures every file access, user action, and administrative change, providing the continuous monitoring evidence that EBA paragraph 100 and DORA require. Kiteworks supports DORA compliance through its unified approach to ICT risk management across all sensitive content channels.
The platform unifies secure file sharing, email protection, managed file transfer, and web forms under a single governance framework, enabling banks to address outsourcing requirements across all data exchange channels with one architecture, one set of controls, and one supervisory evidence package.
To learn more about meeting EBA outsourcing guidelines through customer-controlled encryption keys, schedule a custom demo today.
Frequently Asked Questions
The EBA guidelines apply to all outsourcing arrangements, with enhanced requirements for critical or important functions. Cloud services processing customer financial data, supporting regulatory reporting, or enabling core banking operations typically qualify as critical. The guidelines require vendor risk management including risk assessment, contractual controls, and ongoing monitoring for all outsourced services. Banks should classify each cloud service and apply proportionate controls, with the most stringent requirements, including specified data locations and encryption standards, reserved for critical functions. Even non-critical cloud outsourcing requires written agreements with security obligations and termination provisions under GDPR compliance requirements.
DORA creates directly enforceable encryption obligations backed by penalties of up to 10% of annual turnover. While earlier EBA guidelines recommended encryption as a security control, DORA mandates comprehensive data encryption policies covering data at rest, in transit, and where necessary in use. DORA also requires financial entities to maintain a Register of Information documenting all ICT third-party arrangements, including encryption configurations. The ESAs designated 19 major cloud providers as critical in November 2025, subjecting them to direct supervisory oversight. Banks must demonstrate not just that encryption exists, but that their data governance framework ensures encryption key control remains with the institution, particularly where providers are subject to foreign government access laws.
In BYOK, the bank generates a key but uploads it to the provider’s infrastructure; in customer-controlled encryption, the key never leaves the bank’s own HSM. This distinction is critical for regulatory compliance. With BYOK, the cloud provider retains access to key material and can be compelled to decrypt data under the CLOUD Act or FISA 702. With customer-controlled encryption keys, the provider processes only ciphertext and cannot produce readable data regardless of legal demands. BaFin’s supervisory notice identifies key management as a core governance topic, and the DPIA for cloud outsourcing should clearly document which party controls decryption capability.
Banks should maintain encryption architecture documentation, key management policies, Transfer Impact Assessments, and continuous monitoring evidence. BaFin expects German banks to have internal guidelines covering encryption and key management as part of their cloud governance framework. Documentation should include the key generation process, HSM deployment location, access controls for key material, and evidence that the cloud provider cannot access decryption keys. The DORA Register of Information must capture these arrangements. Banks should also maintain risk assessment records showing how customer-controlled keys mitigate the specific risks identified in their Transfer Impact Assessments for services involving US-headquartered providers.
Yes, if the bank implements architectural controls that eliminate the provider’s ability to access decrypted data. The EBA guidelines do not prohibit outsourcing to third-country providers, but they require enhanced risk assessment and additional safeguards. The key question is whether the provider can be compelled to produce readable customer data under foreign law. If the bank retains exclusive encryption key control through its own HSM, deploys on dedicated European infrastructure, and enforces data residency through technical controls, the outsourcing arrangement can satisfy EBA, DORA, and GDPR requirements because the foreign access risk is neutralized at the architectural level.