Cloud computing data processing – KNF guidelines for supervised entities

On January 24^th 2020 Polish Financial Supervision Committee published extensive guidelines on the matters related to processing by supervised entities of information using public or hybrid cloud computing services. KNF also informs that they will organize trainings in order to explain the guidelines to market participants.

The KNF guidelines are rather extensive and detailed, they form a sort of compilation of all previous KNF’s communications in the matters relating to outsourcing. What’s important, the guidelines apply to all kinds of supervised entities, including but not limited to:

1. banks,
2. insurance companies,
3. investment firms,
4. payment services providers (small payment institutions, national payment institutions,
5. e-money institutions,
6. rating agencies,
7. SKOKs,

The scope of guidelines covers inter alia the following fields:

1. classification of information,
2. classification of cloud computing services,
3. risk assessment,
4. technical and organizational standards,
5. contracts with cloud computing services provider,
6. plan for processing information via cloud computing,
7. requirements for providers of cloud computing services,
8. cryptography,
9. monitoring of cloud computing environment,
10. documenting activities related to cloud computing,
11. KNF reporting obligations.

What’s important, the supervised entities shall apply the guidelines prior to using the cloud computing (public or hybrid) services.

We invite you to contact our Law Firm, which offers services such as:

1. payment services,
2. representation in front of KNF,
3. legal design of internal systems and bye-laws so that they comply with EBA and KNF guidelines.