Certification system for cloud services to be evaluated
Cloud services create new opportunities for innovative business models and more efficient processes. The secure use of cloud services therefore strengthens the competitiveness of the Swiss economy. Legal and regulatory uncertainties are delaying migration to the cloud, particularly of the banking infrastructure. Last spring, the Federal Council therefore commissioned in-depth clarifications about the need for and feasibility of a “Swiss cloud”.
In its recently published report, the Federal Department of Finance (FDF) identifies the need for a “Swiss cloud” label for secure cloud services that also adhere to specific data sovereignty requirements. This is to minimise the risk of unauthorised data access. Numerous legal issues relating to the use of cloud services require clarification and could result in adjustments to legal and regulatory frameworks. No clear need was identified for a “Swiss cloud” in the form of an independent technological infrastructure under public law.
A number of legal aspects that are particularly relevant for the banking industry have already been addressed in the Swiss Bankers Association’s Cloud Guidelines. They raise the questions of what constitutes a breach of bank-client confidentiality in the cloud and to what extent personal data and non-personal data can be meaningfully differentiated and decoupled in a cloud. In particular, the SBA welcomes the clarification of the legal situation with regard to the impact of the US’s CLOUD Act on the Swiss economy, having called for such clarification in its position paper.
Based on the findings of the “Swiss cloud” needs assessment report, the Federal Council has mandated the establishment of a comprehensive package of further measures. Of particular interest from a banking perspective is the evaluation and specification of a certification system for cloud services. The Federal Council aims to list ICT and cloud solutions that meet defined categories of service quality (in terms of official confidentiality, the protection of information, data protection, availability, etc.) in a public register. This is to make it easier for users to identify trustworthy service providers. To this end, ICT and cloud standards should be made auditable.
The Swiss Bankers Association is prepared to actively contribute to the further work of the federal government in this area and will adjust its Cloud Guidelines if required.