Atlassian ensures BaFin compliance
Thanks to the EU FSA, the cloud is becoming an increasingly realistic option for European customers in regulated sectors such as finance and insurance. In the past, strict EBA and/or BaFin compliance requirements placed many obstacles in the way of their cloud migration. Atlassian's EU FSA is intended to remedy this situation and enable GDPR-compliant use of its cloud products.
Who can use the EU FSA?
In order to use the EU FSA, customers must meet certain requirements. For example, only European financial services institutions are eligible for the EU FSA. This applies to all banks and insurance companies operating in the European Economic Area or the United Kingdom. This includes local/regional banks as well as large multinational banks that have a presence in the European Economic Area (e.g., Morgan Stanley, Natwest, and Deutsche Bank).
In addition, certain fintech companies may also be classified as European financial services clients due to the scale and services they provide.
Note: Clients must enter into an MSA agreement (minimum spend of €150,000). The request for an MSA must be made through the Partner Service Desk. In the request, partners should indicate that the customer is a European financial services institution that qualifies for the EU FSA.
The EU FSA covers all qualifying cloud purchases. This applies to European Financial Services Institutions with the following Enterprise Editions:
- Confluence Cloud
- Jira Align Cloud
- Jira Service Management Cloud
- Jira Software Cloud
The following products are not covered by the EU FSA:
- Any editions of a cloud product other than Confluence Cloud, Jira Align Cloud, Jira Service Management Cloud, or Jira Software Cloud.
- The standard or premium editions of Confluence Cloud, Jira Align Cloud, Jira Service Management Cloud or Jira Software Cloud.
Why is EBA and BaFin compliance so important?
Financial services institutions operating in the European Economic Area are regulated by the European Banking Authority (EBA) and are subject to compliance with the EBA Guidelines. All requirements when procuring and implementing cloud products as well as cloud services for financial services institutions are listed in the EBA Guidelines on outsourcing arrangements. These requirements set by the EBA at regional level can be further extended or defined in more detail by national authorities through additional or detailed requirements.
One example is the German Federal Financial Supervisory Authority (BaFin). It is considered one of the strictest and most demanding national regulators and provides an overview of its requirements in its guide to outsourcing cloud products and cloud services. Although the requirements of the BaFin guide are largely the same as those of the EBA guidelines, they are broader in some respects and must be complied with by all financial services institutions operating in Germany.
Both the EBA and BaFin have a noticeable influence on the business processes of financial service providers – especially when it comes to migrating to the cloud and the associated guarantee of data security. They treat cloud products and cloud services as the outsourcing of functions that could also be performed internally (e.g., with on-premises software). For this reason, the EBA and BaFin require financial services institutions to supervise and monitor the outsourced services (i.e., the cloud product) to a similar extent as their internal operations. This is the only way to ensure compliance and the security of sensitive data outside the institution.
Benefits of the EU Financial Services Addendum for Financial Services Institutions
The EU FSA is a contractual addendum to the Atlassian Subscription Agreement. It grants the customer further control and audit rights to comply with EBA and BaFin guidelines and is considered a basic requirement to migrate to the cloud.
When a customer enters into an EU FSA with Atlassian, Atlassian provides the following additional rights:
- Comprehensive audit rights for the customer, its auditors and regulators with both Atlassian and the service provider, AWS;
- Enhanced recordkeeping and reporting requirements on the part of Atlassian;
- Commitment on the part of Atlassian to cooperate with the customer's regulators;
- Continuation of service after bankruptcy or termination.
The two together – the EU FSA and the Atlassian Subscription Agreement – provide customers with the level of oversight and monitoring of Atlassian's cloud products required by the EBA guidelines and the BaFin guidelines.
More information on BaFin compliance
We have compiled more information and useful guidance on the EU FSA for European financial services institutions and the associated compliance with EBA and BaFin outsourcing regulations in our factsheet. Download now to learn all about Atlassian's latest measures to strengthen data security and integrity in the cloud for financial services in EMEA.
Do you work for a financial services institution in the European Economic Area and want to migrate to the cloud? We would be happy to accompany you in this step and advise you on the EU Financial Services Addendum from Atlassian and on compliance with BaFin standards for outsourced services. Just contact us – we look forward to your inquiry.