Third edition of the SBA Cloud Guidelines

Published: 21 November 2025

Authors

Philipp Fischer, Partner

Arthur Idiart, Trainee Lawyer

1. Introduction

On 4 November 2025, the Swiss Bankers Association ("SBA") released the third edition of its Cloud Guidelines for banks and securities firms (the "Institutions"). The Guidelines are non-binding recommendations designed to help Institutions interpret and operationalise Swiss legal and supervisory requirements when procuring and using cloud services. They aim to transpose those requirements into proportionate, risk-based technical, organisational and contractual measures ("TOMs") that fit each Institution’s business and operating model.

Two regulatory developments have triggered this update:

  • FINMA Circular 2023/1 – Operational risks and resilience – banks (the "Operational Risks and Resilience Circular"): this circular introduces a modernised framework including a new concept of "critical data" that must benefit from enhanced protection.
  • New Swiss legislative framework on data and security: since the previous edition (2020), three major acts have reshaped the legal environment governing data protection and outsourcing. The Financial Institutions Act ("FinIA") introduced new professional secrecy provisions (art. 69 FinIA), the revamped Federal Act on Data Protection ("FADP") modernised Switzerland’s data protection regime and the Information Security Act ("ISA") established security and incident-reporting obligations.

2. Cloud services in the financial industry

2.1. What "cloud" means here

The SBA adopts the familiar NIST/ENISA definitions. "Cloud computing" is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. There are three service models: Infrastructure as a Service ("IaaS"), Platform as a Service ("PaaS") and Software as a Service ("SaaS").

2.2. Regulatory framework applicable to Cloud services in the Swiss financial industry

In practical terms, Institutions face three key areas of compliance when adopting cloud solutions:

2.2.1. Regulatory and supervisory requirements

Two FINMA circulars form the supervisory foundation for cloud outsourcing:

  • The FINMA Circular 2018/3 – Outsourcing (the "Outsourcing Circular") applies where an Institution outsources material functions or makes mass client identifying data (CID) available to the service provider. It requires, in particular, due diligence on the provider, a documented risk analysis, contractual safeguards and continuous monitoring.
  • The Operational Risks and Resilience Circular establishes a modern framework introducing the notion of critical data, which is defined as information whose confidentiality, integrity or availability is essential for an Institution’s operations or for regulatory purposes. Institutions must identify, classify and protect such data through appropriate technical and organisational measures.

2.2.2. Data protection obligations

Where personal data are transferred to a cloud provider, Institutions must comply with the FADP and, where applicable, the EU General Data Protection Regulation ("GDPR").

This implies, in particular, that Institutions must:

  • Inform clients and employees about the processing of their personal data;
  • Conclude a data processing agreement ("DPA") defining the processor’s duties;
  • Ensure that data transferred or made accessible outside of Switzerland (especially outside the EU) benefit from an adequate level of protection, typically through standard contractual clauses or equivalent safeguards.

2.2.3. Banking and professional secrecy

Under Article 47 of the Banking Act ("BA") and Article 69 FinIA, Institutions are bound by strict confidentiality obligations.

If cloud services are provided by a Swiss-based provider subject to these provisions, client consent is generally not required. However, when data are stored or accessible abroad, for example in foreign data centres or via foreign affiliates of the provider, Institutions must assess whether a banking-secrecy waiver from the client is necessary and ensure that suitable TOMs preserve confidentiality.

These measures typically include strong anonymisation, encryption, pseudonymisation, access-control mechanisms and contractual clauses limiting access by foreign authorities. Institutions are expected to document and regularly review this assessment to demonstrate ongoing compliance.

3. The Cloud Guidelines

3.1. Purpose of the Guidelines

To ensure that the Swiss financial centre remains competitive and technologically agile, the SBA first published its Cloud Guidelines in 2019. Their aim is to provide Institutions with a practical framework for using cloud services in a manner consistent with Swiss law, FINMA’s expectations and best industry practices.

They focus on four practical areas that typically determine compliance in cloud projects:

  • Governance & risk management: provider selection, subcontractor management and oversight;
  • Data processing: handling of bank client data, data classification and security;
  • Authorities & procedures: cooperation and transparency vis-à-vis administrative and judicial authorities; and
  • Audit: ensuring effective auditability of cloud infrastructures and services. An Appendix complements this part by detailing audit-related expectations and potential implementation models.

3.2. Key updates in the third edition

The third edition reflects the evolution of the regulatory and technological landscape since the second edition in 2020. It incorporates new FINMA requirements, updated statutory obligations and refined terminology:

| Topic | 2nd Edition (June 2020) | 3rd Edition (November 2025) |
|---|---|---|
| FINMA Circular on operational risks | The "FINMA Circ. 2008/21 – Operational risks – banks" used the concept of CID defined in Annex 3. | FINMA Circ. 2008/21 is replaced by "FINMA Circ. 2023/1 – Operational risks and resilience – banks". The CID concept is replaced in the new circular by the "bank client data" and "critical data" categories. |
| Terminology and definitions | References to CID and older data-security terms. | Updated definitions of anonymisation, pseudonymisation and encryption. New terminology reflecting bank client data and critical data. |
| Foreign lawful access | The risk of foreign authority access was addressed under section IV, Authorities and Proceedings. | Introduces the defined term "foreign lawful access" and provides a dedicated section outlining expectations when providers or data centres are located abroad. |
| Risk-based approach | Mentioned briefly but undefined. | Formally defined in the Guidelines. TOMs must address foreseeable and avoidable risks based on due diligence, not every theoretical scenario. |
| Fundamental considerations on the use of cloud services | Not addressed. | New introductory section (p. 7) outlining key principles and preconditions for responsible cloud adoption. |
| Banking secrecy | Relied on the combination of TOMs. | Still centred on TOMs, but now defines the risk-based approach. Integrates art. 69 FinIA. Now addresses the reporting obligations under art. 24 FADP, the ISA's incident-reporting duties (art. 74a et seq. ISA) and FINMA Guidance 05/2020 "Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA" (the "FINMA Guidance on cyber attacks"). |
| Audit Annex | Covered audit requirements under outsourcing and internal control. | Revised to align with the Operational Risks and Resilience Circular. |

See below for a more in-depth explanation of the main changes.

3.2.1. From "Client Identifying Data" to "Bank Client Data"

One of the most significant conceptual changes in the 2025 edition stems from the revision of the Operational Risks and Resilience Circular. Under the former FINMA Circular 2008/21 on Operational Risk, Institutions had to identify and protect CID, information that directly or indirectly identified a client (for example, a client’s name, passport number or a combination of indirect identifiers such as date of birth and profession).

This CID concept has now been replaced by two broader notions:

  • Bank client data, encompassing all information protected by banking secrecy under Article 47 BA; and
  • Critical data, defined as data that, given the Institution’s size, complexity and risk profile, are of such importance that they require heightened protection.

Accordingly, Institutions must now develop data-classification frameworks that distinguish between ordinary, bank-client and critical data.

This shift broadens the protection perimeter. It no longer focuses solely on identification data but on all data whose loss, alteration or disclosure could harm clients or the Institution’s stability.

3.2.2. A clarified risk-based approach

The second major improvement is the formal definition of the risk-based approach, which had previously been mentioned only briefly.

The Guidelines now explain that:

"A risk-based approach means that the appropriate technical and organisational measures that are defined and correctly implemented do not have to address and prevent all theoretically conceivable scenarios. Instead, they must address and prevent the scenarios that, under normal circumstances and based on experience, are foreseeable and avoidable through due diligence."

This clarification is key. It confirms that Institutions are not expected to eliminate every hypothetical risk, but rather to take reasonable, well-documented and proportionate steps based on experience and due diligence.

In practice, this means that a properly documented risk analysis – covering provider selection, data sensitivity, storage locations, and cross-border exposure – is central to demonstrating compliance. If an unforeseeable event occurs despite these precautions, the Institution will not, in principle, be deemed to have acted unlawfully.

3.2.3. Confidentiality and reporting obligations

The revised section on banking secrecy and security measures reflects the new regulatory requirements arising from the FinIA, the FADP, the ISA and the FINMA Guidance on cyber attacks. While the triad of technical, organisational and contractual measures (TOMs) remains the cornerstone of data protection, the new edition strengthens the connection between secrecy obligations and modern cybersecurity and reporting requirements.

In particular:

  • Article 69 FinIA extends the professional-secrecy obligation beyond banks to other regulated financial institutions, ensuring a consistent level of protection across the sector.
  • The FADP, the ISA and the FINMA Guidance on cyber attacks now introduce mandatory incident-reporting duties for both financial institutions and cloud providers in the event of cyberattacks or security breaches (art. 24 FADP; art. 74a et seq. ISA; art. 29 para. 2 FINMASA). These reporting obligations do not cover the same scope, and the nature of the information to be provided varies depending on the applicable legal framework and the competent authority. A 24-hour reporting deadline applies for notifications to both FINMA and the National Cyber Security Centre ("NCSC"), while the Federal Data Protection and Information Commissioner ("FDPIC") must be notified "as quickly as possible".

The Guidelines therefore recommend that contracts with cloud providers include explicit procedures for detecting, reporting and managing such incidents, as well as clear escalation channels and defined responsibilities.

3.2.4. Foreign lawful access

The 2025 edition introduces a completely new section on foreign lawful access, acknowledging the reality that many cloud providers operate across jurisdictions or store data in multiple countries.

The Guidelines recognise that data hosted abroad may, in principle, be subject to access requests from foreign authorities. However, the Guidelines confirm that using foreign cloud infrastructure does not breach Swiss law provided that adequate TOMs are in place to preserve confidentiality and limit unlawful disclosure.

Such measures may include:

  • robust encryption (data unreadable to the provider or third parties);
  • contractual clauses obliging the provider to notify the Institution of any foreign authority requests;
  • restrictions on the provider’s access to unencrypted data; and
  • documented risk assessments of applicable foreign legal regimes.

This new guidance provides welcome clarity for Institutions relying on global cloud providers, confirming that the use of foreign infrastructures is acceptable under Swiss law if governed by strict confidentiality and contractual safeguards. 

4. Practical implications

The 2025 edition of the Cloud Guidelines confirms that outsourcing and cloud services remain highly regulated areas requiring a close alignment between legal, contractual and operational safeguards, as well as robust governance and risk management. For Institutions, the key takeaway is that contracts are the main vehicle through which supervisory and legal requirements are implemented in practice.

In light of the new definitions introduced by the Operational Risks and Resilience Circular, the FinIA, the FADP and the ISA, Institutions should pay particular attention to the following points when negotiating or reviewing outsourcing and cloud agreements:

Focus area

Key contractual points for Institutions

1. Data classification and protection

  • Clearly define which datasets qualify as bank client data or critical data.
  • Ensure adequate protection through encryption, access control and pseudonymisation.
  • Verify that contractual clauses reflect the Institution’s risk-based approach and proportionality principles.

2. Confidentiality and incident reporting

  • Bind the provider by confidentiality obligations equivalent to Swiss law and the professional secrecy rules of Article 47 BA and Article 69 FinIA.
  • Include explicit procedures for detecting, reporting and managing cyber incidents in line with the requirements of the ISA, the FADP, the FINMASA and the FINMA Guidance on cyber attacks.

3. Foreign lawful access

  • Assess the risk of data access by foreign authorities.
  • Insert clauses obliging the provider to notify such requests.
  • Require strong encryption and allocate responsibility for data decryption and access management.

4. Audit and oversight

  • Maintain the Institution’s right to audit and monitor outsourced functions, including those provided abroad (by either the provider or its subcontractors).
  • Where direct audit access is impractical, require pooled or third-party audits ensuring equivalent transparency.

5. Exit strategy and reversibility

  • Plan early how outsourced functions and data will be reintegrated or migrated to another provider.
  • Specify technical formats, timelines and cooperation duties to ensure continuity and compliance.

5. Conclusions

Cloud technologies are one of the cornerstones of digital transformation in the Swiss financial sector. Yet their adoption requires Institutions to navigate a complex regulatory landscape that combines supervisory expectations, data-protection obligations and contractual accountability.

The 2025 edition of the Cloud Guidelines brings greater clarity and alignment with the evolving Swiss legal framework. By explicitly connecting these frameworks, the SBA provides Institutions with a practical roadmap for compliant and resilient cloud adoption.

Ultimately, the success of a cloud strategy depends less on the technology itself than on robust contractual design, sound risk management and governance. Institutions that integrate the SBA’s updated principles into their outsourcing arrangements, from data classification to exit planning, will be best positioned to balance innovation, compliance and operational control, and to ensure that the Swiss financial centre remains competitive in an era shaped by AI-enabled services.
