Oracle Cloud Compliance

Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.

Shared Management Model

Cloud computing is fundamentally different from traditional on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and the customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).

Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.

Attestations

Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing an independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it is important to consider that they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty, and is not incorporated into contracts.

Customers can obtain more information about available attestations by contacting their Oracle sales representative.

Global

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

CSA STAR (Cloud Security Alliance Security Trust Assurance and Risk)

The Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment to be performed by a reputable third-party that affirms implementation of necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and controls from SOC 2 and ISO/IEC 27001. For more information, see https://cloudsecurityalliance.org/star/

yes
yes
GSMA SAS-SM (Data Centre Operations and Management)

The Global System for Mobile Communications Association (GSMA) is a global organization that represents the interests of mobile network operators and related companies in the telecommunications industry. The GSMA’s Security Accreditation Scheme (SAS) is intended to enable mobile operators to assess the security of their Universal Integrated Circuit Card (UICC) and embedded UICC (eUICC) suppliers, and of their eUICC subscription management service providers. For more information, see https://www.gsma.com/security/security-accreditation-scheme/

yes
ISO 9001: Quality Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. The ISO 9001 standard family is based on a number of quality management principles including a strong customer focus. It is intended “to help organizations demonstrate its ability to consistently provide customers good quality products and services.” For more information, see https://www.iso.org/standard/62085.html

yes
yes
ISO/IEC 20000-1: Service Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see https://www.iso.org/standard/70636.html

yes
ISO/IEC 27001: Information Security Management Systems

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 27001 Standard. It is intended to provide guidance for establishment and continuous improvement of an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. For more information, see https://www.iso.org/isoiec-27001-information-security.html

yes
yes
yes
yes
yes
ISO/IEC 27017: Cloud Specific Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27017, a set of guidelines for information security controls applicable to the provision and use of cloud services. It is intended to provide additional implementation guidance for relevant controls specified in ISO/IEC 27002 and guidance that specifically relates to cloud services. For more information, see https://www.iso.org/standard/82878.html

yes
yes
yes
ISO/IEC 27018: Personal Information Protection Controls

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27018, to be used in conjunction with the information security objectives and controls in ISO/IEC 27002. It is intended to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a Personally Identifiable Information (PII) processor. For more information, see https://www.iso.org/standard/76559.html

yes
yes
yes
yes
yes
ISO/IEC 27701: Privacy Information Management

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27701. It is intended to provide guidance for the establishment and continuous improvement of a Privacy Information Management System (PIMS) which is processing Personally Identifiable Information (PII). This standard is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. For more information, see https://www.iso.org/standard/71670.html

yes
PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security practices globally. The PCI DSS standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). For more information, see https://www.pcisecuritystandards.org/

yes
yes
yes
yes
yes
SOC 1 (System and Organization Controls 1)

System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 1 report helps companies to establish trust and confidence in their service delivery processes and controls. These reports focus on Internal Control over Financial Reporting (ICFR). For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1

yes
yes
yes
yes
yes
SOC 2 (System and Organization Controls 2)

The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 2 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy Trust Criteria. The intent of this report is to provide detailed information and assurance about the controls relevant to security, availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2

yes
yes
yes
yes
yes
SOC 3 (System and Organization Controls 3)

System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. These reports are shorter than SOC 2 reports and contain less detail. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-3

yes
yes
yes

Americas

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

DoD DISA SRG: Department of Defense, Defense Information Systems Agency, Systems Requirement Guide

The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the US Department of Defense (DoD) will assess the security posture of non-DoD cloud service providers (CSPs). Additionally, the CC SRG explains how non-DoD CSPs can show they meet the security controls and requirements before handling any DoD data.

CC SRG provides for the following categorization:

  • Impact Level 2: Data cleared for public release (note: Level 1 was combined with Level 2)
  • Impact Level 4: Controlled unclassified information (CUI) over the Non-Secure Internet Protocol Router Network (NIPRNet). CUI includes protected health information (PHI), privacy information (PII) and export-controlled data (note: Level 3 was combined with Level 4)
  • Impact Level 5: Higher sensitivity CUI, mission-critical information, or NSS over NIPRNet
  • Impact Level 6: Classified data over the Secret Internet Protocol Router Network (SIPRNet)

For more information, see https://dl.dod.cyber.mil/wp-content/uploads/cloud/zip/U_Cloud_Computing_SRG_V1R4.zip

yes
yes
FedRAMP (Federal Risk and Authorization Management Program)

The Federal Risk and Authorization Management Program (FedRAMP) is a US government program designed to provide a standard approach to the security assessment, authorization, and continuous monitoring of cloud products and services. US federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.

FedRAMP uses the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of security controls for all US federal information systems. FedRAMP requires cloud service providers (CSPs) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).

For more information, see https://marketplace.fedramp.gov/#!/products?sort=productName&productNameSearch=oracle

yes
yes
FIPS 140 (Federal Information Processing Standards Publication 140)

The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard published by the National Institute of Standards and Technology (NIST) that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. For more information, see https://csrc.nist.gov/publications/detail/fips/140/2/final

Learn more about Oracle's FIPS certifications: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html

Not applicable
Not applicable
Not applicable
Not applicable
HITRUST CSF (Health Information Trust Alliance Common Security Framework)

The Health Information Trust Alliance (HITRUST) is an organization representing the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a framework against which cloud service providers (CSPs) and covered health entities can demonstrate compliance with US Health Insurance Portability and Accountability Act (HIPAA) requirements. For more information, see https://hitrustalliance.net/

yes
yes
HIPAA (Health Insurance Portability and Accountability Act)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law. It requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For more information, see https://www.hhs.gov/hipaa/

yes
yes
yes
yes
yes
State RAMP: TX-RAMP (Texas Risk and Authorization Management Program)

The Texas Risk and Authorization Management Program (TX-RAMP) is “a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation.” For more information, see https://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp

yes
yes
yes

Europe, Middle East, and Africa

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

ACN (Italian Public Administration Directorial Decree Prot. N. 5489)

The Italian National Cybersecurity Agency (Agenzia Per La Cybersicurezza nazionale, or ACN) is an Italian government body that manages the “Catalog of qualified Cloud services for the Public Administration (PA)”. ACN provides “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability”. For more information, see https://www.acn.gov.it/strategia/strategia-cloud-italia/qualificazione-cloud

yes
yes
C5 (Cloud Computing Compliance Controls Catalog)

The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) in 2016. The intent of this standard is to establish a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with the government. For more information, see https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html

yes
yes
CST CCRF (Cloud Computing Regulatory Framework)

The Communications, Space & Technology Commission (CST) of Saudi Arabia has issued the Cloud Computing Regulatory Framework (CCRF). The Regulatory Framework applies to the cloud computing services provided to subscribers residing in or having a subscriber’s address in the Kingdom and establishes a number of security and privacy requirements. For more information, see https://www.cst.gov.sa/en/RulesandSystems/RegulatoryDocuments/Documents/CCRF_En.pdf

Cyber Essentials

Cyber Essentials is a UK government scheme intended to help participating organizations protect themselves against a whole range of the most common cyber-attacks. The scheme intends to establish more rigorous testing of the organization’s cyber security systems, where cyber security experts carry out vulnerability tests to make sure the organization is protected against basic hacking and phishing attacks. For more information, see https://www.ncsc.gov.uk/cyberessentials/overview

yes
yes
yes
DESC CSPSS: Dubai Electronic Security Center (DESC) Cloud Service Provider (CSP) Security Standard

The Cloud Service Provider (CSP) Security Standard produced by Dubai Electronic Security Center (DESC) is a set of requirements and guidance for CSPs and organizations using cloud services.

The CSP Security Standard includes requirements for alignment to international best practices for cloud services, which are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 27002:2013; ISO/IEC 27017:2015; ISR:2017 v.02 and CSA Cloud Control Matrix 3.0.1. For more information, see https://www.desc.gov.ae/regulations/certifications/

yes
yes
ENS: Esquema Nacional de Seguridad (Law 11/2007)

Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with the ISO/IEC 27001 Standard, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. For more information, see https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/pae_Seguridad_Inicio/pae_Esquema_Nacional_de_Seguridad.html?idioma=en#.YH9f2edlCUm

yes
yes
yes
EU Cloud CoC: European Union (EU) Cloud Code of Conduct

The European Union (EU) Cloud Code of Conduct is a set of requirements that can help Cloud Service Providers (CSPs) document their controls in relation to the European Union's General Data Protection Regulation (GDPR). The EU’s intention is "to make it easier for cloud customers to determine whether certain cloud services are appropriate for their designated purpose". For more information, see https://eucoc.cloud/en/about/about-eu-cloud-coc/

yes
yes
HDS (Hébergeur de Données de Santé)

Hébergeur de Données de Santé (HDS) is a formal certification required by French law. It is required for any commercial organization that controls, stores, processes, or transmits personally identifiable healthcare information in France. For more information, see https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante

yes
yes
yes
TISAX (Trusted Information Security Assessment Exchange)

The Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants. It is maintained by the ENX Association, an organization consisting of automobile manufacturers, suppliers and national automotive associations. For more information, see https://enx.com/en-US/TISAX/

yes
yes
UAE IAR Information Security Requirements: United Arab Emirates (UAE) Information Assurance Regulation (IAR) Information Security Requirements

The United Arab Emirates (UAE) Telecommunication Regulatory Authority (TRA) has issued the Information Assurance Regulation (IAR) to provide information security requirements for the critical infrastructure sectors in the UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. For more information, see https://www.tdra.gov.ae/en/about-tra/telecommunication-sector/regulations-and-ruling/details.aspx#documents

yes
yes

Asia Pacific

Attestation

Oracle Cloud Infrastructure

Oracle Applications

NetSuite

Oracle Industries

Oracle Health

Hosting Certification Framework: Australia Hosting Certification Framework (the Framework)

The Australian Government’s Hosting Certification Framework is intended to provide “guidance to Australian Government customers enabling them to identify and source hosting services that meet enhanced privacy, sovereignty and security requirements.” For more information, see https://www.hostingcertification.gov.au/framework

yes
IRAP (Information Security Registered Assessor Program)

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative. IRAP is the assessors' program developed by the Australian Cyber Security Centre (ASD/ACSC) for assessing cloud services for government and non-government agency use. It is intended “to provide the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments”. For more information, see https://www.cyber.gov.au/irap

yes
yes
ISMAP (Information System Security Management and Assessment Program)

The Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. It is intended “to enable a common set of security standards for the Cloud Service Provider (CSP) to comply as baseline requirements for government procurement.” For more information, see https://www.oracle.com/jp/cloud/compliance/ismap/

yes
ISMS (formerly K-ISMS): Information Security Management System

The Korean Information Security Management System (formerly K-ISMS, now ISMS) is a country-specific ISMS framework. It is intended to define a set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets. For more information, see https://elaw.klri.re.kr/eng_service/ebook.do?hseq=38422#68

yes
MeitY IT Security Guidelines: Ministry of Electronics and Information Technology (MeitY) Information Technology (IT) Security Guidelines

India's Ministry of Electronics and Information Technology (MeitY) has defined the Information Technology Security Guidelines as a set of standards and guidelines that cloud services can be certified against in areas including security, interoperability, data portability, service level agreements, and contractual terms and conditions. These guidelines are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 20000-1; ISO/IEC 27017:2015; ISO/IEC 27018:2014; and TIA-942/UPTIME (Tier III or higher). For more information, see https://www.meity.gov.in/writereaddata/files/act2000_0.pdf

yes
MTCS (Singapore Multi-Tier Cloud Security Standard)

The Multi-Tier Cloud Security (MTCS) Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA). It is intended “to promote and facilitate national programs to standardize IT and communications, and Singapore's participation in international standardization activities.” For more information, see https://www.imda.gov.sg/regulations-and-licensing-listing/ict-standards-and-quality-of-service/it-standards-and-frameworks/compliance-and-certification

yes
yes
OSPAR (Outsourced Service Provider’s Audit Report)

The Association of Banks in Singapore (“ABS”) provides Guidelines on Control Objectives and Procedures for the Financial Institution’s Outsourced Service Providers (“OSPs”) operating in Singapore. ABS defines guidance for providers of outsourced services which are material to banks or have access to the financial institution clients’ information. For more information, see https://www.abs.org.sg/industry-guidelines/outsourcing

yes

Advisories and General Information

Oracle provides general information about some of the compliance frameworks listed below in the form of “advisories.” These advisories are provided to help you in your determination of the suitability of using specific Oracle cloud services as well as to assist you in implementing specific technical controls that may help you meet your compliance obligations. These advisories are not legal advice and you remain solely responsible for determining if a specific Oracle cloud service or configuration, or both, meets your legal and regulatory obligations.

Global

GxP Good Practice Guidelines

The Good Practice (GxP) guidelines and regulations comprise a set of global guidelines for traceability, accountability and data integrity. They are intended to ensure that food, medical devices, drugs and other life science products are safe, while maintaining the quality of processes throughout every stage of manufacturing, control, storage, and distribution. Some of the primary regulators include the Food & Drug Administration (FDA) in the US, the Therapeutic Goods Administration (TGA) in Australia, and Health Canada | Santé Canada (HC-SC) in Canada. GxP includes varied regulation sets, but the most common are GCP, GLP, and GMP. For more information, see https://www.fda.gov/drugs/guidance-compliance-regulatory-information.

Americas: Brazil

Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements

The Central Bank of Brazil (BACEN) issued Resolution No. 4,893 of February 26, 2021, which describes several digital service requirements for regulated financial institutions, including cybersecurity policy, contracting data processing, storage, and cloud computing services. This Resolution is intended to guide financial institutions in evaluating cloud service providers and establish controls to manage this relationship. For more information, see https://www.bcb.gov.br/estabilidadefinanceira/exibenormativo?tipo=Resolução CMN&numero=4893

Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18

Brazil’s Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18 was passed in August 2018 with the intent to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. For more information, see https://www.lgpdbrasil.com.br/o-que-muda-com-a-lei/

Canada

Canadian Security Requirements for Protected B information

Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. For more information, see https://www.tpsgc-pwgsc.gc.ca/esc-src/protection-safeguarding/niveaux-levels-eng.html

Office of the Superintendent of Financial Institutions (OSFI) Guideline: Outsourcing of Business Activities, Functions and Processes (No. B-10)

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Canadian government that supervises and regulates federally registered financial institutions in Canada. As part of its role as a regulator, OSFI publishes guidelines for financial institutions. Guideline B-10 on Outsourcing of Business Activities, Functions and Processes (Guideline B-10) was first issued by OSFI in 2001 and revised in 2009. It sets out expectations for federally regulated entities (FREs) that outsource business activities to service providers. These expectations serve as prudent practices, procedures or standards that should be applied according to the characteristics of the outsourcing arrangement and the circumstances of each entity. For more information, see https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b10.aspx

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law relating to data privacy. It is intended “to govern how private sector organizations collect, use and disclose personal information in the course of commercial business.” For more information, see https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/

Mexico

Circular Única de Seguros y Fianzas (CUSF)

The Law on Insurance and Surety Institutions (LISF) and the Circular Única de Seguros y Fianzas (CUSF) provide guidelines to financial institutions on outsourcing of services, audit rights, compliance, security, business continuity and subcontracting. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LISF.pdf
https://www.gob.mx/cnsf/documentos/circular-unica-de-seguros-y-fianzas

Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO)

Mexico’s General Law for the Protection of Personal Data in Possession of Obliged Subjects (LGPDPPSO) applies to data processing by ‘Obliged Subjects’, i.e., governmental entities at the Mexican federal, state and municipal levels, including authorities, agencies or bodies of the Executive, Legislative or Judicial branches, as well as autonomous bodies, political parties, trusts and public funds. The stated purpose of the LGPDPPSO is to establish principles for guaranteeing the right to the protection of personal data, including the right to access, rectification, deletion and opposition to the data processing. For more information, see https://www.diputados.gob.mx/LeyesBiblio/pdf/LGPDPPSO.pdf

Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB)

Disposiciones de Carácter General Aplicables a las Instituciones de Crédito (LIC) & Circular única de bancos (CUB) defines rules on corporate governance and internal controls for banking services and the organisation and operation of banking institutions. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley de Instituciones de Crédito.pdf
https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las instituciones de crédito.pdf

    Ley del Mercado de Valores (LMV)
    The Ley del Mercado de Valores (LMV) sets forth the general operational framework for securities-related commercial acts, and the general rules and regulations issued by the National Banking and Securities Commission, the Central Bank and the Stock Exchange. These include requirements for monitoring of service, subcontracting, confidentiality, audit and access rights, business continuity and data portability. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley del Mercado de Valores.pdf and https://www.cnbv.gob.mx/Normatividad/Disposiciones de carácter general aplicables a las casas de bolsa.pdf

    Ley Para Regular Las Instituciones De Tecnologia Financiera
    In 2018, the National Banking and Securities Commission, the Mexican Central Bank and the Ministry of Finance issued the Ley para Regular las Instituciones de Tecnología Financiera (“Fintech Law”) to regulate financial technology institutions and to provide guidance to crowdfunding institutions, electronic money institutions and innovative model startups for conducting fintech operations in Mexico. For more information, see https://www.cnbv.gob.mx/Normatividad/Ley para Regular las Instituciones de Tecnología Financiera.pdf

    United States

    California Consumer Privacy Act (CCPA)
    The California Consumer Privacy Act (CCPA) is a bill passed by the California State Legislature and signed into law on June 28, 2018, and amended on September 23, 2018. The CCPA provides for the following:

    • The right of Californians to know what personal information is being collected about them.
    • The right of Californians to know whether their personal information is sold or disclosed and to whom.
    • The right of Californians to say no to the sale of personal information.
    • The right of Californians to access their personal information.
    • The right of Californians to equal service and price, even if they exercise their privacy rights.
    For more information, see https://cppa.ca.gov/regulations/pdf/cppa_act.pdf

    Criminal Justice Information Services Security Policy (CJIS)
    The US Federal Bureau of Investigation (FBI) Criminal Justice Information Services Division (CJIS) sets standards for information security, guidelines, and agreements for protecting Criminal Justice Information (CJI). The CJIS Security Policy describes the controls to protect sources, transmission, storage and access to data. For more information, see https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

    Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012
    The Defense Federal Acquisition Regulation Supplement (DFARS) encompasses the Department of Defense (DoD) requirements for contractors and suppliers to follow when providing cloud computing services in the performance of a covered contract. For more information, see https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses#DFARS_252.204-7010

    Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool
    The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC has developed a Cybersecurity Assessment Tool (Assessment) to help financial institutions identify their risks and determine their cybersecurity maturity. The Assessment provides guidance for financial institutions on developing an Inherent Risk Profile and identifying their level of Cybersecurity Maturity. For more information, see https://www.ffiec.gov/cyberassessmenttool.htm.

    Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503
    The U.S. Director of National Intelligence published Intelligence Community Directive (ICD) 503 Intelligence Community (IC) Information Technology Systems Security Risk Management, Certification, and Accreditation in September 2008. ICD 503 sets IC policy for processes related to security risk management, certification, and accreditation. For more information, see https://www.dni.gov/files/documents/ICD/ICD-503.pdf.

    Internal Revenue Service (IRS) Publication 1075
    The US Internal Revenue Service Publication 1075 (IRS 1075) applies to organizations that process or maintain US Federal Tax Information. The intent is “to address any public request for sensitive information and prevent disclosure of data that would put Federal Tax Information (FTI) at risk.” For more information, see https://www.irs.gov/pub/irs-pdf/p1075.pdf

    International Traffic in Arms Regulations (ITAR)
    The International Traffic in Arms Regulations (ITAR) are a set of US export control regulations. They are intended to restrict and control the export of defense and military related technologies to safeguard US national security and further US foreign policy objectives. For more information, see https://www.federalregister.gov/documents/2020/01/23/2020-00574/international-traffic-in-arms-regulations-us-munitions-list-categories-i-ii-and-iii

    Minimum Acceptable Risk Standards for Exchanges (MARS-E)
    The U.S. Department of Health and Human Services established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) under the Affordable Care Act (ACA) of 2010. It is intended to ensure secure handling of Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI) of US Citizens. For more information, see https://www.hhs.gov/guidance/document/minimum-acceptable-risk-standards-exchanges-mars-e-20

    NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI. For more information, see https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

    North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
    The North American Electric Reliability Corporation (NERC) is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the US Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC Critical Infrastructure Protection (CIP) cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada. For more information, see https://www.nerc.com/comm/RSTC/Pages/default.aspx

    Securities and Exchange Commission (SEC Rule 17a-4(f)), Financial Industry Regulatory Authority (FINRA Rule 4511(c)), and Commodity Futures Trading Commission (CFTC Rule 1.31(c)-(d)) Electronic Records Retention Requirements
    Financial institutions trading in regulated securities in the US may be subject to special regulatory requirements for electronic records retention by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC). These requirements may include SEC Rule 17a-4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d). For more information, see the following resources:

    • SEC Rule 17a-4(f) - https://www.sec.gov/rules/interp/34-47806.htm
    • FINRA Rule 4511(c) - https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511
    • CFTC Rule 1.31(c)-(d) - https://www.cftc.gov/sites/default/files/opa/press99/opa4266-99-attch.htm

    Europe, Middle East, and Africa

    European Union

    Digital Operational Resilience Act (DORA)
    The Digital Operational Resilience Act (DORA) was adopted as European Union (EU) Regulation 2022/2554 to establish rules governing the use of information and communication technology (ICT) by financial entities operating in the EU. DORA aims to address the risks resulting from “increased digitalisation and interconnectedness” related to the use of ICT in the financial sector. It also creates an oversight framework for ICT service providers to the financial sector that are deemed critical. DORA provisions apply from 17 January 2025, to accommodate a 24-month implementation period. For more information, see: https://eur-lex.europa.eu/eli/reg/2022/2554/oj.

    Network and Information Security Directive II (NIS2)
    In 2022, the EU enhanced its cybersecurity framework with the Network and Information Security Directive II (NIS2). It builds on the original NIS directive (NIS1) in an attempt to address existing gaps and strengthen cybersecurity across the region. NIS2 defines measures for cybersecurity risk management and reporting, across sectors that include critical infrastructure and cloud providers. For more information, see https://eur-lex.europa.eu/eli/dir/2022/2555.

    European Banking Authority (EBA) Guidelines on Outsourcing Arrangements
    The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements to provide financial institutions guidance for outsourcing arrangements such as cloud services. For more information, see https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-outsourcing-arrangements

    European Union Agency for Cybersecurity (ENISA) Cloud Computing Information Assurance Framework
    The European Union Agency for Cybersecurity (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur. ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

    • Assess the risk of adopting cloud services
    • Compare different cloud providers’ offerings
    • Obtain assurances from the selected cloud providers
    • Reduce the assurance burden on cloud providers
    For more information, see https://www.enisa.europa.eu/publications/cloud-computing-information-assurance-framework

    General Data Protection Regulation (GDPR)
    The General Data Protection Regulation 2016/679 (GDPR) is a regulation in European Union (EU) law on data protection and privacy. It applies to all entities processing data about EU residents, regardless of company location and/or locale of data storage. For more information, see https://ec.europa.eu/info/law/law-topic/data-protection_en

    Germany

    BaFin Guidance on Outsourcing to Cloud Service Providers
    The Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) is responsible for the supervision of banks, credit institutions, insurers, funds and financial institutions in Germany. BaFin and the Deutsche Bundesbank issued guidance on outsourcing with the intended goal “to create greater transparency into the supervisory assessment of the financial sector with outsources to cloud providers”. For more information, see https://www.bafin.de/SharedDocs/Downloads/EN/Merkblatt/BA/dl_181108_orientierungshilfe_zu_auslagerungen_an_cloud_anbieter_ba_en.html?nn=9866146

    IT Grundschutz
    The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) created a framework for information security (IT-Grundschutz). IT-Grundschutz comprises:

    • BSI Standard 200-1: provides the general requirements for an ISMS
    • BSI Standard 200-2: explains how an ISMS can be built based on one of three different approaches
    • BSI Standard 200-3: contains all risk-related tasks
    • BSI Standard 100-4: covers Business Continuity Management (BCM)
    For more information, see https://www.bsi.bund.de

    Kritische Infrastrukturen - Abschnitt 8a
    The German Federal Office for Information Security (BSI) issued Section 8a of the BSIG (Act on the Federal Office for Information Security), which pertains to KRITIS, short for “Kritische Infrastrukturen” or critical infrastructures. It provides guidelines for identifying critical infrastructures, conducting risk assessments, implementing security measures, reporting incidents, undergoing audits and continuously improving security to safeguard essential services in Germany. For more information, see https://www.gesetze-im-internet.de/bsig_2009/BJNR282110009.html

    Kenya

    Guidelines on Cybersecurity for Payment Service Providers
    The Central Bank of Kenya has issued cybersecurity guidelines for Payment Service Providers (PSPs) related to risk assessment, data protection, incident response, and third-party security. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2019/07/GuidelinesonCybersecurityforPSPs.pdf

    Prudential Guidelines for Institutions Licensed under the Banking Act
    Under Section 33(4) of the Banking Act, the Central Bank of Kenya has issued guidelines for institutions. Some of these guidelines are intended to establish minimum standards of data and network security and business continuity. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

    Prudential Guideline on Outsourcing (CBK/PG/16)
    As part of its supervisory function, the Central Bank of Kenya issued Prudential Guidelines for Institutions Licensed Under the Banking Act, which include guidance on Outsourcing (CBK/PG/16). The Guideline applies to all licensed banks which outsource activities. It encompasses outsourcing policies, governance, risk management, business continuity, data security, and contracts with service providers. For more information, see https://www.centralbank.go.ke/wp-content/uploads/2016/08/PRUDENTIAL-GUIDELINES.pdf

    Kuwait

    Cloud Computing Regulatory Framework (CITRA CCRF)
    Kuwait’s Communication and Information Technology Regulatory Authority established a framework to govern the use of cloud computing services within Kuwait. It provides guidelines for data protection, privacy, and security, facilitating the adoption of cloud services. For more information, see https://www.citra.gov.kw/sites/en/LegalReferences/Cloud_computing_regulatory_framework.pdf

    Netherlands

    Government Information Security Baseline (BIO)
    Baseline informatiebeveiliging overheid (BIO) is an information security standard for the Dutch public sector, including government agencies, municipalities, provinces and water boards. It is based on internationally accepted standards and best practices in information security, such as ISO 27001 and ISO 27002. Since BIO was issued by the Ministerial Board, BIO is the sole baseline for the entire government. For more information, see https://bio-overheid.nl/media/1572/bio-versie-104zv_def.pdf

    NEN 7510 Information Security Management in Healthcare
    The NEN 7510 standard was developed by the Royal Netherlands Standardization Institute (Stichting Koninklijk Nederlands Normalisatie Instituut, or NEN). NEN 7510 provides guidelines and basic principles for determining, establishing and maintaining the measures that healthcare organisations use to secure health information. For more information, see https://www.nen.nl/en/nen-7510-1-2017-a1-2020-nl-267179

    Wet op het financieel toezicht or Wft
    The Financial Supervision Act (Wet op het financieel toezicht, or Wft) in the Netherlands serves as a comprehensive regulatory framework to uphold the stability and integrity of the financial system. The Wft comprises a large number of rules and regulations for financial markets and their supervision, including Good Practices Outsourcing Insurers and Good Practices for Managing Outsourcing Risks. For more information, see https://wetten.overheid.nl/BWBR0020368/2023-07-01

    Good Practices Outsourcing Insurers - https://www.dnb.nl/media/rikf4hxv/good-practice-outsourcing-insurers.pdf

    Good Practices for Managing Outsourcing Risks - https://www.dnb.nl/en/sector-information/open-book-supervision/open-book-supervision-themes/prudential-supervision/governance/good-practices-for-managing-outsourcing-risks/

    Norway

    Forskrift om bruk av informasjons- og kommunikasjonsteknologi
    The Norwegian regulations on the use of Information and Communication Technology (ICT) provide guidelines to ensure responsible and secure utilization of digital tools and platforms. These regulations prioritize data protection, privacy, cybersecurity, and accessibility across both public and private sectors. For more information, see https://lovdata.no/dokument/SF/forskrift/2003-05-21-630

    Veiledning om utkontraktering
    Circular 7/2021, issued by the Norwegian Financial Supervisory Authority (Finanstilsynet), provides guidelines on outsourcing activities and promotes responsible business practices. For more information, see https://www.finanstilsynet.no/contentassets/9f76ac1a390a44218b285b61bb13e19a/veiledning-om-utkontraktering.pdf

    Saudi Arabia

    National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
    The National Cybersecurity Authority (NCA) developed the Essential Cyber Security Controls (ECC) to define the minimum set of cyber security requirements for national organizations in Saudi Arabia. The intent is to establish controls that set the minimum requirements for information and technology assets in the organizations. For more information, see https://nca.gov.sa/ecc-en.pdf.

    Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF)
    The Cyber Security Framework was developed by the Saudi Arabian Monetary Authority (SAMA) to enable financial institutions to identify and address risks related to cyber security. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf

    Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing
    Saudi Arabian Monetary Authority (SAMA) is the central bank of the Kingdom of Saudi Arabia and the supervisory authority for banks, payment providers, insurance companies, finance companies and credit bureaus operating within the Kingdom. The SAMA Rules on Outsourcing apply to banks licensed under the Banking Control Law (Royal Decree No. M/5 dated 22/2/1386 H), and require these banks to appropriately manage risks arising from outsourcing, including ensuring their outsourcing arrangements are subject to appropriate due diligence, approval and ongoing monitoring. For more information, see https://www.sama.gov.sa/en-US/RulesInstructions/FinanceRules/Outsourcing%20Rules%20-%20Revised%20v2%20Final%20Draft-Dec-2019.pdf

    South Africa

    Directive 159.A.i
    The Financial Services Board of South Africa, part of the Financial Sector Conduct Authority, implemented Directive 159.A.i, which specifies the rules applicable to outsourcing by insurers in South Africa. For more information, see https://www.fsca.co.za/Enforcement-Matters/Directives/Forms/DispForm.aspx?ID=436.

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 5 (G5/2014)
    The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 5 of 2014 (G5/2014). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2014/6320.

    Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G4/2017)
    The Office of the Registrar of Banks in South Africa issued guidance to banks in relation to the outsourcing functions within a bank and cyber resilience in Guidance Note 4 of 2017 (G4/2017). For more information, see https://www.resbank.co.za/content/dam/sarb/publications/prudential-authority/pa-deposit-takers/banks-guidance-notes/2017/7803/G4-of-2017.pdf.

    Protection of Personal Information Act (POPIA)
    The Protection of Personal Information Act (POPIA) is a South African law intended to "promote the protection of personal information processed by public and private bodies." POPIA sets general conditions for public and private entities to lawfully process South African data subjects’ personal information. For more information, see https://www.justice.gov.za/legislation/acts/2013-004.pdf

    Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018)
    The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued a directive pertaining to cloud computing and offshoring of data in the financial services sector referred to as Directive 3 of 2018 (D3/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-directives/2018/8749.

    Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018)
    The Prudential Authority regulates commercial banks, mutual banks, co-operative banks, insurers, co-operative financial institutions, financial companies, and market infrastructures under the supervision of the South African Reserve Bank. The Prudential Authority issued guidance pertaining to cloud computing and offshoring of data in the financial services sector referred to as Guidance Note 5 of 2018 (G5/2018). For more information, see https://www.resbank.co.za/en/home/publications/publication-detail-pages/prudential-authority/pa-deposit-takers/banks-guidance-notes/2018/8747.

    Spain

    Pinakes
    Created by the Centre for Interbank Cooperation (CCI), a non-profit professional association, Pinakes is a platform that provides qualification, management and monitoring of services to financial service providers. It is intended to allow organisations to verify the levels of cybersecurity of the services they use, enable vendors to demonstrate their security benefits to customers, and help organisations comply with EBA’s supplier security assessment guidelines. For more information, see https://asociacioncci.es/pinakes/

    Switzerland

    Financial Market Supervisory Authority (FINMA) Circular 2018/3
    The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA’s Circular 2018/3 Outsourcing—banks and insurers sets a number of requirements for financial services organizations when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers. For more information, see https://www.finma.ch/en/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2018-03-01012021_de.pdf?la=en.

    United Arab Emirates

    United Arab Emirates (UAE) Federal Law No. 2 of 2019
    The United Arab Emirates issued Federal Law No. 2 of 2019 on 6 February 2019 Concerning the Use of the Information and Communication Technology ("ICT") in Health Fields (“Health Data Law”). The Health Data Law applies to all ICT methods and usages in the health fields in the UAE, including free zones. The Law aims at the following: (1) ensuring the optimal use of the ICT in health fields; (2) ensuring compatibility of the principles, standards, and practices applicable in the State with their internationally recognized counterparts; (3) enabling the Ministry of Health and Prevention to collect, analyze and keep the health information at the UAE level; and (4) ensuring the safety and security of health data and information. For more information, see https://mohap.gov.ae/app_content/legislations/php-law-en-77/mobile/index.html.

    United Kingdom

    Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation)
    The Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 (Solvency II Delegated Regulation) forms part of the framework for a solvency and supervisory regime for insurers and reinsurers. It sets out organizational requirements and procedures for various matters including outsourcing arrangements. The UK version of the Solvency II Delegated Regulation became part of UK law by virtue of the European Union (Withdrawal) Act 2018 and related legislation. For more information, see https://www.legislation.gov.uk/uksi/2019/407/contents/made

    ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014
    The European Securities and Markets Authority (ESMA) and the European Union have issued the Markets in Financial Instruments Directive II (MiFID II) and the associated Markets in Financial Instruments Regulation (MiFIR), Regulation (EU) No 600/2014, to promote fairer, safer and more efficient markets and facilitate greater transparency for all participants. For more information, see https://www.esma.europa.eu/publications-and-data/interactive-single-rulebook/mifid-ii

    Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance
    The Financial Conduct Authority (FCA) is responsible for the authorization and conduct supervision of financial institutions in the UK. The FCA Handbook sets out the FCA’s legislative and other provisions made under powers given to it by the Financial Services and Markets Act 2000. The Senior Management Arrangements, Systems and Controls (SYSC) and Supervision (SUP) parts of the FCA Handbook contain rules and guidance relevant to outsourcing arrangements. For more information, see https://www.handbook.fca.org.uk/.

    National Cyber Security Centre IT Health Check (ITHC)
    The IT Health Check (ITHC) is an IT security assessment required, as part of an accreditation process, for many government computer systems in the UK. For more information, see https://www.gov.uk/government/publications/it-health-check-ithc-supporting-guidance.

    Prudential Regulation Authority’s Supervisory Statement 2/21 (PRA SS2/21) on Outsourcing and Third-Party Risk Management
    The Prudential Regulation Authority (PRA) is responsible for prudential supervision of banks, insurance companies, building societies, credit unions and major investment firms in the UK. The PRA’s remit includes supervising firms’ outsourcing and other third-party arrangements. The PRA’s Supervisory Statement 2/21 on outsourcing arrangements and third-party risk management published on 29 March 2021 (SS2/21) sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management. For more information, see https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss.

    UK Government G-Cloud Framework
    The UK Government G-Cloud is a procurement initiative for streamlining cloud-computing procurement by public-sector bodies in departments of the UK government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts via an online Digital Marketplace. For more information, see https://www.gov.uk/digital-marketplace.

    UK National Cyber Security Centre (NCSC) Cloud Security Principles
    The UK National Cyber Security Centre (NCSC) is chartered to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC’s 14 Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service. For more information, see https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles.

    UK NHS Data Security and Protection Toolkit (DSPT)
    The Data Security and Protection Toolkit (DSPT) is a self-assessment tool that measures performance against the United Kingdom’s National Health Service (NHS) 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. For more information, see https://www.dsptoolkit.nhs.uk/.

    Asia Pacific

    Australia

    Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231
    The Australian Prudential Regulation Authority (APRA) is the regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. APRA’s Prudential Standard CPS 231 Outsourcing (CPS 231), Prudential Standard SPS 231 Outsourcing (SPS 231), and Prudential Standard HPS 231 Outsourcing (HPS 231) set forth requirements to ensure that risks associated with outsourcing arrangements are identified, assessed, managed and reported. APRA has also published an Information Paper on Outsourcing Involving Cloud Computing Services. For more information, see https://www.apra.gov.au/sites/default/files/information_paper_-_outsourcing_involving_cloud_computing_services.pdf.

    Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234
    The Australian Prudential Regulation Authority (APRA) regulates financial services in Australia. APRA issued standards that regulate banks, credit unions, and insurance companies. APRA’s Prudential Standard CPS 234 defines requirements for entities to implement information security measures to protect their information assets, including the handling of data breaches and cybersecurity incidents. For more information, see https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf

    Hong Kong

    Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1
    The Hong Kong Monetary Authority (HKMA) sets out minimum standards that authorized institutions (AIs) are expected to attain in order to satisfy the requirements and best practices of the Banking Ordinance, which regulates banking business. The Supervisory Policy Manual module TM-G-1 General Principles for Technology Risk Management is guidance which the HKMA expects regulated entities to consider when managing technology-related risks. For more information, see https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/TM-G-1.pdf.

    Hong Kong Monetary Authority (HKMA) Outsourcing SA-2
    The Hong Kong Monetary Authority (HKMA) sets out minimum standards that authorized institutions (AIs) must attain to satisfy the requirements and best practices of the Banking Ordinance, which regulates banking business. The Supervisory Policy Manual module SA-2 Outsourcing describes the approach to risk management when outsourcing and the major points which the HKMA recommends that regulated entities address when outsourcing activities. For more information, see https://www.hkma.gov.hk/media/eng/doc/key-functions/banking-stability/supervisory-policy-manual/SA-2.pdf.

    India

    ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act
    The Companies Act 2013 regulates the formation and functioning of corporations or companies in India. Administered by the Ministry of Corporate Affairs (MCA), the law governs incorporation, dissolution and the running of companies and defines requirements for corporate governance. Subsequently, the Auditing and Assurance Standards Board of The Institute of Chartered Accountants of India (ICAI) issued the “Implementation Guide on Reporting under Rule 11(g) of the Companies (Audit and Auditors) Rules, 2014” in March 2023. Rule 11(g) focuses on reporting on the use of accounting software for maintaining a company’s books of accounts, including audit trails. For more information about the Companies Act, see https://www.mca.gov.in/Ministry/pdf/CompaniesAct2013.pdf. For more information about ICAI’s Rule 11(g) guidance, see https://resource.cdn.icai.org/73438aasb59254.pdf.

    Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers
    The Insurance Regulatory and Development Authority of India (IRDAI) issued IRDAI Regulations, Outsourcing of Activities by Indian Insurers. These regulations cover outsourcing and provide risk management guidelines and requirements for the insurance industry across India. For more information, see https://irdai.gov.in/document-detail?documentId=822221.

    Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018)
    The Reserve Bank of India (RBI) issued a set of guidelines for Primary (Urban) Cooperative Banks (UCBs) to enhance security and resilience, protecting their assets against cyber security attacks on a continuous basis. The guidelines highlight the need to implement a robust cyber security/resilience framework and recommend specific security controls to support adequate cyber security preparedness. For more information, see https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11397&Mode=0.

    Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016)
    The Reserve Bank of India has provided guidelines on a Cyber Security Framework vide circular DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016. These guidelines are intended as a robust cyber security/resilience framework to ensure adequate cyber security preparedness among banks on a continuous basis. The RBI guidelines on the Cyber Security Framework enable banks to formalize and adopt a cyber security policy and a cyber crisis management plan. For more information, see https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=10435&Mode=0.

    Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds
    The Reserve Bank of India (RBI) has issued Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds for financial institutions. These guidelines include requirements for governance of information security and information technology (IT) within banks. For more information, see https://rbidocs.rbi.org.in/rdocs/content/PDFs/GBS300411F.pdf.

    Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006)
    The Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks are intended to set out the RBI’s expectations for how banks manage the risks of outsourcing to third parties. The RBI guidelines provide specific guidance on risk management practices for outsourced financial services and for offshore outsourcing of financial services. For more information, see https://rbidocs.rbi.org.in/rdocs/notification/PDFs/73713.PDF.

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)
    The guidelines are intended to ensure that depositories do not outsource their core and critical activities, that implementation of risk assessment and mitigation measures is properly audited, and that depositories monitor and maintain checks and overall controls over the outsourced entity on a real-time basis. For more information, see https://www.sebi.gov.in/legal/circulars/dec-2015/outsourcing-by-depositories_31219.html.

    Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017)
    The Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations provides specific guidance on: due diligence, sub-contracting, contracts with service providers, monitoring of the service provider’s performance, business continuity, confidentiality, termination, access to information and other records, and audit. For more information, see https://www.sebi.gov.in/legal/circulars/sep-2017/outsourcing-of-activities-by-stock-exchanges-and-clearing-corporations_35932.html.

    Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011)
    The Guidelines on Outsourcing of Activities by Intermediaries provide specific guidance on: audit rights, confidentiality and data security, monitoring of outsourced services, subcontracting, and business continuity. For more information, see https://www.sebi.gov.in/legal/circulars/dec-2011/guidelines-on-outsourcing-of-activities-by-intermediaries_21752.html.

    Japan

    Financial Industry Information Systems (FISC) Security Guidelines
    The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards for the architecture and operation of information systems for banking and other related financial institutions. For more information, see https://www.fisc.or.jp.

    National Center of Incident Readiness and Strategy for Cybersecurity (NISC)
    The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) was established in 2015. The governing body is responsible for monitoring government-related organizations that handle large volumes of personal information, in and out of the cloud sector. It is intended to design a wide range of security guidelines for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. For more information, see https://www.nisc.go.jp/eng/.

    Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act
    The My Number Act, issued by the Personal Information Protection Commission (PPC), was enacted by the government of Japan in 2016. The intent is to ensure that organizations properly handle and adequately protect personal data, including My Number data, as required by law. For more information, see https://www.ppc.go.jp/files/pdf/en3.pdf.

    Three Ministries Guidelines: Healthcare Sector
    Three Japanese Ministries provide guidance for the healthcare sector. Each Ministry has its own set of guidelines and requirements for cloud providers. The intent is to ensure that the cloud service provider conforms to the security guidelines identified by the three ministries. For more information, see The Safety Management Guideline for Information Systems and Service Providers Handling Medical Information at https://www.meti.go.jp/policy/mono_info_service/healthcare/01gl_20230707.pdf.

    Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank
    The Financial Services Agency (FSA) in Japan provides comprehensive guidelines on risk management, corporate governance, compliance, internal controls, financial and supervisory reporting for the supervision of major banks. For more information, see https://www.fsa.go.jp/common/law/guide/kantokushishin.pdf

    Malaysia

    Risk Management in Technology (RMiT)
    Bank Negara Malaysia regulates risk management practices in technology for the financial services sector in Malaysia. The RMiT guidelines are intended to provide banks with a framework to effectively manage technology-related risks in areas such as cybersecurity, operational risk, data governance, cloud risk management and emerging technologies. For more information, see https://www.bnm.gov.my/documents/20124/938039/PD-RMiT-June2023.pdf.

    Singapore

    Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide
    The Association of Banks in Singapore (ABS) is an industry association representing commercial and investment banking institutions in Singapore. The ABS Cloud Computing Implementation Guide 2.0 (ABS Guide) provides best-practice recommendations and considerations for the adoption of cloud technologies, including guidelines for due diligence, vendor management, and key controls. For more information, see https://abs.org.sg/industry-guidelines/outsourcing

    Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines
    The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-january-2021.pdf.

    Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655
    The Monetary Authority of Singapore (MAS), created with the passing of the MAS Act in 1970, is Singapore’s central bank and integrated financial regulator. MAS has provided a list of guidelines applicable to financial institutions operating in Singapore with regards to risk management, cyber security, and IT outsourcing. For more information, see https://www.mas.gov.sg/-/media/mas/notices/pdf/mas-notice-655.pdf.

    South Korea

    Financial Security Initiative (FSI) Cloud Guidelines
    The Financial Security Initiative (FSI) issued its Guidelines on the Use of Cloud Computing Services in the Financial Industry in 2019. The guidelines provide procedures and security measures that financial companies in Korea are required to implement when using cloud services. For more information, see https://www.fsec.or.kr/en.

    Thailand

    Bank of Thailand Regulation on IT Outsourcing for Business Operations of Financial Institutions (No. FPG. 19/2559)
    The Bank of Thailand introduced regulations for outsourcing in financial institutions that include requirements for obtaining prior approval, conducting risk assessments, conducting due diligence on suppliers, outsourcing contracts, monitoring supplier performance, establishing business continuity plans and ensuring compliance with data protection laws. For more information, see https://www.bot.or.th/Thai/FIPCS/Documents/FPG/2560/ThaiPDF/25600035.pdf.

    Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party (No. Tor Thor. 60/2561)
    The Capital Market Supervisory Board issued regulations regarding the outsourcing of securities and derivatives transactions to third parties that specify the requirements, conditions and procedures for outsourcing and contain provisions for the selection and monitoring of service providers. For more information, see https://publish.sec.or.th/nrs/7820s.pdf.