DNB -- De Nederlandsche Bank Outsourcing Guidelines
Framework Overview
Full name: DNB Good Practices for Managing Outsourcing Risks / DNB Guidance on Cloud Computing
Issued by: De Nederlandsche Bank (DNB -- the Dutch central bank and prudential supervisor)
Legal basis: Financial Supervision Act (Wet op het financieel toezicht -- Wft), Decree on Prudential Rules (Besluit prudentiële regels Wft -- Bpr), EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02)
Type: Supervisory guidance and good practices for regulated financial institutions
DNB supervises Dutch banks, insurers, and pension funds. Its outsourcing guidelines require financial institutions to maintain control over outsourced activities, particularly cloud computing. All financial institutions must inform DNB about cloud computing initiatives, regardless of materiality. DNB maintains a register of all cloud outsourcing contracts.
Who Must Comply
- Dutch banks (supervised under the Wft)
- Insurance companies (supervised under the Wft)
- Pension funds (supervised under the Pensioenwet)
- Payment institutions and electronic money institutions
- Investment firms under DNB supervision
- Indirectly, their service providers for critical or important functions (including cloud providers): DNB does not supervise the providers themselves, so the institution must flow the requirements down by contract
Key Principles
- Mandatory notification: All cloud outsourcing arrangements must be reported to DNB
- Risk analysis required: A comprehensive risk analysis must precede any cloud adoption
- Continued control: The institution must maintain effective control over outsourced activities
- Exit strategy: A viable exit strategy must exist before entering a cloud arrangement
- Data access control: The cloud provider must not have unauthorized access to sensitive data
DNB Requirements and CloudTaser Mapping
Outsourcing Risk Analysis
DNB requires a mandatory risk analysis before engaging cloud services. The risk analysis must assess:
| DNB Requirement | Description | CloudTaser Mapping | Component |
|---|---|---|---|
| Data classification and sensitivity | Identify the sensitivity of data processed in the cloud | cloudtaser discover identifies workloads that reference Kubernetes Secrets (sensitive data stored in etcd, which in a managed cluster is operated by the cloud provider). Each reference is a data sovereignty risk that can be classified and quantified | CLI |
| Risk of unauthorized data access | Assess the risk that the cloud provider or third parties access sensitive data | CloudTaser's protection scores quantify the residual risk per workload. A fully protected workload (score 115/115) is the lowest residual risk of provider access the scoring model expresses | CLI, All |
| Legal and jurisdictional risks | Assess the impact of the provider being subject to non-EU laws | CloudTaser's threat model explicitly addresses the US CLOUD Act and FISA 702. Because the provider holds no readable copy of protected secrets, a compelled-disclosure order served on the provider cannot yield them (the provider can still be compelled to hand over what it does hold, such as ciphertext and metadata) | All |
| Concentration risk | Assess dependency on a single cloud provider | CloudTaser is cloud-agnostic. Secrets live in a portable EU vault, which enables multi-cloud or cloud-switching strategies that reduce concentration risk | Wrapper, Operator |
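The discovery step in the first row maps to a concrete check an assessor can reproduce: find every pod that pulls a Kubernetes Secret into a container, whether through env, envFrom, a secret volume or a projected volume. The Go program below is an added example of that inventory logic, not CloudTaser's own code or report format. It decodes a constructed `kubectl get pods -A -o json` excerpt (SamplePods, invented for this page) using a minimal subset of the core/v1 Pod fields; the type and function names (FindSecretRefs, SecretRef, namedRef) are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the core/v1 Pod API, enough to locate Secret references.
// encoding/json matches field names case-insensitively, so no struct tags are
// needed, and JSON fields not declared here are ignored on decode.
type namedRef struct{ Name string }
type Container struct {
	Name string
	Env  []struct {
		Name      string
		ValueFrom *struct{ SecretKeyRef *namedRef }
	}
	EnvFrom []struct{ SecretRef *namedRef }
}
type Volume struct {
	Name      string
	Secret    *struct{ SecretName string }
	Projected *struct{ Sources []struct{ Secret *namedRef } }
}
type Pod struct {
	Metadata struct{ Name, Namespace string }
	Spec     struct{ Containers, InitContainers []Container; Volumes []Volume }
}
type PodList struct{ Items []Pod }

// SecretRef is one path by which a Secret reaches a running container.
type SecretRef struct {
	Workload string // namespace/pod
	Secret   string
	Via      string // env, envFrom, volume or projected volume
}

// FindSecretRefs decodes a PodList (the shape of `kubectl get pods -A -o json`)
// and returns every Secret reference in traversal order: per pod, containers
// then initContainers (env before envFrom), then volumes.
func FindSecretRefs(podListJSON []byte) ([]SecretRef, error) {
	var pl PodList
	if err := json.Unmarshal(podListJSON, &pl); err != nil {
		return nil, err
	}
	var refs []SecretRef
	for _, p := range pl.Items {
		wl := p.Metadata.Namespace + "/" + p.Metadata.Name
		add := func(secret, via string) { refs = append(refs, SecretRef{wl, secret, via}) }
		for _, cs := range [][]Container{p.Spec.Containers, p.Spec.InitContainers} {
			for _, c := range cs {
				for _, e := range c.Env {
					if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {
						add(e.ValueFrom.SecretKeyRef.Name, "env "+e.Name+" in container "+c.Name)
					}
				}
				for _, ef := range c.EnvFrom {
					if ef.SecretRef != nil {
						add(ef.SecretRef.Name, "envFrom in container "+c.Name)
					}
				}
			}
		}
		for _, v := range p.Spec.Volumes {
			if v.Secret != nil {
				add(v.Secret.SecretName, "volume "+v.Name)
			}
			if v.Projected != nil {
				for _, s := range v.Projected.Sources {
					if s.Secret != nil {
						add(s.Secret.Name, "projected volume "+v.Name)
					}
				}
			}
		}
	}
	return refs, nil
}

// SamplePods is a constructed kubectl excerpt for this example, not real cluster output.
const SamplePods = `{"items":[
{"metadata":{"name":"payments-api-7d9f","namespace":"payments"},"spec":{"containers":[{"name":"api",
 "env":[{"name":"DB_PASSWORD","valueFrom":{"secretKeyRef":{"name":"payments-db","key":"password"}}},{"name":"LOG_LEVEL","value":"info"}],
 "envFrom":[{"secretRef":{"name":"payments-api-env"}}]}],"volumes":[{"name":"tls","secret":{"secretName":"payments-tls"}}]}},
{"metadata":{"name":"batch-reconcile-x1","namespace":"ledger"},"spec":{"containers":[{"name":"job"}],"initContainers":[{"name":"migrate",
 "env":[{"name":"DSN","valueFrom":{"secretKeyRef":{"name":"ledger-db","key":"dsn"}}}]}],
 "volumes":[{"name":"creds","projected":{"sources":[{"secret":{"name":"ledger-sa-token"}},{"configMap":{"name":"ledger-cfg"}}]}}]}},
{"metadata":{"name":"static-web-2","namespace":"web"},"spec":{"containers":[{"name":"nginx"}]}}]}`

func main() {
	refs, err := FindSecretRefs([]byte(SamplePods))
	if err != nil {
		panic(err)
	}
	for _, r := range refs {
		fmt.Printf("%-28s %-18s via %s\n", r.Workload, r.Secret, r.Via)
	}
}
```

Run against a real cluster by piping `kubectl get pods -A -o json` into FindSecretRefs instead of SamplePods. Pods with no references (static-web-2 in the sample) produce no rows, and the projected-volume source of type configMap is correctly skipped; the resulting list is the raw input for the classification column of the risk analysis.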
Data Access Controls
| DNB Requirement | Description | CloudTaser Mapping | Component |
|---|---|---|---|
| Provider must not access sensitive data | The cloud provider must be technically unable to access sensitive financial data | memfd_secret maps secret pages outside the kernel direct map and keeps them out of swap, so they are not reachable through ordinary kernel memory accesses. eBPF enforcement blocks the process-memory access vectors (ptrace, /proc/PID/mem). Together these deny the provider any path to protected secrets through the node's kernel or other processes. Caveat: memfd_secret does not hide guest memory from the hypervisor, so against a provider with host-level access this holds only when nodes run on confidential-computing hardware | Wrapper, eBPF |
| Encryption key control | Encryption keys must remain under the institution's control | The EU-hosted vault (OpenBao/Vault) is operated by the financial institution (or its EU-based delegate). The cloud provider has no key access | Wrapper, S3 Proxy |
| Client-side encryption | Data at rest should be encrypted with keys the provider cannot access | The S3 proxy provides client-side AES-256-GCM encryption and the DB proxy provides transparent database encryption. Encryption keys remain in the EU vault, so the provider stores only ciphertext | S3 Proxy, DB Proxy |
| Access logging | All data access must be logged and auditable | The vault audit log records all secret fetch operations. eBPF generates security events for all access attempts (blocked and allowed). cloudtaser audit produces compliance reports | eBPF, CLI |
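The client-side encryption and key control rows describe an envelope-encryption arrangement: a per-object data key, AES-256-GCM on the data, and a key-encryption key that never leaves the institution's vault. The Go program below is an added example of that pattern, not the S3 proxy's code. The Vault type is a hypothetical stand-in for the real vault (it only wraps and unwraps data keys), StoredObject is what the provider would hold, and every name in it (NewVault, PutObject, GetObject, wrapAAD) is an assumption of the example. It also binds each ciphertext to its object name through GCM's additional authenticated data, so a renamed or tampered object fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault is a hypothetical stand-in for the institution's EU-hosted vault, not a
// vault client: it holds the key-encryption key (KEK) and only wraps or unwraps
// data keys. The KEK never leaves this struct.
type Vault struct{ kek []byte }

func NewVault() (*Vault, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &Vault{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and returns nonce || ciphertext || tag;
// aad is authenticated but not encrypted, so it binds the blob to its context.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// zero overwrites key material that is no longer needed.
func zero(b []byte) { for i := range b { b[i] = 0 } }

const wrapAAD = "example/dek-v1" // hypothetical label tying wrapped keys to this scheme version

func (v *Vault) Wrap(dek []byte) ([]byte, error) { return gcmSeal(v.kek, dek, []byte(wrapAAD)) }
func (v *Vault) Unwrap(w []byte) ([]byte, error) { return gcmOpen(v.kek, w, []byte(wrapAAD)) }

// StoredObject is everything the storage provider receives: object name,
// ciphertext, and a data key encrypted under the vault's KEK. No plaintext
// and no usable key are in it.
type StoredObject struct {
	Name       string
	WrappedDEK []byte
	Body       []byte
}

// PutObject is the client-side encrypt path: a fresh DEK per object, ciphertext
// bound to the object name through AAD, and the DEK wrapped by the vault.
func PutObject(v *Vault, name string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	defer zero(dek) // the plaintext DEK exists only for the duration of this call
	body, err := gcmSeal(dek, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := v.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Name: name, WrappedDEK: wrapped, Body: body}, nil
}

// GetObject is the decrypt path. It needs the vault, so a party holding only the
// StoredObject (the provider, or someone compelling the provider) cannot run it.
func GetObject(v *Vault, obj *StoredObject) ([]byte, error) {
	dek, err := v.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return gcmOpen(dek, obj.Body, []byte(obj.Name))
}

func main() {
	v, err := NewVault()
	if err != nil {
		panic(err)
	}
	obj, err := PutObject(v, "ledger/q4.csv", []byte("iban,amount\nNL00BANK0123456789,100.00\n")) // constructed sample record
	if err != nil {
		panic(err)
	}
	pt, err := GetObject(v, obj)
	fmt.Printf("provider holds %d ciphertext bytes and a %d-byte wrapped key; institution reads %q (err=%v)\n", len(obj.Body), len(obj.WrappedDEK), pt, err)
}
```

The point to check during a review is the third bullet of the table: a party with the StoredObject but a different vault (a second NewVault in the test stands in for the provider or a court order served on it) gets an unwrap failure, not plaintext. Zeroing the DEK after use is the in-process counterpart of the memfd_secret control in the first row; it does not protect memory from a hypervisor either.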
Third-Party Provider Risk Management
| DNB Requirement | Description | CloudTaser Mapping | Component |
|---|---|---|---|
| Provider risk assessment | The institution must assess the cloud provider's security posture | cloudtaser audit produces reports showing the protection level independent of the cloud provider's security posture. Even if the provider's controls fail, CloudTaser's technical enforcement prevents secret access | CLI |
| Contractual safeguards | Contracts must include security requirements and audit rights | CloudTaser supplements contractual safeguards with technical enforcement. Even if contractual provisions are breached (e.g., under legal compulsion), secrets remain protected | All |
| Sub-outsourcing controls | The institution must approve and monitor sub-outsourcing by the provider | CloudTaser removes the need to trust the provider's sub-processors with secret data. The provider and all of its sub-processors fall in the same trust category: untrusted | All |
| Regular provider reviews | The institution must regularly review the cloud provider's performance and security | cloudtaser audit provides ongoing monitoring of protection coverage. Protection scores detect drift. eBPF events detect anomalous access patterns | CLI, eBPF |
Exit Strategy and Portability
| DNB Requirement | Description | CloudTaser Mapping | Component |
|---|---|---|---|
| Viable exit strategy | The institution must have a documented plan to exit the cloud arrangement | CloudTaser makes exit strategies simple: secrets are in a portable EU vault, not locked to any provider. Switching providers requires only redeploying the CloudTaser stack on a new cluster | Wrapper, Operator |
| Data portability | Data must be extractable in a standard format | Secrets and encryption keys are in standard vault (OpenBao/Vault) format. No proprietary formats. Export via standard vault CLI tools | Wrapper |
| Business continuity during transition | Cloud switching must not disrupt operations | CloudTaser works identically across AWS, GCP, and Azure. The same vault configuration and policies apply on any Kubernetes distribution. Parallel deployment enables zero-downtime migration | Operator |
| Reduced vendor lock-in | Minimize dependency on provider-specific services | CloudTaser replaces provider-specific secret management (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) with a cloud-agnostic EU vault. No provider-specific APIs or formats | Wrapper |
Regulatory Access and Audit
| DNB Requirement | Description | CloudTaser Mapping | Component |
|---|---|---|---|
| DNB access to data | DNB must be able to access outsourced data for supervisory purposes | The EU vault is under EU legal entity control. DNB can access data through the institution, not through the cloud provider. CloudTaser does not impede lawful EU regulatory access | -- |
| Audit rights | The institution and DNB must have audit rights over the cloud provider | cloudtaser audit produces reports that can be included in audit evidence. eBPF event logs provide forensic evidence for supervisory review | CLI, eBPF |
| Incident reporting | Security incidents must be reported to DNB | eBPF security events (SECRET_LEAK, PROCMEM_READ, PTRACE_DENIED, etc.) provide the detection data needed for incident reporting | eBPF |
Component Coverage Matrix
| CloudTaser Component | DNB Areas Addressed |
|---|---|
| Operator (webhook injection) | Exit strategy, portability, concentration risk |
| Wrapper (secret delivery) | Data access control, key control, portability, exit strategy |
| eBPF (runtime enforcement) | Data access control, access logging, incident detection, provider review |
| S3 Proxy (client-side encryption) | Data access control, client-side encryption, key control |
| DB Proxy (transparent encryption) | Data access control, client-side encryption, key control |
| CLI (audit, validate, discover) | Risk analysis, provider review, audit evidence, incident reporting |
Alignment with EBA Guidelines
DNB's requirements align with the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which apply across the EU. CloudTaser's mapping to DNB requirements therefore also covers the corresponding EBA requirements:
| EBA Guideline | DNB Equivalent | CloudTaser Coverage |
|---|---|---|
| Title I -- Proportionality | Risk analysis | Protection scores quantify risk per workload, supporting a proportionate assessment |
| Section 12 -- Pre-outsourcing analysis | Outsourcing risk analysis | cloudtaser discover identifies secret-related risks |
| Section 13.2 -- Security of data and systems | Data access controls | memfd_secret + eBPF enforcement |
| Section 14 -- Oversight of outsourced functions | Regular provider reviews | cloudtaser audit + protection scores |
| Section 15 -- Exit strategies | Exit strategy and portability | Cloud-agnostic vault, no vendor lock-in |
Gaps and Limitations
| DNB Area | Gap | Mitigation |
|---|---|---|
| Governance framework | CloudTaser does not replace the institution's governance framework for outsourcing | CloudTaser provides technical controls and evidence. Governance frameworks are the institution's responsibility |
| Personnel requirements | DNB requires qualified staff to manage outsourcing relationships | Outside product scope. CloudTaser reduces the need for provider-specific expertise by standardizing secret management |
| Business continuity planning | DNB requires comprehensive BCP for outsourced services | Vault high availability and multi-cloud portability support BCP, but planning is the institution's responsibility |
| Full regulatory compliance | DNB has broad requirements beyond data protection | CloudTaser addresses the data sovereignty and secret management aspects. Other DNB requirements (capital adequacy, liquidity, governance) are outside scope |
| Non-secret data | CloudTaser protects secrets and encryption keys. Non-secret data in cloud storage is not directly protected unless encrypted via S3 proxy or DB proxy | Deploy S3 proxy and DB proxy for all sensitive data at rest. Use CloudTaser-protected keys for application-level encryption |
Note: DORA supersedes some DNB requirements
Since 17 January 2025, DORA (Regulation (EU) 2022/2554) applies directly to Dutch financial institutions and takes precedence over DNB-specific requirements for ICT risk management and ICT third-party risk where the two overlap. CloudTaser's DORA mapping covers those requirements. DNB's outsourcing guidelines remain relevant for areas DORA does not cover.
Audit Evidence
CloudTaser produces evidence suitable for DNB supervisory reviews:
```bash
# Generate compliance audit report
cloudtaser audit --vault-address https://vault.eu.example.com

# JSON output for regulatory evidence
cloudtaser audit --vault-address https://vault.eu.example.com -o json
```
The audit report provides:
- Protected vs. unprotected workload inventory (risk analysis evidence)
- Protection scores per workload (residual risk quantification)
- eBPF enforcement coverage per node (data access control evidence)
- EU vault connectivity verification (key control evidence)
- Orphaned Kubernetes Secrets (secret data still held in provider-managed etcd)