August 31, 2020

New EBA Outsourcing Guidelines: What SaaS is Considered Critical or Important?

Security & Compliance

We dig into the jargon behind the regulation to help you understand what needs to be done with your SaaS

“Critical or important” might seem like day-to-day words, but when it comes to cloud software, they have just acquired a very important meaning. In this post, we will explain how it affects you and what you can do to take action.

New upcoming regulations: EBA Outsourcing Guidelines

If you are a financial institution (yes, fintech startups too) you are almost certainly in the list of affected companies.

By December 2021, almost every financial institution in the UK and Europe will need to comply with the new Outsourcing Guidelines passed by the European Banking Authority (EBA). This means that most regulated fintech companies will have to introduce risk management and compliance processes for the SaaS they use and many other things they outsource by next year.

For more information about the guidelines, click here.

Classification of your software stack

Although the guidelines apply to all of your cloud software and you will need to run a compliance process for all of your SaaS, certain types of SaaS will require deeper diligence. And, you’ve guessed it, that is SaaS classified as “critical or important” for your business.

How do I know what software is critical or important to my business?

First of all, it is important to understand that what is considered as "critical or important" will vary across companies. In other words, what is “critical or important” for one firm may not be for another.

Regarding the article 13(1) of the MiFID implementing Directive, “an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.”

That is the official definition.

In plainer words, if the failure of the technology in question results in a disruption to your business, and in failure to provide your services or the inability to support your customers, it may be considered as “critical or important”

If you are still in doubt, maybe an example will clear things up. So if you are a neobank, these are some of the tools that you might want to consider as “critical or important”:

  • Your CRM (i.e. Pipedrive)
  • Your customer support software (i.e. Zendesk)
  • Your single session and user authentication service or SSO (i.e. Okta)
  • Your PEPs and sanctions screening tool (i.e. ComplyAdvantage)

On the other side, it is likely that your analytics (i.e. Google Analytics) or your internal communications (Slack) software would not be regarded as critical or important.

This looks exhausting… Is there any way of skipping this process?

Even though we normally get no for an answer, we all like to ask ourselves the same question.

But this time… we’ve got good news!

Cledara has just introduced a new SaaS compliance tool. What this means is that we will take care of this process, and make it simple and easy for you. Check it out at our webpage, or book a demo of our product! We will be very happy to show you around and adapt to the needs of your business.

Suggestions and subscribe!

This post was inspired by questions provided by people like you. We love receiving new and interesting questions that help us think about data in new ways.  If you found this post interesting and have other questions that you’d like us to help answer, drop us a line at

Scroll down to subscribe to our blog!



Subscribe to our newsletter

Receive the latest insights in your inbox

Share this post

Subscribe to our newsletter and stay informed on the latest SaaS insights

Explore more

Explore more

9 Shadow IT Risks (And How to Avoid Them)

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.
Read more

IT Governance Framework: A Guide for Enterprise Companies

IT governance is a formal way to integrate an IT strategy into an organization's business strategy. In this post, we’ll cover everything you need to know about it.
Read more

How To Protect Your Business From Toll Fraud

Business fraud can take many forms. Learn what toll fraud is and how you can protect your business with Cledara.
Read more

Process Documentation for Startups: How To Get Started + Best Tools

Documenting processes can help you optimize your workflow and reduce the growing pains of scaling your startup. Here's how to get started.
Read more

Password Management Tips for SOC 2 Compliance

The right tools will help your company pass through a SOC 2 audit with ease.
Read more

EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.
Read more

Why SaaS Management Will Help You Achieve the ISO 27001 Certification

How a proactive approach to understanding and controlling your software subscriptions can ease your road to ISO 27001 compliance
Read more

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.
Read more

2020 GDPR Fines on the Rise

How one chat bot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate.
Read more

SaaSOps: Your IT Team's Latest Security Challenge

COVID has accelerated migration to the cloud. And has also exposed the security of your IT structure like never before. We give you seven tips for IT professionals to tackle these new challenges.
Read more

The Way Fintech Startups Buy SaaS is About to Change Forever

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.
Read more

GDPR Fines and Lessons for Startups

GDPR fines are getting larger and more frequent. An average fine is now more than $500,000, making a GDPR fine equivalent to a whole seed round!
Read more