Author: Daniel Gottschalk
Head of Sales & Customer Success Manager at XALT
Imagine your IT department has the perfect case for Atlassian Cloud: lower operating costs, automatic updates, and no need for your own infrastructure. Then the compliance department steps in, and the project grinds to a halt. BaFin requirements, EBA guidelines, DORA: For banks, insurance companies, and fintechs, Atlassian Cloud has long seemed like a regulatory obstacle course.
What used to be justified, however, looks different today.
Atlassian has specifically addressed the concerns of regulated institutions with the EU Financial Services Addendum and a structured compliance framework. In this article, you’ll get a clear overview of what this means in practice and how you, as an IT leader, can plan your move to the cloud in a compliance-compliant manner.
Why financial institutions are hesitant to migrate to the Cloud
The reluctance to adopt cloud solutions in the financial sector is driven by regulatory considerations. The EBA (European Banking Authority) and BaFin (Federal Financial Supervisory Authority) treat cloud services as a form of outsourcing that entails far-reaching obligations:
- Audit rights: The institution must be able to audit the cloud provider and its subcontractors.
- Right to issue instructions: Clear rules about who is allowed to do what with the data.
- Data security and location: Where is data processed and stored?
- Exit clauses: What happens when the contract ends or the provider goes bankrupt?
- Chain outsourcing: Subcontractors of the cloud provider must also meet the requirements.
BaFin is considered one of the most demanding national regulatory authorities within the EU. Its guidance on outsourcing to cloud providers, last updated in February 2024 with an explicit reference to DORA, contains requirements that go beyond the EBA guidelines.
According to the Capgemini World Cloud Report: Financial Services 2025 – a survey of 600 banking and insurance decision-makers – only 12% of financial institutions worldwide are true cloud innovators who consistently leverage the cloud to gain a competitive advantage. The majority are still struggling to translate cloud investments into measurable business value. The most common reason for this is a lack of a regulatory framework for migration.
What Atlassian has changed since 2021
EU Financial Services Addendum (EU FSA): Since December 2021, Atlassian has been offering this contract addendum to eligible European financial service providers. The EU FSA contractually ensures compliance with the EBA and BaFin requirements for cloud outsourcing.
With the EU FSA, your institution will receive:
- Comprehensive audit rights for you, your auditors, and regulatory authorities, including downstream rights for AWS as the infrastructure provider
- Enhanced record-keeping and reporting requirements on the part of Atlassian
- Obligation to cooperate with the client's regulatory authorities
- Continuity of service following termination or bankruptcy
DORA (Digital Operational Resilience Act): Mandatory for all EU financial institutions as of January 17, 2025. Atlassian supports affected institutions with a robust contractual framework, proof of compliance, and transparency regarding security practices.
BaFin Outsourcing Guidance: Atlassian has published a specific mapping document that shows how Atlassian Cloud Enterprise addresses each of the BaFin requirements.
Atlassian provides the regulatory framework, contract, certifications, and documentation. The institution is responsible for configuration and data management.
4 steps to a BaFin-compliant Atlassian Cloud
Step 1: Check the requirements for the EU FSA
The EU FSA is not available to every customer. Requirements:
- Status as a European financial services institution (bank, insurance company, or qualified fintech company in the EEA or the UK)
- Enterprise Edition of Confluence Cloud, Jira Software Cloud, Jira Service Management Cloud, or Jira Align Cloud
- MSA agreement with a minimum spend of 150,000 euros; inquiry via the Atlassian Partner Service Desk
Step 2: Get the compliance team on board early on
This is the most common mistake in practice: IT plans the migration, and the compliance team finds out about it six weeks before go-live. Do it the other way around. Start with a mapping session involving IT, the compliance department, and the data protection officer. Make it clear from the start:
- What data is processed in Jira/Confluence, and what is its classification?
- What internal approvals do you need for outsourcing?
- Are there any existing internal policies for cloud services that need to be updated first?
- What data may be processed, and for what purposes?
Step 3: Compare BaFin requirements with Atlassian controls
Atlassians BaFin Outsourcing Guidance provides the exact mapping. The key areas:
- Audit rights: Atlassian grants inspection rights even downstream at AWS
- Data Security: ISO 27001, SOC 2, SOC 3, and BSI C5-certified; Data Residency available for the EU
- Incident Report: 72-Hour Standard for Security Incidents Enshrined in the Atlassian DPA
- Exit Management: EU FSA Ensures Service Continuity Even in the Event of Termination or Insolvency
Step 4: Document everything as a package of supporting evidence
- Completed outsourcing register with the EU FSA as proof of contract
- Mapping Document: BaFin requirements vs. Atlassian controls
- Configuration documentation for all admin settings
- Incident Response Matrix
- Regular review meeting (at least once a year)
DORA starting in 2025: What's changing for Atlassian users
For Atlassian users, DORA encompasses five areas of focus:
- ICT Risk Management: Clear Frameworks for risk identification and management
- Incident Reporting: Standardized reporting processes for ICT disruptions
- Resilience Tests: Regular penetration tests and stress tests
- Third-Party Management: Monitoring and Ooversight of critical ICT service providers
- Information Exchange: Voluntary exchange on cyber threats
Conclusion: What IT leaders in the financial sector should take away
- The EU FSA makes Atlassian Cloud regulatorially compliant (available to eligible financial institutions since 2021)
- DORA has been mandatory since January 2025 (Atlassian provides the contract framework)
- Shared Responsibility: Atlassian provides the foundation; you provide the configuration.
- Involving Compliance early on speeds up projects (not the other way around)
- The Enterprise Edition is a prerequisite for the EU FSA
Are you planning to migrate to the Atlassian Cloud and want to ensure compliance with BaFin, EBA, and DORA from the very beginning? XALT supports you every step of the way: From conducting a regulatory assessment to setting up an audit-ready cloud environment.
FAQ: Atlassian Cloud and BaFin Compliance
How does Atlassian support compliance with BaFin BAIT requirements?
Through the Financial Services Addendum (FSA) and the EU Data Residency the necessary contractual and technical foundations. The Atlassian Trust Center also provides specific compliance mappings for German financial institutions to help them meet the requirements of BAIT and MaRisk.
Is Atlassian Cloud DORA-compliant for banks in Germany?
Yes, Atlassian is actively preparing for the Digital Operational Resilience Act (DORA) . They already provide the necessary transparency and audit rights, as well as security certifications (ISO 27001, SOC 2), required for third-party ICT risk management under DORA.
What is the Atlassian Financial Services Addendum (FSA)?
The FSA is a contract addendum for clients in the financial sector. It contains specific provisions regarding audit rights, disclosure obligations, and the oversight of subcontractors to meet the requirements of BaFin and the EBA (European Banking Authority).
Can I use Atlassian Jira and Confluence Cloud with BSI C5?
Yes, Atlassian Cloud products have a BSI C5 Certification (Cloud Computing Compliance Controls Catalog). This is essential for German companies to demonstrate the security of their cloud infrastructure to regulatory authorities. XALT has already successfully migrated customers (such as AKDB) to a C5-compliant environment.
Where can I find the latest audit reports for my risk analysis?
All relevant Certifications, SOC reports and compliance certifications are central to the Atlassian Trust Center archived. Some detailed reports can be requested directly through the compliance portal.