Amsterdam, February 22, 2025 – Human Rights in Finance.EU (HRIF.EU) has today issued an open letter and briefing note, advising EU financial institutions to re-assess their reliance on U.S.-based service providers in light of the Digital Operational Resilience Act (DORA).
HRIF.EU, whose founders have a professional background in the risk/compliance domain, considers that recent political events have significantly increased the likelihood of repetition of the ‘Amsterdam Trade Bank’ scenario. In this scenario the Bank was locked out of using US-services of Microsoft, as Microsoft Ierland attached more weight to US rules and risks than the applicable EU-rules. An Amsterdam Court Order had to be sought to re-instate access.
The Amsterdam Trade Bank: a wake-up call in 2022
In April 2022, Amsterdam Trade Bank (ATB)—a Dutch bank with Russian ownership—collapsed after being cut off from international financial services due to U.S. sanctions against Russian entities following the invasion of Ukraine. While ATB itself was not on the EU sanctions list, it was placed on the U.S. sanctions list, which triggered severe restrictions on its operations.
A key issue emerged when Microsoft, a U.S.-based cloud service provider, abruptly terminated ATB’s access to its cloud infrastructure (including Azure, Office 365, and SharePoint). This locked out the bank’s court-appointed trustees, who were legally responsible for managing the bankruptcy and needed access to ATB’s digital records to settle customer accounts and repay creditors.
In response, the trustees sued Microsoft in the Amsterdam District Court, arguing that the bank’s financial and operational data—stored in Microsoft’s cloud—was critical to their ability to perform their legal duties. The court ruled in favor of the trustees, ordering Microsoft to restore access. This case exposed the real-world risks that financial institutions face when relying on U.S.-based ICT providers, who will comply with U.S. laws or US soft-laws —even when they contradict European legal obligations.
HRIF.EU Open letter and must-read briefing for European CEOs
The Amsterdam Trade Bank case proves that geopolitical tensions can directly impact business continuity. With growing international uncertainty, proactive steps are essential to ensure compliance, operational resilience, and strategic autonomy. To aid European financial institutions in assessing and navigating these risks, HRIF.EU has today provided a comprehensive briefing note that CEOs can use to get this issue on their board agenda.
The briefing note explains how, under rules of the DORA-regulation, financial institutions in Europe must assess, mitigate, and prepare for third-party risks—not just from a technical standpoint, but also from a legal and geopolitical perspective. This note is the basis for HRIFs urgent request to CEOs:
Please urgently reconsider your non-EU outsourcing policies and, at a minimum, reduce your reliance on U.S. AML rules, sanctions, and US-service providers.
In essence the briefing note outlines why the likelihood of sudden disruption of business due to geopolitical developments has significantly increased. Under the DORA-legal frameworks this means that a re-assessment of the risk scenario’s must occur as well as a consideration of relevant mitigating measures. HRIF.EU notes that the Oversight Framework of DORA that deals with cross-border supervisory issues of critical non-EU service provides may not prove to be effective.
Therefore other, more practical, mitigating measures should also come into play, such as:
- Executing exit plans: Shift critical processes to non-U.S.-based or EU-owned providers.
- Transitioning operations: Move processing to EU operators to minimize extraterritorial risks.
- Building an EU consortium: Redesign banking, payments, and data systems to insulate them from U.S. legal leverage.
- Rethinking sanctions and AML policies: Reduce dependency on U.S.-driven frameworks like FATF recommendations that may clash with EU law (see article here).
- Pushing for legal immunity: Urge the European Commission to shield EU firms from U.S. extraterritorial laws.
The bigger picture: Human Rights and sovereignty
Beyond compliance, HRIF.EU frames this as a human rights issue. Aligning with DORA, we argue, will enhance protections for EU citizens and companies by safeguarding data and services from foreign interference. It’s a vision of digital sovereignty that resonates with the EU’s broader strategic autonomy push post-Munich.
Yet the challenge is immense. Shifting away from entrenched U.S. providers like Microsoft or Amazon Web Services—whose dominance in cloud services is near-ubiquitous—requires resources, planning, and political will. The European Supervisory Authorities (ESAs) have already flagged geopolitical risks in their draft technical standards, rejecting banks’ attempts to downplay non-EU provider vulnerabilities. But as HRIF.EU notes, “geopolitical realities shift faster than the European Commission can establish Regulatory Technical Standards.”
The clock is ticking: the financial sector at a turning point!
For EU financial CEOs, the message is clear: revisit your risk assessments, update your Business Impact Analyses, and detail your exit strategies—now. The volatility of the political environment leaves no room for complacency. As Chairman Lelieveldt concludes in the open letter, “We look forward to understanding your responses to these developments. The financial sector is at a turning point.”
For more details, read the full open letter and briefing note here.
Support Our Work
HRIF.EU is committed to advocating for financial integrity, digital sovereignty, and human rights in finance. If you value independent research and action on these critical issues, consider supporting our work. Your contribution (see our bank accounts at the bottom of the screen) will help us continue to provide expert analysis, legal advocacy, and policy recommendations that safeguard Human Rights in Finance in Europe.