
Cloud providers are under more scrutiny than ever, and regulated industries are leading that shift. Regulatory pressure, amplified by frameworks like DORA, has made third-party ICT risk a board-level concern.
Organizations operating in financial services, legal, and asset management are now expected to document, assess, and justify every cloud dependency they hold. This article explains why that expectation has hardened, what structured assurance mechanisms look like in practice, and how publicly accessible disclosures, like a CSA STAR registry listing, are changing what buyers look for when shortlisting a cloud platform.
Key takeaways:
Third-party ICT risk is now a regulatory requirement, not just a best practice. The EU's Digital Operational Resilience Act (DORA), which entered into application on January 17, 2025, requires banks, insurance companies, investment firms, and other financial entities to demonstrate that they can withstand, respond to, and recover from ICT disruptions.
Before DORA, firms across EU member states followed inconsistent guidance, and many smaller providers operated without standardized disclosure requirements. That patchwork is gone. Article 3(18) of DORA defines ICT third-party risk as any risk that a financial institution might face when using ICT services provided by external vendors or their subcontractors, including any outsourcing arrangements. The scope is deliberately broad.
DORA creates direct obligations for cloud platforms supplying financial entities. Financial organizations must conduct ICT concentration risk assessments before entering contractual agreements with new vendors. Firms must seek providers that offer a comprehensive ICT risk management framework enabling them to identify, assess, manage, and mitigate all ICT-related risks.
This means a provider saying "we take security seriously" is no longer sufficient. Buyers need documentation, control frameworks, and publicly verifiable disclosures they can present to their own regulators.
Cloud security transparency refers to a provider's willingness to disclose its security controls, policies, and processes in a standardized, assessable format.
For procurement and compliance teams in financial services, transparency is functional, not ceremonial. The CAIQ v4 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services. It helps cloud customers gauge the security posture of prospective cloud service providers and determine if their cloud services are suitably secure.
Without that kind of structure, every vendor evaluation becomes a bespoke, time-consuming exercise. Standardized disclosure reduces that friction for buyers and establishes a common baseline for comparison.
CSA STAR Level 1 is a self-assessment tier of the Cloud Security Alliance's Security, Trust, Assurance, and Risk (STAR) program. It is publicly searchable and free to access.
At Level 1, organizations submit the Consensus Assessments Initiative Questionnaire (CAIQ), based on the Cloud Controls Matrix, to evaluate and document their security controls. Organizations should pursue this level if they want to offer increased transparency around the security controls they have in place or if they are looking for a cost-effective way to improve trust.
The listing appears in the CSA STAR Registry, which prospective customers and auditors can search at any time. It is not a certification, but it is evidence, and that distinction matters in due diligence workflows where verifiable documentation is required.
The Consensus Assessments Initiative Questionnaire is the instrument that powers a STAR Level 1 submission. The STAR Level 1 Security Questionnaire (CAIQ v4.1) provides a set of yes/no questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix.
The framework covers 17 control domains, addressing areas including governance, risk management, operations, and incident response. The CAIQ v4.1 now features 283 questions aligned with the latest controls, with updates covering datacenter security, logging and monitoring, and security incident management.
Each answer maps to a specific control within the CCM, making it possible for buyers to cross-reference responses against their own internal policies or regulatory checklists.
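The cross-referencing described above can be automated once the CAIQ responses are in a tabular form. The following is an added example written for this article, not code from CSA or from the platform discussed here. It assumes the questionnaire has been exported to a CSV with question id, control id, yes/no answer and notes columns (the real CAIQ is distributed as a spreadsheet, so the column layout is an assumption), and it uses constructed sample rows whose control ids follow the domain-prefix pattern of CCM identifiers but whose question texts, answers and buyer policy references are invented for illustration. It classifies each control a buyer treats as mandatory as satisfied, not implemented, not applicable, unanswered, or absent from the questionnaire, and summarizes answered versus blank questions per control domain.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of CAIQ-style responses. The ids, answers and notes
# are illustrative only; they are not taken from any real STAR registry listing.
SAMPLE_CAIQ_CSV = """question_id,control_id,answer,notes
IAM-01.1,IAM-01,Yes,Access management policy reviewed annually
IAM-03.1,IAM-03,Yes,MFA enforced for all privileged access
LOG-03.1,LOG-03,No,Log retention is 30 days; extension on roadmap
LOG-05.1,LOG-05,NA,Not applicable to SaaS tenants
SEF-03.1,SEF-03,Yes,Incident response plan tested annually
DCS-05.1,DCS-05,,
"""

# Constructed buyer checklist: mandatory control ids mapped to the buyer's own
# internal policy references (the policy labels are invented for this example).
BUYER_CHECKLIST = {
    "IAM-03": "POL-ACCESS-02 (privileged MFA)",
    "LOG-03": "POL-LOG-01 (12-month retention)",
    "SEF-03": "POL-IR-04 (annual IR exercise)",
    "DCS-05": "POL-PHYS-01 (data centre access)",
    "STA-07": "POL-TPRM-03 (supply chain inventory)",
}

VALID_ANSWERS = {"YES", "NO", "NA", ""}  # blank means the provider left it unanswered


def parse_caiq(text):
    """Parse CSV rows into {control_id: [(question_id, answer, notes), ...]}.

    Answers are normalized to upper case; anything outside YES/NO/NA/blank is
    rejected so that a malformed export does not silently count as answered.
    """
    by_control = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        answer = (row["answer"] or "").strip().upper()
        if answer not in VALID_ANSWERS:
            raise ValueError(f"unexpected answer {row['answer']!r} for {row['question_id']}")
        by_control[row["control_id"].strip()].append(
            (row["question_id"].strip(), answer, (row["notes"] or "").strip())
        )
    return dict(by_control)


def domain_of(control_id):
    """Return the domain prefix of a control id, e.g. 'IAM' for 'IAM-03'."""
    return control_id.split("-", 1)[0]


def coverage_by_domain(by_control):
    """Count answered (YES/NO/NA) versus blank questions per control domain."""
    summary = defaultdict(lambda: {"answered": 0, "blank": 0})
    for control_id, responses in by_control.items():
        for _, answer, _ in responses:
            summary[domain_of(control_id)]["answered" if answer else "blank"] += 1
    return dict(summary)


def gap_report(by_control, checklist):
    """Classify each mandatory control in the buyer checklist.

    A control is 'satisfied' only when none of its questions is blank or NO;
    a single NO makes it 'not_implemented', a single blank makes it 'unanswered',
    and a control answered entirely NA is flagged separately for follow-up.
    """
    report = {"satisfied": [], "not_implemented": [], "not_applicable": [],
              "unanswered": [], "not_in_caiq": []}
    for control_id, policy_ref in checklist.items():
        responses = by_control.get(control_id)
        if responses is None:
            report["not_in_caiq"].append((control_id, policy_ref))
            continue
        answers = {answer for _, answer, _ in responses}
        if "" in answers:
            bucket = "unanswered"
        elif "NO" in answers:
            bucket = "not_implemented"
        elif answers == {"NA"}:
            bucket = "not_applicable"
        else:
            bucket = "satisfied"
        report[bucket].append((control_id, policy_ref))
    return report


if __name__ == "__main__":
    responses = parse_caiq(SAMPLE_CAIQ_CSV)
    for domain, counts in sorted(coverage_by_domain(responses).items()):
        print(f"{domain}: {counts['answered']} answered, {counts['blank']} blank")
    for bucket, items in gap_report(responses, BUYER_CHECKLIST).items():
        for control_id, policy_ref in items:
            print(f"{bucket:16} {control_id:8} -> {policy_ref}")
```

The "not_in_caiq" bucket is the one worth watching in practice: a control the buyer considers mandatory that the questionnaire never asks about cannot be evidenced from the registry listing at all and has to be covered by a custom question or contractual clause.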
Self-assessments are a recognized and widely accepted starting point in third-party cloud risk management. They are not a substitute for deeper audit rights, but they serve a specific function: giving buyers a structured, comparable basis for initial evaluation before deeper due diligence begins.
For time-poor procurement teams assessing multiple providers in parallel, a CAIQ v4.1 response on the public registry is accessible immediately. It reduces the need to issue custom security questionnaires, shortens vendor review cycles, and gives compliance officers something concrete to document.
The alternative, a provider with no public disclosure and no standardized framework response, creates more work and more risk for the buyer.
Third-party assurance frameworks exist across a spectrum. At one end, there is informal self-declaration with no supporting documentation. At the other, there are independent third-party certifications like SOC 2 Type II or ISO 27001. CSA STAR Level 1 sits between those two points, providing structured, standardized, and publicly accessible control disclosure without the time or cost of a full external audit.
For organizations evaluating a cloud collaboration platform, the presence of a STAR listing signals that the provider has assessed its own controls against a recognized industry framework and made those responses publicly verifiable.
It supports the kind of operational due diligence that regulated buyers, particularly those with DORA obligations, are now expected to perform. Capcade, a secure collaboration platform built for complex, regulated workflows, has completed a CAIQ v4.1 self-assessment and is listed on the CSA STAR registry. For teams in financial services, asset management, or legal advisory seeking a compliant workspace, that listing provides a structured starting point for vendor review.
What is the difference between CSA STAR Level 1 and Level 2?
Level 1 is a self-assessment submitted to the public registry using the CAIQ. Level 2 builds on existing certifications like ISO 27001 or SOC 2 and requires a third-party audit or attestation. Level 1 is a meaningful first step in cloud security transparency; Level 2 provides independent verification.
Who can access the CSA STAR registry?
The STAR registry is publicly accessible to anyone, including procurement teams, compliance officers, auditors, and regulators. No account or login is required to search listings.
Does CAIQ v4.1 replace previous versions?
CAIQ v4.1 is the version of the CAIQ that can currently be submitted to the STAR registry. Earlier versions cannot be submitted for new listings. Providers completing assessments today should use CAIQ v4.1.
Is a STAR Level 1 listing enough to satisfy DORA third-party risk requirements?
A STAR Level 1 listing contributes to the evidence base for third-party cloud risk assessments but should be treated as one component of a broader due diligence process. DORA requires ongoing monitoring, contractual protections, and documented concentration risk assessments.
Why does cloud security transparency matter for financial services teams specifically?
DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector. Firms that cannot demonstrate they have assessed their cloud providers' controls may struggle to satisfy regulatory review or internal audit requirements.
Regulatory expectations around third-party ICT risk have moved from guidance to obligation. Procurement teams evaluating cloud platforms now need more than a security overview page.
They need structured, comparable, and publicly accessible disclosures that map to recognized control frameworks. That is the function the CSA STAR registry and the CCM v4.1 serve. Capcade's listing supports that process for any organization working through vendor due diligence. Teams who want to understand what that means for their specific workflows can explore the platform or book a demo to see how Capcade handles cross-entity collaboration in compliance-sensitive environments.