Compliance / By country / FINMA 2018/3
FINMA Circular 2018/3 (Outsourcing) and Microsoft 365
Swiss financial-sector outsourcing and access-control oversight. Siemserva by Senserva maps 197+ Microsoft 365 and Entra ID checks to the areas FINMA 2018/3 emphasizes, so a scan of your tenant doubles as evidence.
What FINMA 2018/3 is
FINMA Circular 2018/3 sets outsourcing and oversight expectations for Swiss banks and insurers, including access control over outsourced and cloud services. For firms running Microsoft 365, that means demonstrable control over identity, privileged access, and logging.
How Siemserva maps to FINMA 2018/3
FINMA 2018/3 asks for strong identity, access control, and monitoring. Siemserva evidences those areas with the checks below, each ranked by Severity and checked against your own tenant:
Identity and access management (60 checks)
Privileged access (PIM) (34 checks)
Conditional Access (60 checks)
Logging and audit (43 checks)
See every check with its Severity and remediation in the checks catalog, or the per-control detail in the control reference.
Evidence FINMA 2018/3 in your own Microsoft 365
Siemserva by Senserva runs the identity, access, privileged-access, and logging checks above, and 650+ others, against your own tenant: it shows where you meet or miss each requirement, ranks the gaps by Severity, and produces audit-ready evidence and validated fixes to close them.
FINMA 2018/3 and Microsoft 365: common questions
Does FINMA 2018/3 apply to Microsoft 365?
FINMA Circular 2018/3 (Outsourcing) does not name Microsoft 365 specifically, but its identity, access-control, and logging requirements are met (or missed) in your Microsoft 365 and Entra ID configuration. That is where Siemserva checks provide the evidence.
How does Siemserva map to FINMA 2018/3?
Siemserva runs 197+ Microsoft 365 and Entra ID checks across the areas FINMA 2018/3 emphasizes, multi-factor authentication, Conditional Access, privileged access, and logging, ranks the gaps by Severity, and produces audit-ready evidence. It is evidence, not an official mapping or certification.
Is this an official FINMA 2018/3 certification?
No. Senserva is not an assessor and issues no certifications. It provides the configuration evidence, Severity ranking, and remediation that make an assessment defensible. Confirm requirements with your assessor or regulator.
More: the frameworks crosswalk, Microsoft 365 compliance by country, and the audit evidence guide.