ESMA issues new guidelines to draw attention to management of risks associated with cloud outsourcing

European regulator ESMA has issued new guidelines to help financial firms manage the risks associated with outsourcing to cloud service providers. The purpose of the guidelines is to help firms identify, address and monitor risks. The guidelines will apply from 31 July 2021 to new or amended cloud outsourcing arrangements and from 31 December 2022 to existing arrangements. They are endorsed by the Dutch Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB).

Firms are increasingly outsourcing to the cloud. This brings benefits, but it is not free from risks. The ESMA guidelines provide guidance on appropriate controls for these risks and help to foster a common approach to them in the EU.

What do the guidelines help with?

The ESMA guidelines help financial firms with:

  • the risk assessment and due diligence they must perform on their cloud service providers
  • the governance, organisational and control frameworks they must put in place to monitor the performance of their cloud service providers
  • the termination of their cloud outsourcing arrangements without undue disruption to their business
  • the contractual provisions that must be included in their cloud outsourcing arrangements
  • the information they must provide to competent authorities, including maintaining a register of information on all their cloud outsourcing arrangements

To which financial firms do the guidelines apply?

The ESMA guidelines apply to, among others:

  • alternative investment fund managers and depositaries of alternative investment funds
  • undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of UCITS, and investment companies that have not designated an authorised management company pursuant to the UCITS Directive
  • central counterparties, including Tier 2 third-country central counterparties that comply with the relevant EMIR requirements
  • investment firms and credit institutions when carrying out investment services and investment activities
  • data reporting services providers and market operators of trading venues
  • central securities depositories

Common interpretation and application in supervision

The AFM and DNB supervise the application of risk controls for outsourcing to the cloud. In doing so, they strive for a common interpretation and application of the ESMA guidelines.

Risks for sectors are similar

The main risks associated with outsourcing to the cloud are similar across all sectors. ESMA has therefore considered comparable guidelines issued by regulatory authorities EBA and EIOPA in preparing its guidelines. ESMA has also taken into account the European Commission’s proposal for a Digital Operational Resilience Act.
