The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, recently published a consultation paper[1] on guidelines on outsourcing to cloud service providers.
The guidelines, which are expected to be introduced in [. ], set out the regulator’s requirements when financial market participants outsource to cloud service providers, with a particular focus on identifying, addressing and monitoring the risks and challenges that arise from cloud outsourcing arrangements.
Announcing the consultation, ESMA chair Steven Maijoor said that whilst cloud outsourcing can bring benefits such as reduced costs and enhanced operational efficiency and flexibility, it also raises risks and challenges that need to be properly addressed, especially around data protection and information security. Maijoor went on to say[2]:
“Financial markets participants should be careful that they do not become overly reliant on their cloud services providers. They need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary.”
The draft guidelines build on the European Banking Authority’s (EBA) 2017 recommendations on outsourcing to cloud service providers[3] (as subsequently incorporated, in February 2019, into revised EBA outsourcing guidelines[4]), as well as cloud outsourcing guidance[5] from the European Insurance and Occupational Pensions Authority (EIOPA) published in February 2020.
The guidelines focus on five key areas.
Governance, documentation, oversight and monitoring mechanisms.
Pre-outsourcing assessment and due diligence.
Minimum requirements for outsourcing and sub-outsourcing (i.e. subcontracting) agreements.
Requirements for exit strategies, and access/audit rights.
Notification to competent authorities.
Supervision by competent authorities.
The consultation closes on 1 September 2020, with ESMA’s final report expected to be published by Q1 2021.
The new guidelines will take effect from 30 June 2021 and will apply to all cloud outsourcing arrangements entered into, renewed or amended by EU financial participants on or after that date (although firms will have until 31 December 2022 to ensure that existing arrangements comply).
Compliance with the new guidelines will be a key ESMA test to be used when assessing:
If you would like more information about legal and regulatory issues, risks and challenges when considering cloud outsourcing or related IT projects, please contact the author or your usual Fladgate contact.
[1] https://www.esma.europa.eu/sites/default/files/library/esma50-164-3342_cp_cloud_outsourcing_guidelines.pdf
[2] https://www.esma.europa.eu/press-news/esma-news/esma-consults-cloud-outsourcing-guidelines
[3] https://eba.europa.eu/sites/default/documents/files/documents/10180/2170125/e02bef01-3e00-4d81-b549-4981a8fb2f1e/Recommendations%20on%20Cloud%20Outsourcing%20(EBA-Rec-2017-03)_EN.pdf
[4] https://eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1
[5] https://www.eiopa.europa.eu/content/guidelines-outsourcing-cloud-service-providers_en