Tech & Sourcing @ Morgan Lewis


The European Securities and Markets Authority (ESMA) published its draft guidelines on outsourcing to cloud service providers on June 3. Steven Maijoor, the chair of ESMA, indicated that the purpose of the guidelines is to “help firms understand and mitigate the risks that they are exposed to when outsourcing to cloud service providers.”

The paper sets out a number of measures that certain regulated entities (such as investment firms, central counterparties, and central securities depositories) can take to mitigate risk factors for outsourcing to cloud service providers, including operational risks, security risks, and legal risks. The paper also functions as a guide to the cloud service providers for how to contract with these firms.

The new guidelines set out the following nine principles, which are intended to shape outsourcing to cloud service providers:

  • The governance, oversight, and monitoring mechanisms and documentation that firms have in place should be defined, up to date, and consistent with all relevant policies.
  • Pre-outsourcing analysis and due diligence should be undertaken prior to commencing a cloud outsourcing at such a degree as is proportionate to the nature of the particular deal.
  • Outsourcing agreements should set out clear dependencies, rights, incentives, and obligations as a minimum requirement.
  • Information security requirements should be included within the outsourcing agreement.
  • Firms should ensure that the agreement contains exit strategies that will not disrupt the business and/or services.
  • The agreement should not limit the firm’s rights of access and audit.
  • If there are any sub-outsourcing arrangements, clear obligations and requirements should be specified in the outsourcing agreement.
  • Competent authorities should be provided with written notification in a timely manner if the outsourcing is critical in nature.
  • Supervision of cloud outsourcing arrangements by competent authorities should focus on critical outsourcing arrangements.

The guidelines also include a preliminary cost-benefit analysis undertaken by ESMA.

The draft guidelines follow the publication of the European Banking Authority’s (EBA’s) guidance on cloud outsourcing, which applies to the banking, investment, and payment activities and services of financial institutions, such as investment firms and credit institutions, and the European Insurance and Occupational Pensions Authority’s (EIOPA’s) guidelines on cloud outsourcing, which apply to insurance and reinsurance undertakings. ESMA is following their lead by developing guidance to help regulated entities with the increasing number of engagements with cloud service providers.

ESMA has stated that these new guidelines are consistent with the prior guidance. While it is helpful for in-scope businesses that these guidelines be aligned, the very fact that there are three different sets of guidelines means it is necessary to consider each separately.

The consultation will close on September 1, 2020, and ESMA is encouraging those that use cloud service providers to engage in the consultation and provide feedback to the questions set out by ESMA. Once the consultation has been completed, these guidelines are expected to come into force from June 30, 2021, following which businesses will need to retroactively fit their cloud outsourcing agreements to comply with these guidelines.