On 11 July 2025, the European Securities and Markets Authority (ESMA) published a Final Report on revised guidelines on outsourcing to cloud service providers (CSPs).

Background

On 18 December 2020, ESMA published a Final Report on guidelines on outsourcing to CSPs. The guidelines are intended to help in-scope firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements and support a convergent approach to the supervision of cloud outsourcing arrangements across Member State competent authorities. The guidelines have applied since 31 July 2021 (the 2021 guidelines) to all cloud outsourcing arrangements entered into, renewed or amended on or after this date.

On 17 January 2025, the Digital Operational Resilience Act (DORA) became applicable. The subject matter which the 2021 guidelines cover has been incorporated in DORA although DORA does not apply to certain addressees of the 2021 guidelines, namely some of the depositories referred to in Article 21 of the Alternative Investment Fund Managers Directive (AIFMD) and Article 23 of the Undertakings for Collective Investment in Transferable Securities Directive (UCITS Directive).

Changes

In the Final Report ESMA amends the scope of the addressees of the 2021 guidelines to exclude financial entities covered by DORA. However, ESMA considers that the revised guidelines on outsourcing to CSPs should cover depositaries referred to in Articles 21(3)(c) and 21(3), third subparagraph of the AIFMD and Article 23(2)(c) of the UCITS Directive that are not subject to DORA in consideration of their market relevance, of their role as depositaries and of the funds served.

Whilst ESMA is amending the scope of addressees of the 2021 guidelines it is not substantively changing the content. ESMA did not conduct an open public consultation on the amendments to the 2021 guidelines as this would have been disproportionate in relation to the scope and impact of these amendments.

Next steps

The revised guidelines will be translated in the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which Member State competent authorities must notify ESMA whether they comply or intend to comply with the revised guidelines.