On 18 December 2020, the European Securities and Markets Authority (ESMA) published a final report on guidelines on outsourcing to cloud service providers (CSPs). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements and to support convergent approach to the supervision of cloud outsourcing arrangements across Member State competent authorities.

The final report follows a consultation paper containing draft guidelines that ESMA published on 3 June 2020. The consultation closed on 1 September 2020. In the final report ESMA reports that, in general, respondents agreed with its approach towards outsourcing to CSPs. The detailed content of the responses and ESMA’s feedback is outlined in the Feedback Statement contained in Annex I of the final report.

The guidelines are not prescriptive on the exact form that the cloud outsourcing strategy needs to take, meaning that they may form part of broader IT or outsourcing strategies. The same holds true for the governance and oversight framework of cloud outsourcing arrangements. ESMA has also clarified in paragraph 14 of the final guidelines (paragraph 27 of the draft guidelines) that the monitoring of the CSP by the firm should be risk-based, with a primary focus on those cloud outsourcing arrangements that concern critical or important functions.

The final guidelines will now be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all EU official languages will trigger a two-month period during which Member State competent authorities must notify ESMA whether they comply or intend to comply with the guidelines.

The final guidelines apply to Member State competent authorities and to:

  • Alternative investment fund managers and depositaries of alternative investment funds.
  • Undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of UCITS, and investment companies that have not designated a management company authorised pursuant to the UCITS Directive.
  • Central counterparties (CCPs), including Tier 2 third-country CCPs which comply with the relevant EMIR requirements.
  • Trade repositories.
  • Investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues.
  • Central securities depositories.
  • Credit rating agencies.
  • Securitisation repositories.
  • Administrators of critical benchmarks.

ESMA will also take the final guidelines into account when assessing the extent to which compliance with the relevant EMIR requirements by a Tier 2 third-country CCP is satisfied by its compliance with comparable requirements in the third country pursuant to Article 25(2b)(a) of EMIR.