ESMA Announces New Cloud Outsourcing Guidelines

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, recently published a set of draft guidelines in a consultation paper on outsourcing to cloud service providers. The guidelines, announced on June 3, update the outsourcing requirements that apply to financial market participants using the cloud. Their objective is to establish consistent and effective supervisory practices by helping firms and competent authorities identify, address, and monitor the risks that arise from cloud outsourcing arrangements.

Since firms are increasingly outsourcing to cloud service providers, authorities were compelled to warn businesses of the challenges such outsourcing raises for data protection and information security. ESMA identified the need to develop more nuanced rules following the European Commission’s FinTech Action Plan and feedback from firms and stakeholders. Considering that the main risks associated with cloud outsourcing are similar across sectors, ESMA’s proposed guidelines set out: the governance, documentation, and monitoring mechanisms that firms should have in place; the assessment and due diligence expected before outsourcing; the minimum elements that outsourcing agreements should include; the exit strategies and the access and audit rights to cater for; the notification to competent authorities; and the supervision by competent authorities.

Brief overview of ESMA’s guidelines:

    • Guideline 1: Governance, oversight, and documentation – firms should have an up-to-date cloud outsourcing strategy that is consistent with the firm’s other relevant strategies, such as its information security strategy
    • Guideline 2: Pre-outsourcing analysis and due diligence – before entering into any cloud outsourcing arrangement, a firm should assess whether the function concerned is critical, identify the relevant risks, and detect any conflicts of interest
    • Guideline 3: Contractual requirements – the respective rights and obligations of a firm and its CSP should be clearly allocated in a written agreement that allows the firm to terminate it where necessary
    • Guideline 4: Information security – a firm should set information security requirements in its internal policies and in the written outsourcing agreement, and monitor compliance with them on an ongoing basis
    • Guideline 5: Exit strategies – firms should be able to exit cloud outsourcing arrangements without undue disruption to their business activities and without any detriment to their compliance with legal requirements
    • Guideline 6: Access and audit rights – a firm should ensure that the cloud outsourcing agreement does not limit the firm’s effective exercise of its access and audit rights, nor its oversight options over the CSP
    • Guideline 7: Sub-outsourcing – if sub-outsourcing is permitted, the agreement should clearly indicate the conditions under which it may occur, specify the CSP’s obligations, and preserve the firm’s right to terminate
    • Guideline 8: Written notification to competent authorities – where a firm plans to outsource critical functions, it should notify its competent authority in writing and in a timely manner
    • Guideline 9: Supervision of cloud outsourcing arrangements – competent authorities should assess the risks arising from cloud outsourcing as part of their supervisory process, focusing on arrangements that relate to critical functions

“Today’s proposals will help firms understand and mitigate the risks that they are exposed to when outsourcing to cloud service providers,” said Steven Maijoor, Chair of ESMA, adding that financial markets participants “need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary.” The consultation remains open until September 1 and seeks feedback from national competent authorities and from financial market participants that use cloud outsourcing services provided by third parties.