Final ESMA Guidelines on cloud outsourcing

At the end of December 2020, the European Securities and Markets Authority (ESMA) published its final report on its guidelines on outsourcing to cloud service providers (CSP). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. Since the main risks associated with cloud outsourcing are similar across financial sectors, ESMA has considered the European Banking Authority (EBA) Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud services providers and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. This ensures consistency between the three sets of guidelines. The ESMA Guidelines on cloud outscoring apply to MiFID II firms such as investment firms and other financial services providers indirectly but they describe the market standard and set the supervisory framework for the National Competent Authorities (NCAs) in Europe such as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).

For the German jurisdiction, BaFin published guidance on outsourcing to cloud providers back in 2018. Please note that the amended MaRisk include outsourcing requirements for investment firms and other financial services providers and already reflect the EBA Guidelines on outsourcing, including cloud outsourcing. For more information on the MaRisk amendment, please see our previous Blogpost.

The guidelines in more detail

The following gives a brief overview of the main content of the ESMA cloud outsourcing guidelines.

  • Guideline 1: Governance, oversight and documentation

Firms should have a defined and up-to date cloud outsourcing strategy which should include, inter alia, a clear assignment of the responsibility for the documentation, management and control of cloud outsourcing arrangements, sufficient resources to ensure compliance with all legal requirements applicable to the firm’s outsourcing arrangements, a cloud outsourcing oversight function directly accountable to the management body and responsible for managing and overseeing the risk of cloud outsourcing arrangements, a (re)assessment of whether the cloud outsourcing arrangements concern critical or important functions as well as an updated register of information on all cloud outsourcing arrangements. For the outsourcing of critical or important functions, the ESMA guidelines include a detailed list of information which should be included in the register.

  • Guideline 2: Pre-outsourcing analysis and due diligence

ESMA provides information on what is required for the pre-outsourcing analysis (e.g. an assessment if the cloud outsourcing concerns a critical or important function). In the case of outsourcing of critical or important function, firms should conduct a comprehensive risk analysis and take into account benefits and costs of the cloud outsourcing and perform an evaluation of the suitability of the CSP.

  • Guideline 3: Key contractual elements

The guidelines provide a detailed list of what a written cloud outsourcing agreement should include in case of outsourcing of critical or important functions. Such agreements should include, inter alia, provisions regarding data protection, agreed service levels incident management, business continuity plans, termination rights and access and audit rights for the firm and its competent supervisory authority.

  • Guideline 4: Information security

Firms should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis. In case of outsourcing of critical or important functions, additional requirements apply regarding information security organization, identity and access management, encryption and key management, operations and network security, application programming interfaces, business continuity and data location.

  • Guideline 5: Exit strategies

In case of outsourcing of critical or important functions, firms should develop and maintain exit strategies that ensure that the firm is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its client. Exit strategies should include comprehensive and documented exit plans, the identification of alternative solutions and provisions in the written outsourcing agreements that oblige the CSP to support orderly transfer of the outsourced function from the CSP to another CSP.

  • Guideline 6: Access and audit rights

Firms should ensure that the cloud outsourcing written agreement does not limit the firm´s and competent authority´s effective exercise of the access and audit rights on the CSP (see also Guideline 3). However, the Guideline also includes provisions aimed at reducing the organizational burden on the CSP and its clients when exercising access and audit rights: firm may use e.g. third-party certifications and external or internal audit reports made available by the CSP. However, in case of outsourcing of critical or important functions, the guidelines stipulate additional requirements that must be met in order to be able to rely on third party certifications or assessments.

  • Guideline 7: Sub-outsourcing

In case of sub-outsourcing, the firm should ensure that the CSP appropriately oversees the sub-outsourcer. In addition, ESMA provides information on the provisions that should be included in the written outsourcing agreement between the firm and the CSP in the case of sub-outsourcing critical or important function. This includes the remaining accountability of the CSP, a notification requirement for the CSP in case of any intended sub-outsourcing allowing the firm sufficient time to carry out a risk assessment of the proposed sub-outsourcer, the firm´s right to object to the intended sub-outsourcing and termination rights in case of such objection.

  • Guideline 8: Written notification to competent authorities

Firms should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangement that concern critical or important functions. The notification should include, inter alia, a description of the outsourced functions, a brief summary of the reasons why the outsourced function is considered critical or important and the individual or decision-making body in the firm that approved the cloud outsourcing arrangement.

What´s next?

In a next step, the guidelines will be translated in the official EU languages and published on the ESMA´s website. The publication of the translation will trigger a two-month period during which the national competent authorities must notify ESMA whether they comply or intend to comply with the guidelines (comply or explain mechanism). For the German jurisdiction, it is to be expected that BaFin will comply with the ESMA guidelines.