ESMA: Draft Guidelines on Outsourcing to Cloud Service Providers - consultation

03 June 2020

Firms are increasingly outsourcing to cloud service providers. Although cloud outsourcing can offer a number of benefits, including reduced costs and enhanced operational efficiency and flexibility, it raises challenges in terms of data protection and information security.

Concentration risk can also arise, as a result of many firms using the same large cloud service providers, with potential negative outcomes for financial stability.


ESMA identified the need to develop guidance on outsourcing to cloud service providers following the European Commission’s FinTech Action Plan1 and feedback received from firms and stakeholders. Considering that the main risks associated with cloud outsourcing are similar across sectors, ESMA has considered the recent guidelines published by EBA and EIOPA, namely the EBA Guidelines on outsourcing arrangements2, which have incorporated the EBA Recommendations on outsourcing to cloud service providers3, and the EIOPA Guidelines on outsourcing to cloud service providers.


In accordance with Article 16(2) of Regulation (EU) No 1095/20105 (the ‘ESMA Regulation’), as recently amended6, this paper sets out for consultation draft ESMA guidelines on outsourcing to cloud service providers.


The purpose of these draft guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. These draft guidelines are intended to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, monitoring outsourced activities to providing for exit strategies).

full PDF

ESMA


© ESMA