23 December 2020
This completes guidance from the ESAs on the use of cloud services.
On 18 December 2020, the European Securities and Markets Authority (ESMA) published its Final Report on Guidelines on outsourcing to cloud service providers (the ESMA Guidelines). The ESMA Guidelines complete the guidance from the European Supervisory Authorities (ESAs) on the use of cloud services, following earlier guidelines from the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). However, despite some similarities, the ESMA Guidelines may not represent the level of cross-sector harmonisation that some might have hoped for.
As a result of Brexit, the ESMA Guidelines are not expected to apply to firms only operating in the UK (as they will enter into force after the EU withdrawal implementation period). However, the ESMA Guidelines will apply to the following types of firms acting in the EU (In-scope Firms):
The ESMA Guidelines enter into force on 31 July 2021 and will apply to all cloud outsourcing arrangements that In-scope Firms enter into, renew or amend on or after 30 June 2021. For existing cloud arrangements, ESMA expects In-scope Firms to review and amend those arrangements by 31 December 2022.
The ESMA Guidelines will require In-scope Firms to implement measures to identify, address and monitor risks that may arise from using cloud services, with a particular emphasis on the use of cloud services for "critical or important functions".
In particular, the ESMA Guidelines include requirements on the following areas, many of which are similar to the approach taken under guidelines from the EBA and EIOPA:
Importantly, the ESMA Guidelines emphasise that firms should implement the requirements in a way which is proportionate to the nature, scale and complexity of the function(s) being outsourced, and following a risk-based approach.
Note that, as with the guidelines from EIOPA, the ESMA Guidelines only apply to cloud outsourcing arrangements. This also includes arrangements where firms outsource to another party (such as a software-as-a-service (SaaS) provider) which then further outsources to a cloud service provider. By contrast, the guidelines from the EBA apply to all outsourcing by firms.
Currently, different types of In-scope Firms are subject to various different outsourcing requirements under the relevant sectoral legislation (including the AIFMD, the UCITS Directive, MiFID II, EMIR, Benchmark Regulation, and various other pieces of sectoral legislation).
As a result, the existing outsourcing rules have tended to be highly fragmented across different sectors and EU Member States. To address this, the ESMA Guidelines seek to implement a more convergent approach to the supervision of cloud outsourcing, recognising that the risks relating to cloud outsourcing are likely to be similar for different types of firms. However, it is important to note that the ESMA Guidelines are without prejudice to applicable requirements in sectoral legislation, which, in some cases, may include more stringent requirements.
ESMA stated that it took the equivalent guidelines from the EBA and EIOPA into account when preparing the ESMA Guidelines. Although the ESMA Guidelines are broadly in line with the EBA and EIOPA guidelines, the ESMA Guidelines are more condensed, less prescriptive in how they should be applied, and in some areas, go further than the EBA and EIOPA guidelines. For example, the ESMA Guidelines include more detail on information security requirements, and additional provisions on termination and data deletion.
In-scope Firms that are also supervised by the EBA or EIOPA might therefore have preferred a more directly aligned approach. For this kind of cross-sector alignment on the use of cloud services and other Information and Communication Technologies (ICT), it looks as if firms will need to wait for the proposed EU regulation on digital operational resilience (DOR Regulation) - see our separate briefing here. Once in force, the DOR Regulation will entrench into EU legislation many concepts and provisions currently set out in the guidance from the EBA, EIOPA and ESMA.
If you have any questions about what we've covered in this article, please contact a member of our Financial Services Regulatory team.
by Clare Reynolds and Dr. Paul Voigt, Lic. en Derecho, CIPP/E
by Clare Reynolds and Liam Croucher