ESMA publishes final guidelines on outsourcing to cloud service providers

Briefing

This completes guidance from the ESAs on the use of cloud services.

On 18 December 2020, the European Securities and Markets Authority (ESMA), published its Final Report on Guidelines on outsourcing to cloud service providers (the ESMA Guidelines). The ESMA Guidelines complete the guidance from the European Supervisory Authorities (ESAs) on the use of cloud services, following earlier guidelines from the European Banking Authority (EBA) and European Insurance and Occupational Pension Authority (EIOPA). However, despite some similarities, the ESMA Guidelines may not represent the level of cross-sector harmonisation that some might have hoped for.

Who do the ESMA Guidelines apply to?

As a result of Brexit, the ESMA Guidelines are not expected to apply to firms only operating in the UK (as they will enter into force after the EU withdrawal implementation period). However, the ESMA Guidelines will apply to the following types of firms acting in the EU (In-scope Firms):

alternative investment fund managers and their depositaries
undertakings for collective investment in transferable securities management companies and their depositaries
central counterparties
trade repositories
investment firms and credit institutions when carrying out investment services and activities
data reporting services providers and market operators of trading venues
central securities depositories
credit rating agencies
securitisation repositories, and
administrators of benchmarks.

When will they apply?

The ESMA Guidelines enter into force on 31 July 2021 and will apply to all cloud outsourcing arrangements that In-scope Firms enter into, renew or amend on or after 30 June 2021. For existing cloud arrangements, ESMA expects In-scope Firms to review and amend those arrangements by 31 December 2022.

What will In-scope Firms need to do?

The ESMA Guidelines will require In-scope Firms to implement measures to identify, address and monitor risks that may arise from using cloud services, with a particular emphasis on the use of cloud services for "critical or important functions".

In particular, the ESMA Guidelines include requirements on the following areas, many of which are similar to the approach taken under guidelines from the EBA and EIOPA:

Governance – In-scope Firms will need to have a strategy for any cloud outsourcing, including appropriate governance arrangements such as clear allocation of roles and responsibilities, directly accountable senior staff members, and allocation of sufficient resources etc.
Risk assessment – Before entering into any cloud outsourcing arrangement, In-scope Firms need to assess the relevant risks and carry out due diligence, and may need to repeat the analysis throughout the life of the arrangements.
Oversight and monitoring – In-scope Firms should oversee their cloud service providers to ensure that risks are addressed and monitored.
Contractual terms – As with the equivalent guidelines from the EBA and EIOPA, the ESMA Guidelines specify certain terms that should be included in any cloud outsourcing agreements. This may mean that In-scope Firms need to renegotiate their terms with providers, in particular to include terms on access and audit rights and sub-outsourcing.
Access and audit rights – Agreements should enable the "effective exercise" of access and audit rights in relation to cloud service providers. However, In-scope Firms will not necessarily be required to conduct their own audits; in certain cases, relying on third-party certifications or audit reports may be appropriate provided relevant requirements are met.
Sub-outsourcing – The ESMA Guidelines increase In-scope Firms' oversight of 'sub-outsourcing' by cloud service providers, including the conditions under which any sub-outsourcing should take place.
Information security – One area where the ESMA Guidelines include more detail than the equivalent guidelines from the EBA and EIOPA is the information security requirements for outsourcing of critical or important functions. For example, the ESMA Guidelines include requirements relating to encryption and key management, identity and access management, network security, integration of APIs etc., in each case following a risk-based approach.

By contrast, the EBA and EIOPA have implemented separate, more detailed guidelines on requirements for ICT security and risk management generally (rather than cloud specific).
Exit strategies – In-scope Firms need to ensure that they can exit cloud outsourcing arrangements without undue disruption to their activities and services. This includes developing exit strategies, such as planning (and testing) how a firm might migrate the relevant services back to the firm (on-premises) or to another provider.

Importantly, the ESMA Guidelines emphasise that firms should implement the requirements in a way which is proportionate to the nature, scale and complexity of the function(s) being outsourced, and following a risk-based approach.

Note that similarly to the guidelines from EIOPA, the ESMA Guidelines only apply to cloud outsourcing arrangements. This also includes arrangements where firms outsource to another party (such as a software-as-a-service (SaaS) provider) who then further outsources to a cloud service provider. By contrast, the guidelines from the EBA apply to all outsourcing by firms.

What's new?

Currently, different types of In-scope Firms are subject to various different outsourcing requirements under the relevant sectoral legislation (including the AIFMD, the UCITS Directive, MiFID II, EMIR, Benchmark Regulation, and various other pieces of sectoral legislation).

As a result, the existing outsourcing rules have tended to be highly fragmented across different sectors and EU Member States. To address this, the ESMA Guidelines seek to implement a more convergent approach to supervision of cloud outsourcing, recognising that the risks relating to cloud outsourcing are likely to be similar for different types of firms. However, it is important to note that the ESMA Guidelines are without prejudice to applicable requirements in sectoral legislation, which in some cases, may include more stringent requirements.

How do the ESMA Guidelines fit with wider regulatory trends on outsourcing and ICT risk?

ESMA stated that it took the equivalent guidelines from the EBA and EIOPA into account when preparing the ESMA Guidelines. Although the ESMA Guidelines are broadly in line with the EBA and EIOPA guidelines, the ESMA Guidelines are more condensed, less prescriptive in how they should be applied, and in some areas, go further than the EBA and EIOPA guidelines. For example, the ESMA Guidelines include more detail on information security requirements, and additional provisions on termination and data deletion.

In-scope Firms that are also supervised by the EBA or EIOPA might therefore have preferred a more directly aligned approach. For this kind of cross-sector alignment on the use of cloud services and other Information and Communication Technologies (ICT), it looks as if firms will need to wait for the proposed EU regulation on digital operational resilience (DOR Regulation) - see our separate briefing here. Once in force, the DOR Regulation will entrench into EU legislation many concepts and provisions currently set out in the guidance from the EBA, EIOPA and ESMA.