The European Securities and Markets Authority (herein after “ESMA”) has announced the final report on Guidelines concerning outsourcing to cloud service providers (CSPs).
The Guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance to firms on:
The risk assessment and due diligence that they should undertake on their CSPs;
The governance, organizational and control frameworks that they should put in place to monitor the performance of their CSPs and how to exit their cloud outsourcing arrangements without undue disruption to their business;
The contractual elements that their cloud outsourcing agreement should include; and
The information to be notified to competent authorities.
The Guidelines also provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach in the EU.
ESMA conducted a public consultation on these Guidelines to gather the views of relevant stakeholders. The report includes a feedback statement summarizing the responses received and highlighting the amendments and clarifications introduced in the final guidelines to take into account the feedback received during this consultation.
Next steps
The guidelines will be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.
If you have questions do not hesitate to contact us.