ESMA publishes cloud outsourcing guidelines


The European Securities and Markets Authority (ESMA), the EU’s securities markets authority, has today published the final report on its guidelines on outsourcing to cloud service providers (CSPs).

The Guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance to firms on:

  • The risk assessment and due diligence that they should undertake on their CSPs;
  • The governance, organisational and control frameworks that they should put in place to monitor the performance of their CSPs and how to exit their cloud outsourcing arrangements without undue disruption to their business;
  • The contractual elements that their cloud outsourcing agreement should include; and
  • The information to be notified to competent authorities.

In addition, the Guidelines provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach in the EU.

ESMA conducted a public consultation on these Guidelines to gather the views of relevant stakeholders. The report published today contains a feedback statement summarising the responses received and highlighting the amendments and clarifications introduced in the final guidelines to take into account the feedback received during this consultation.

Next steps

The guidelines will be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.

More on the same topic