Following the end of the transitional period under the ESMA Guidelines on outsourcing to cloud services providers on 31 December 2022, all cloud outsourcing arrangements subject to these guidelines must be compliant. If this is not the case, the competent regulator must be notified. In case of critical or important outsourcing, a notice to the competent regulator is always required.
ESMA adopted detailed guidelines on cloud outsourcing arrangements in May 2021. These guidelines relate to the delivery of cloud services by a third party, being services using cloud computing (for example server access and external data storage).
At the time of adoption of the ESMA guidelines, it was stipulated that whereas new arrangements subject to these guidelines must be compliant by 31 July 2021, a transitional period applied to existing arrangements until 31 December 2022. As a result, the financial institutions these ESMA guidelines apply to (including alternative investment fund managers, management companies, investment firms and regulated market operators) were granted another one and a half years to bring their existing arrangements in line with these guidelines.
Deadline: 31 December 2022
As a result of the above, the existing arrangements must be reviewed and, where necessary, updated by 31 December 2022. If the existing outsourcing arrangements still do not meet the ESMA guidelines by 31 December 2022, for example because a review is still pending or amendments have not yet been finalised, the competent authority must be notified and must be informed what measures are planned to finalise the review and make the necessary amendments, and when this is expected to be completed.
Aspects to take into account
The ESMA guidelines include nine guidelines. These guidelines relate to (1) a compulsory outsourcing strategy, (2) an analysis and due diligence required prior to outsourcing, (3) key contract terms, (4) information security, (5) a necessary exit strategy, (6) access and information rights for the party outsourcing and the competent authority, (7) sub-outsourcing conditions (to the extent authorised), (8) notification to the competent authority and (9) supervision.
The ESMA guidelines are largely in line with other rules and regulations on outsourcing and do not include materially new elements. The ESMA guidelines therefore require a step-by-step process cycle of strategy adoption, analysis of envisaged outsourcing, due diligence of the third party, contracting, notification of the competent regulator (where necessary), and monitoring of the arrangement.
An important element of the ESMA guidelines is the distinction between critical or important outsourcing and other outsourcing. Outsourcing is deemed critical or important if failure in performance would materially impair the compliance, financial performance, soundness or continuity of the financial institution outsourcing. Guidelines 5, 7 and 8 apply to critical or important outsourcing only.
In line with the above, financial institutions subject to the ESMA Guidelines on outsourcing to cloud services providers must make sure their cloud outsourcing arrangements comply with the ESMA guidelines by 31 December 2022. This requires a review of the existing arrangements and, where necessary, amendment to bring the arrangements in line with the ESMA guidelines. It is advisable to do this before 31 December 2022, as otherwise a notice must be given to the competent regulator (usually the AFM). Bear in mind that a notice must in any event be given in respect of outsourcing that qualifies as critical or important.