ESMA publishes final cloud outsourcing guidelines: what do firms need to do to prepare? | Dentons


Before digital operational resilience came into the full focus of the European Supervisory Authorities (including the European Securities and Markets Authority – ESMA) and national competent authorities (NCAs), cloud outsourcing was a primary area of rulemaking and supervisory guidance. On December 18, 2020, ESMA released its final Cloud Outsourcing Guidelines (the COGs). The responses to the public consultation on the COGs also set out further details on ESMA’s supervisory expectations.

The purpose of the COGs is to provide supervisory expectations for identifying, mitigating and managing cloud outsourcing risks as well as “software as a service” (SaaS) specific risks, both generally and specifically for “critical and important functions”, and to support a convergent approach to the supervision of cloud outsourcing arrangements by EU and national competent authorities.

The COGs were supposed to enter into force on January 1, 2021, but under the final version will enter into force on July 31, 2021 and apply to all cloud outsourcing arrangements that the persons to whom the COGs are directed (Relevant Persons) enter into, renew or amend on or after July 31, 2021.

ESMA equally expects that all Relevant Persons review and amend existing cloud outsourcing arrangements to which the COGs apply by December 31, 2022. This deadline may also coincide with a number of information and communication technology (ICT) project deadlines set by NCAs. Relevant Persons that do not comply with the December 31, 2022 deadline are required to inform their competent authority of this fact including measures planned to meet compliance or a relevant exit strategy. 

The COGs are the most recent set of guidelines from the ESAs and come in addition to the European Banking Authority’s (EBA) guidelines on outsourcing arrangements. The EU’s proposed Digital Operational Resilience Act (DORA) may harmonize a number of items that were published by ESMA and EBA (as well as by the third ESA, the European Insurance and Occupational Pensions Authority (EIOPA), and the European Central Bank). ESMA states in its introduction to the COGs that it has considered the EBA’s guidelines, which in turn incorporated and repealed the 2017 EBA recommendations on outsourcing to cloud service providers as well as the EIOPA guidelines on outsourcing to cloud service providers with a view to ESMA ensuring consistency amongst those three guidelines. ESMA’s introduction to the COGs also points to DORA and mentions that ESMA may amend the COGs in light thereof. 

Until DORA becomes operational, the COGs, along with the efforts of other supervisors, will each require review and compliance by firms to the extent they apply to them and to activity that falls within ESMA’s part of the Single Rulebook. This is certainly the case in the absence of cross-sectoral harmonization beyond what the COGs do for Relevant Persons within ESMA’s supervisory mandate, i.e. investment services. While the COGs will not apply to the UK, Relevant Persons with operations in the EU-27 and further afield will want to consider how the COGs interoperate with non-EU and thus third-country regimes. Relevant Persons may want to consider mapping out the most onerous compliance obligations so as to ensure they can meet those requirements where and when required.

Relevant Persons and the COGs

The COGs apply to EU authorities and NCAs and set harmonized requirements applicable to Relevant Persons in the EU-27, which include the following types of firms:

  1. Alternative investment fund managers (AIFMs) and their depositories; 
  2. Undertakings for collective investment in transferable securities (UCITS) management companies and their depositories;
  3. Central counterparties (CCPs) – including Tier 2 third-country CCPs which comply with the relevant EMIR requirements;
  4. Trade repositories;
  5. Investment firms and credit institutions when carrying out investment services and activities; 
  6. Data reporting services providers and Securitization Repositories;
  7. Market operators of trading venues;
  8. Central securities depositories (CSDs);
  9. Credit rating agencies; and
  10. Administrators of critical benchmarks as defined under the EU’s Benchmarks Regulation.

Relevant Persons are permitted to apply the rules in a way that is proportionate and risk-based, given the Relevant Person’s organization and the nature, scale and complexity of the functions being outsourced, as well as those linked to their critical and important functions. Regardless of proportionality and risk-based approaches, Relevant Persons need to ensure they can evidence compliance with a range of qualitative requirements, including having detailed:

Governance arrangements

Including maintaining a cloud outsourcing strategy, a clear allocation of roles and responsibilities, accountability of identified senior personnel and the management body, overall adequacy of resources and the handling of concentration risk. This is in addition to establishing either a cloud outsourcing oversight function or designating senior staff members who are directly accountable to the management body and responsible for managing and overseeing the risks of cloud outsourcing arrangements;

Risk assessments (which equally reflect Relevant Persons’ overall Risk Appetite Frameworks)

Carried out prior to entering into a cloud outsourcing arrangement and periodically thereafter “throughout the life of the arrangement”;

Systems and controls that facilitate resilient oversight and monitoring

Covering the relevant cloud service provider, its key performance indicators, risk drivers and other metrics, and including a register of information on all cloud outsourcing arrangements that distinguishes between the outsourcing of critical or important functions and other outsourcing arrangements. When making that distinction, Relevant Persons should provide a brief summary of the reasons why the outsourced function is or is not considered critical or important. Taking into account national law, a Relevant Person should also maintain a record of terminated cloud outsourcing arrangements for an appropriate period;

Robust contractual terms

Implementing certain provisions set out by the COGs (which the EBA and EIOPA’s efforts as well as those proposed under DORA follow) which apply to the primary outsourcing arrangement as well as to sub-outsourcing – the latter being an area in which the COGs place a greater burden on both cloud service providers (CSPs) and Relevant Persons, as compared to previous guidelines or those of other ESAs (or indeed NCAs);

Detailed and enforceable access and audit rights

In a manner that facilitates the “effective exercise” by the Relevant Person of access and audit of the cloud outsourcing and/or the sub-outsourcing provider or by the Relevant Person relying on third-party certifications or audit reports – the latter being an area that DORA’s proposal could improve on in its drafting;

ICT security measures

Which go beyond the equivalent principles set in the EBA and EIOPA publications in relation to cloud outsourcing (but not necessarily those of DORA), with the focus on ICT security and the scrutiny thereof skewed in favor of those ICT requirements connected to critical or important functions, therefore requiring firms to review which business/operational functions would qualify as such; and

Exit and insourcing strategies

As with the efforts of other ESAs, the COGs require Relevant Persons to maintain appropriate Exit and Insourcing Plans permitting a wind-down and migration of the relevant outsourcing arrangements back to the Relevant Person or to another outsourcing provider.

In light of the above, Relevant Persons may, as part of completing a 360-degree risk and compliance readiness assessment, need to review their cloud outsourcing and any sub-outsourcing in order to comply with the COGs, as well as in order to prepare for compliance with DORA.

Outlook and next steps

While the COGs are “another” piece of rulemaking on a thematic area that has been subject to extensive, often overlapping regulatory coverage, they will still need to be complied with. Relevant Persons cannot point to future rulemaking, including DORA, as a reason to wait. In terms of immediate next steps, the COGs will be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they intend to comply with the COGs as of July 31, 2021. It is conceivable that all NCAs will confirm they will apply the COGs.

Relevant Persons will want to consider performing a global but equally business-line specific gap analysis that maps the extent of global, EU-27, Banking Union specific and NCA-driven changes and assess which areas ought to be prioritized as part of a compliance action plan. 

Some of the factors Relevant Persons may wish to consider are how the degree of non-compliance might impact on risks to the firm, on risks to clients/counterparties and on risks to recovery and resolution planning, which, if left otherwise unremedied, could result in further adverse regulatory and supervisory scrutiny from multiple supervisors. Relevant Persons, especially smaller and/or less complex firms, will also want to consider to what extent they may rely on proportionality or simplified application of the COGs. 

In addition to the risk assessments and other points discussed above, Relevant Persons will want to update existing policies and procedures, ensure that governance and executive functions have received suitable training reflective of the risks and outcomes that the COGs aim to address, and quite possibly update the Risk Appetite Framework documents and quantitative arrangements to reflect the new priorities. It is also conceivable that, for some Relevant Persons following their review, changes may be required to insurance as well as to recovery and resolution arrangements or more targeted exit plans that might be triggered as part of a solvent wind-down.

In any event, all Relevant Persons, as part of their move to complying with the COGs and similar efforts of the other EU level authorities and the NCAs, will want to engage proactively with ICT service providers. This includes third-party and software as a service (SaaS) providers as well. Relevant Persons will also want to ensure that any documentation and non-documentation based changes that are undertaken within a specific firm (including any individual business units) are themselves suitably documented, i.e. through change management requests or by procuring other evidence to support that existing amendments are sufficiently resilient and continue to comply with the new frameworks.

Our Eurozone Hub lawyers are assisting a number of firms with ICT and outsourcing-risk gap analysis as well as updating of their cloud outsourcing and cyber-resilience policies and the relevant supervisory dialogue, including how to operationalize the relevant desired outcomes in documentation and non-documentation workstreams. 

If you would like to discuss any of the items mentioned above, in particular how to forward-plan and benefit from changes that are being proposed as well as how these developments fit into the 2021 supervisory priorities of the ECB-SSM, EBA and other ESAs, or how they may affect your business more generally, please contact any of our key contacts or the wider team from our Eurozone Hub.

  1. See 1st Alert in our series of deep dives on the EU’s Digital Operational Resilience Act (DORA) and 2nd Alert in our deep dives on DORA.
  2. Having closed its July consultation on the draft COGs on September 1, 2020.
  3. Available here.
  4. Including in Germany, through the Federal Financial Supervisory Authority’s changes to its own ICT rules and supervisory expectations discussed in our coverage here.
  5. Which were published February 25, 2019 and are available here and also cover outsourcing to cloud service providers.
  6. Which the COGs define as “means any function whose defect or failure in its performance would materially impair:
    1. a firm’s compliance with its obligations under the applicable legislation;
    2. a firm’s financial performance; or
    3. the soundness or the continuity of a firm’s main services and activities;”

  7. Relevant Persons must ensure their management body has the relevant technical skills to understand the risks involved in cloud outsourcing arrangements. Small and less complex firms should at least ensure a clear division of tasks and responsibilities for the management and oversight of cloud outsourcing arrangements.
  8. ‘ICT concentration risk’ means, as used in DORA, an exposure to individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other type of shortfall of the latter may potentially endanger the ability of a financial entity, and ultimately of the EU’s financial system as a whole, to deliver critical functions, or to suffer other type of adverse effects, including large losses.
  9. Notably ESMA states in paragraph 60 that: “ESMA has emphasized that CSPs should retain full accountability for those services that they sub-outsource, as indeed we believe that this is an important point that needs to be spelled out. This is without prejudice to the final responsibility of firms, which remain fully responsible for their outsourced functions.” Likewise, in paragraph 61 ESMA states that it “believes that the obligation for CSPs to notify firms of any planned outsourcing and the right for firms to object to such sub-outsourcing are important safeguards. ESMA has further specified that the notification period should be long enough at least for firms to carry out a risk assessment and to object or approve the sub-outsourcing. Finally, the need to distinguish between intra-group and other types of sub-outsourcing is not obvious to ESMA, considering the similar risks involved.”
  10. That being said, ESMA concludes in paragraph 41 that “A firm should assess such certifications and reports regularly and thoroughly, to ensure that they are adequate in terms of scope, relevant and performed according to best standards and practices. Furthermore, the use of such certifications and audit should not be interpreted as limiting the right of a firm to perform on-site audits at its discretion. ESMA has also clarified that firms should aim not to rely exclusively on such third-party certifications and audits over time.”