For pre-existing contracts and agreements that involve outsourcing to Cloud Service Providers, organizations have until December 31, 2022 to make the necessary adjustments. When critical and/or important functions are outsourced, organizations must notify the competent authority after this deadline, including a plan of action to complete the review (or exit strategy).
“ESMA’s guidance on this topic provides good tools to manage the main risks and make adequate arrangements with Cloud Service Providers,” says consultant Niels Huijpen. ”They contribute to being ‘in control’. Because they are relevant to many (large) supervised organizations in Europe, Cloud Service Providers, such as Microsoft and Amazon, are also responding by already making their contracts ‘compliant’.”
It’s not that only critical or important functions fall within the scope of the cloud outsourcing guidelines. The guidelines include definitions that organizations can use to determine (and record!) for themselves which guidelines or components do or do not apply. A good first step might be to determine whether the organization uses cloud services, and whether they are outsourced. And if so, does this involve outsourcing of a critical and/or important function? Every organization will have to make this analysis. Ultimately, this will yield an overview of all cloud outsourcing.
ESMA has defined nine guidelines on the following topics:
- Governance, Oversight and documentation
- Pre-outsourcing analysis and due diligence
- Key contractual elements
- Information security
- Exit strategies
- Access and Audit Rights
- Written notification to competent authorities
- Supervision of cloud outsourcing arrangements
For each of these topics, various sub-guidelines are included. The guidelines contain a combination of requirements for the organizational structure (policy and procedures), elements that must be included in contracts and Service Level Agreements and elements for which a record must be present. For example, when considering whether it is a critical or important function that is being outsourced or the register of (cloud) outsourcing.
As outlined before, the extent to which the guidelines apply to an organization depends on how critical or important the process, application or service is that is being outsourced. Because of the high organizational dependency when outsourcing functions that are critical or important, it is also important to continue to properly manage the risks. The ESMA guidelines can help with this, although implementation will require some effort in terms of record keeping.
Important to know, is that the last guideline in the list is not relevant to organizations. It is aimed at the competent authorities, i.e. the national supervisors, and also cites the risk-based approach. In practice, this means, for example, that the regulator should consider in its oversight the extent to which organizations have relevant governance, resources and implemented operational processes for entering into cloud outsourcing contracts and agreements adequately and ‘in control’.
We can imagine that the guidelines – despite their intended purpose – raise a lot of questions on your end. An example of a question we often get from our clients: Is Office 365 a cloud service and thus Microsoft a Cloud Service Provider? The answer to this is yes. However, whether this is a critical or important application for your organization is up to you. Tip: the definition of the guidelines explains how you should look at the terminology ‘critical or important’.
In a follow-up article, we will address frequently asked questions surrounding the interpretation of the ESMA Guidelines. We will delve deeper into the new organizational requirements that must be met in the absence of outsourcing of critical or important functions. In other words: “what do you need to have in place?”
Read follow-up article Contact
*AIFMs, UCITS management companies, CCPs, Trade Repositories, Investment Firms, Data reporting service providers, Market operators of trading venues, Central Securities Depositories, Credit Rating Agencies, Securitization repositories, Administrators of critical benchmarks.