Outsourcing to cloud service providers: organizational requirements

8 min reading time

In a previous article, we discussed the entry into force of the ESMA guidelines on outsourcing to cloud service providers. In the first article, we discussed the general outline of the guidelines. This time, we will delve deeper into the new organizational requirements that must be met in the absence of outsourcing of critical or important functions. In other words, “what are the minimum actions we have to take?”.


Organizational requirements

To continue on this “what” question, it is worth remembering that the Guidelines came into effect on July 31, 2021, and thus all outsourcing agreements regarding cloud services must comply with the Guidelines if they:

  • Entered into force;
  • Are or will be extended; or
  • Are amended.


Ultimately, all existing outsourcing agreements must be amended to comply with these Guidelines by December 31, 2022. One important note should be made immediately in this regard. This is because the extent to which an organization needs to comply with the guidelines depends heavily on whether the cloud services being outsourced are related to critical or important functions. If these are critical or important functions, then the organization must comply with all guidelines. However, if no critical or important functions are involved, then not all guidelines apply.

Below we will discuss the guidelines that apply if no important or critical functions are involved. In other words, the organizational requirements that all organizations must meet, regardless of whether a critical function is involved.

Guideline 1. Governance, oversight and documentation

An organization must:

  1. Have an outsourcing strategy for cloud services;
  2. Assign responsibility for documents and management of (and oversight of) cloud outsourcing agreements;
  3. Have allocated resources that ensure compliance with guidelines and legal requirements;
  4. Appoint a person responsible for managing and overseeing the risks of cloud service outsourcing agreements;
  5. Have a management body that has the technical skills to understand the risks of cloud services outsourcing agreements (or for smaller organizations ensure adequate oversight of the outsourcing agreements)
  6. Periodically reassess whether its cloud services outsourcing agreements involve a critical or important function;
  7. Maintain an updated registry containing information on all of its cloud services outsourcing agreements. Based on a risk assessment, it should be determined which data should be included in the register.

Guideline 2. Pre-outsourcing analysis and due diligence

Before entering into an outsourcing agreement, various assessments and analyses must take place. These can be divided into:

  • A classification of the function being outsourced to the cloud, critical/important or not;
  • An assessment of the risks involved with the outsourcing agreement;
  • An analysis on potential conflicts of interest in the outsourcing; and
  • Conducting appropriate due diligence on the potential service provider, also known as the Cloud Service Provider or CSP. Certifications and reports from external or internal audits may be used to support this investigation.


The analysis performed should be commensurate with the nature, size and complexity of the function to be outsourced. In the end, it comes down to an assessment that addresses the operational, legal, compliance and reputational risks to the company.

Finally, when entering into a new agreement with an already assessed CSP or when renewing an existing contract, it has to be determined again whether new due diligence is required. This may be risk-based approach.

Guideline 3. Key contractual elements

Entering into an outsourcing agreement always comes with certain rights and obligations for a company and the CSP. These rights and obligations must be clearly laid out in an agreement. In addition, the guidelines make it mandatory to include a passage on termination of the agreement. For non-critical or important functions that are outsourced to a CSP, that’s all. In our view, however, organizations should go a step further even in the case of non-critical or important functions. For example, by including, in accordance with point (g) of section 28, a passage with provisions on information security at the CSP, as is mandatory in the case of outsourcing of critical and important functions. In any case, Guideline 4 (see below) makes it clear that the intention is that information security must be part of the outsourcing agreements.

Guideline 4. Information security

Having an information security policy is a requirement for having an honest and controlled business operation. The AFM has described in its “principles for information security” how it expects organizations to deal with information security. The importance of this is also reflected in this guideline.

Guideline 4 also states that the information security level of the organization must be translated into requirements. These requirements must then be included in the outsourcing agreement with the CSP. Laying down the requirements is step one in this process. Our recommendation is to also add as a step to the outsourcing agreement that compliance with these requirements will be monitored, which will then have to be reported in the SLA reports. ESMA states that the security requirements must be in proportion to the nature, scale and complexity of the function being outsourced. A fairly open standard.

However, if it concerns a critical or important function, then the guidelines do indicate at a detailed level which components one must think of when arranging information security. To fill in the open norm when an organization has not outsourced critical or important functions, the organization could draw inspiration from those detailed obligations around information security that apply to critical or important outsourced functions.

Guideline 6. Access and Audit Rights

The other guidelines either apply only to cloud outsourcing of critical and important functions, or relate to the regulator itself (guideline 9). One exception is Guideline 6. This guideline raises many questions about the regulation of access and audit rights.

In the first paragraph of Guideline 6, ESMA writes something interesting. In this paragraph, the regulator states that the written outsourcing agreement for cloud services should not impose restrictions on the effective exercise of access and audit rights and supervisory options by the company and the competent authority.

Thus, it does not explicitly state that the right of access and audit should be a mandatory part of the outsourcing agreement. However, our advice is to always include such a right in your (cloud) outsourcing agreement. This is particularly important to enable your organization to always be able to inform itself of the quality of services/cloud services, including, for example, security requirements. An independent audit or certification can help with this and is also explicitly mentioned by ESMA. However, an audit report or certification does not detract from the company’s ultimate responsibility on these subjects.

In the explanation of the guidelines that can be found in ESMA’s response to its consultation round, ESMA clearly states that the access and audit right component should not lead to an excessive burden for both the company and the CSP. Translated: there is room to apply the guidelines proportionally. This means that if you can also secure the access and audit right, or the goal you want to achieve with it, in another way, you may do so.

In summary

When it comes to the outsourcing to CSPs of functions that are not critical or important, one still needs to have several elements from these guidelines in place. Fortunately, many of these elements correspond to obligations that organizations should already be familiar with from a management perspective.

Summarized, you should think at a minimum of:

  • Making sure that you assign someone in the organization the responsibility for managing outsourcing and making sure that this person is also given the time to do this formally;
  • Recording your outsourcings in an overview, including the considerations for deciding whether or not to classify them as critical or important and document the elements from guideline 2;
  • Arranging your outsourcing agreements properly, taking into account:
    • The ability to (and how) terminate the agreement;
    • Information security requirements;
    • How the right of access and audit for yourself and the regulator is not restricted.


Sounds simple, right? Unless your outsourced function to the Cloud is a critical or important function of course. Then you need to consider more elements of these guidelines.

Do you want advice on how exactly to determine whether an outsourced function to the Cloud is critical or important to your business? Or do you want our experts to help you determine what steps to take to successfully implement the ESMA guidelines in your organization? Please feel free to get in touch.

Request a free consultation