Cloud outsourcing: ESMA consults on new guidelines


Cloud outsourcing: ESMA consults on new guidelines

5 June 2020

Regulatory News Alert

Context and objectives

On 3 June 2020, the European Securities and Markets Authority (ESMA) published a consultation paper on guidelines on outsourcing to cloud service providers (the “Guidelines”) as cloud solutions are commonly used by financial firms. From a supervisors’ point of view, these solutions may raise challenges regarding data protection and location (to determine the applicable law), security issues and even concentration risks, which may adversely affect investor protection, market integrity and financial stability.

PDF - 433kb

Therefore, ESMA has identified a need for specific guidelines that provide ground rules for financial market participants when outsourcing to cloud service providers. In particular, the Guidelines aim to help firms and competent authorities identify, address and monitor the risks and challenges that can arise from cloud outsourcing arrangements. Furthermore, the Guidelines should reduce the risk of divergent interpretations that may lead to discrepancies in how the relevant provisions across Member States are applied and supervised (determining a risk of regulatory arbitrage and circumvention of rules).

A comparison can be drawn with the EBA cloud outsourcing guidelines published last year; therefore, the key areas covered in the Guidelines include the following:

  • The governance, documentation, oversight and monitoring mechanisms that firms should have in place. A firm should have a defined, up-to-date cloud outsourcing strategy that is consistent with its relevant strategies, such as its information and communication technology strategy, information security strategy, operational risk management strategy, and internal policies and processes.
  • The assessment and due diligence that should be undertaken before outsourcing. The pre-outsourcing analysis and due diligence performed should be proportionate to the nature, scale and complexity of the function that the firm intends to outsource and the risks inherent to this function.
  • The minimum elements that outsourcing and sub-outsourcing agreements should include. The respective rights and obligations of a firm and its cloud service provider should be clearly assigned and set out in a written agreement.
  • The exit strategies. When outsourcing critical or important functions, a firm should ensure it can exit cloud outsourcing arrangements without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with applicable legal requirements, as well as the confidentiality, integrity and availability of its data.
  • The access and audit rights. The written agreement should not limit the firm’s effective exercise of access and audit rights as well as its oversight of the cloud service provider.
  • The notification to competent authorities. If the outsourcing of critical or important functions is planned, the competent authority should be notified in a timely manner.
  • The supervision by competent authorities. Competent authorities should assess the risks arising from firms’ cloud outsourcing arrangements as part of their supervisory process. In particular, this assessment should focus on the arrangements regarding the outsourcing of critical or important functions. Competent authorities should also be satisfied that they can perform effective supervision, in particular when firms outsource critical or important functions outside the European Union.

Next steps

All interested parties should submit their comments by 1 September 2020. ESMA aims to publish the Final Report on the Guidelines by Q4 2020/Q1 2021.

How can Deloitte help?

Disrupt. Transform. Repeat. That’s the new normal. Done right, the cloud doesn’t just drive that reality—it can turn it into your advantage. Deloitte’s end-to-end capabilities and understanding of your business and industry can help amplify the transformative value of the cloud.

Our broad array of services includes:

  • Compliance assessment: gap analysis of our clients’ cloud projects compliance with laws and regulations and pragmatic recommendations for improvement.
  • Assistance in documenting the register: preparation (or quality assurance) of the cloud outsourcing register.
  • Assistance in communications with the regulator: preparation (or quality assurance) of application files and participation in regulator meetings, for example:
    • Authorization requests for financial professionals wanting to use cloud solutions.
    • Authorization requests for Support PSFs wanting to offer cloud solutions.
    • Gap analysis of CSSF requirements for cloud service providers wanting to expand in the Luxembourg financial sector.
  • Cloud strategy and readiness: your journey into the cloud needs to navigate pitfalls and opportunities that are unique to your business alone. Mapping out a clear strategy and preparing your organization are essential steps to achieving your business goals.
  • Cloud package implementation: there are multiple SaaS solutions on the market for every common business process. Each solution has its strengths and weaknesses, best uses and fits; knowing what these are and how they will affect your business is critical for success.
  • Custom migration consulting services: a simple “lift-and-shift” approach to moving your applications to the cloud often bypasses the key benefits associated with the cloud—cost saving, scalability, increased speed and flexibility.
  • IT operating model with the cloud: as the workload shifts to new and more business-aligned tasks, IT needs to adjust to this new reality. Governance, service delivery, integration architecture, supplier management and service measurement are among the areas that require recalibration.

Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better anticipate, manage and plan for upcoming regulations.


Subject matter specialists

Patrick Laurent
Partner – Technology & Innovation Leader
Tel : +352 45145 4170

Stéphane Hurtaud
Partner – Information & Technology Risk
Tel : +352 45145 4434

Roland Bastin
Partner –  Information & Technology Risk
Tel : +352 45145 2213

Irina Hedea
Partner – Information & Technology Risk
Tel : +352 45145 2944

Onur Ozdemir
Director – Information & Technology Risk
Tel : +352 45145 2207

Laureline Senequier
Director – Information & Technology Risk
Tel : +352 45145 4422

Regulatory Watch Kaleidoscope service

Simon Ramos
Partner – IM Advisory & Consulting 
Tel : +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory
Tel : +352 45145 2276

Benoit Sauvage
Director – RegWatch, 
Risk Advisory
Tel : +352 45145 4220

Marijana Vuksic
Manager – Regulatory & Consulting
Tel : +352 45145 2311


Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?