ESMA Publishes Cloud Outsourcing Guidelines


The European Securities and Markets Authority (ESMA), the EU’s securities markets authority, has published the final report on its guidelines on outsourcing to cloud service providers (CSPs).

The Guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance to firms on:

  • The risk assessment and due diligence that they should undertake on their CSPs;
  • The governance, organisational and control frameworks that they should put in place to monitor the performance of their CSPs and how to exit their cloud outsourcing arrangements without undue disruption to their business;
  • The contractual elements that their cloud outsourcing agreement should include; and
  • The information to be notified to competent authorities.

In addition, the Guidelines provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach in the EU.

ESMA conducted a public consultation on these Guidelines to gather the views of relevant stakeholders. The report published today contains a feedback statement summarising the responses received and highlighting the amendments and clarifications introduced in the final guidelines to take into account the feedback received during this consultation.

Exit Strategy

For many firms the focus of effort is on evaluating the possibilities of using the cloud, choosing providers and making the transition. ESMA makes clear that firms need the reverse step, a way to leave a cloud service without disrupting the normal flow of business.

In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data. For that purpose, a firm should:

a) develop exit plans that are comprehensive, documented and sufficiently tested. These plans should be updated as needed, including in case of changes in the outsourced function;

Next steps

The guidelines will be translated into the official EU languages and published on ESMA’s website. The publication of the translations in all official languages of the EU will trigger a two-month period during which NCAs must notify ESMA whether they comply or intend to comply with the guidelines.


Click here to read the final PDF report