Editor’s Note: The European Securities and Markets Authority (ESMA) is an independent EU Authority that contributes to safeguarding the stability of the European Union’s financial system by enhancing the protection of investors and promoting stable and orderly financial markets. As part of its role in assessing risks to investors and markets, ESMA recently published consultative guidelines for cloud outsourcing. This update presents ESMA considerations for financial market participants on outsourcing to cloud service providers. While focused on financial markets, the information may be beneficial for legal, business, and information technology professionals as they consider the cloud.
Consultation Paper: Draft Guidelines on Outsourcing to Cloud Service Providers
Firms are increasingly outsourcing to cloud service providers. Although cloud outsourcing can offer a number of benefits, including reduced costs and enhanced operational efficiency and flexibility, it raises challenges in terms of data protection and information security. Concentration risk can also arise, as a result of many firms using the same large cloud service providers, with potential negative outcomes for financial stability.
ESMA identified the need to develop guidance on outsourcing to cloud service providers following the European Commission’s FinTech Action Plan and feedback received from firms and stakeholders. Considering that the main risks associated with cloud outsourcing are similar across sectors, ESMA has considered the recent guidelines published by EBA and EIOPA, namely the EBA Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud service providers, and the EIOPA Guidelines on outsourcing to cloud service providers.
In accordance with Article 16(2) of Regulation (EU) No 1095/2010 (the ‘ESMA Regulation’), as recently amended, this paper sets out for consultation draft ESMA guidelines on outsourcing to cloud service providers.
The purpose of these draft guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. These draft guidelines are intended to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, monitoring outsourced activities to providing for exit strategies).
ESMA Draft Guidelines on Outsourcing to Cloud Service Providers (3 June 2020)