The European Securities and Markets Authority (ESMA) has published the final report on its guidelines on outsourcing to cloud service providers (CSPs).

The Guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance to firms on:

  • The risk assessment and due diligence that they should undertake on their CSPs;
  • The governance, organisational and control frameworks that they should put in place to monitor the performance of their CSPs and how to exit their cloud outsourcing arrangements without undue disruption to their business;
  • The contractual elements that their cloud outsourcing agreement should include; and
  • The information to be notified to competent authorities.

In addition, the Guidelines provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach in the EU.

ESMA conducted a public consultation on these Guidelines to gather the views of relevant stakeholders. The report published today contains a feedback statement summarising the responses received and highlighting the amendments and clarifications introduced in the final guidelines to take into account the feedback received during this consultation.

Click on the link for further information.