[Newsflash n. 73]

Following the consultation launched on 3 June 2020, on 18 December 2020 ESMA published the final report on its guidelines on outsourcing to cloud service providers (CSPs). The guidelines are intended to help companies identify, address, and monitor the risks arising from cloud outsourcing arrangements, and they provide guidance to companies on a number of elements.

The guidelines address:

  1. Governance, documentation, oversight and monitoring mechanisms: a firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies and internal policies and processes, including in relation to information and communication technology, information security, and operational risk management. A firm should reassess whether its cloud outsourcing arrangements concern a critical or important function periodically and whenever the risk, nature or scale of an outsourced function has materially changed.
  2. Pre-outsourcing analysis and due diligence: the pre-outsourcing analysis and due diligence on the prospective CSP should be proportionate to the nature, scale and complexity of the function that the firm intends to outsource and the risks inherent to this function. It should include at least an assessment of the potential impact of the cloud outsourcing arrangement on the firm’s operational, legal, compliance, and reputational risks. In case the cloud outsourcing arrangement concerns critical or important functions, a firm should also:
    a) assess all relevant risks that may arise as a result of the cloud outsourcing arrangement, including risks in relation to information and communication technology, information security, business continuity, legal and compliance, reputational risks, operational risks, and possible oversight limitations for the firm.
    b) take into account the expected benefits and costs of the cloud outsourcing arrangement.
  3. Key contractual elements: the respective rights and obligations of a firm and its CSP should be clearly set out in a written agreement. The written agreement should expressly allow the possibility for the firm to terminate it, where necessary. In case of outsourcing of critical or important functions, the written agreement should include additional elements.
  4. Exit strategies: in case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
  5. Sub-outsourcing: if sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the CSP should contain additional requirements, such as indicating which functions may be sub-outsourced and what conditions must be met in the case of sub-outsourcing.
  6. Communications to the competent authorities and their supervisory activities: the firm should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangements that concern a critical or important function. The firm should also notify in a timely manner and in writing its competent authority of those cloud outsourcing arrangements that concern a function that was previously classified as non-critical or non-important and then became critical or important. Competent authorities should be satisfied that they are able to perform effective supervision, in particular when firms outsource critical or important functions that are performed outside the EU.

These guidelines apply to competent authorities and to (i) alternative investment fund managers (AIFMs) and depositaries of alternative investment funds (AIFs), (ii) undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of UCITS, and investment companies that have not designated a management company authorised pursuant to the UCITS Directive, (iii) central counterparties (CCPs), including Tier 2 third-country CCPs which comply with the relevant EMIR requirements, (iv) trade repositories (TRs), (v) investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues, (vi) central securities depositories (CSDs), (vii) credit rating agencies (CRAs), (viii) securitisation repositories (SRs), and (ix) administrators of critical benchmarks.
These guidelines will become applicable from 31 July 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. Firms should review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by 31 December 2022.

For any further clarification and/or for assistance on the topic of this Newsflash, please contact your reference contact in Legália.


Contacts:

Vito Vittore
Partner

Elena Pagnoni
Partner

Rocco Disabato
Associate

Tommaso Ceschia
Associate

Roberta Talone
Associate