The European Securities and Markets Authority (ESMA), the EU’s securities markets authority, has published the final report on its guidelines on outsourcing to cloud service providers (CSPs). The guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements.
They provide guidance to firms on:
- The risk assessment and due diligence that they should undertake on their CSPs;
- The governance, organizational and control frameworks that they should put in place to monitor the performance of their CSPs, and how to exit their cloud outsourcing arrangements without undue disruption to their business;
- The contractual elements that their cloud outsourcing agreement should include; and
- The information to be notified to competent authorities.
In addition, the guidelines provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach in the EU.