The European Securities and Markets Authority (ESMA) published the final report on its guidelines on outsourcing to cloud service providers (CSPs) to help firms identify, address and monitor the risks arising from these arrangements.
The European regulator said, “The increasing use of outsourcing to cloud service providers by firms brings benefits but is not exempt of challenges and risks. “
Covid-19 and the move to remote working accelerated a trend that was already happening as buy and sellside firms looked to reduce costs and focus on value add profit generating opportunities.
The guidelines provide a framework for the risk assessment and due diligence that should be undertaken when selecting CSPs as well as the governance, organisational and control structures needed to be implemented to monitor them. Also on the list is how companies can exit their cloud outsourcing arrangements without undue disruption to their business.
They also recommend looking carefully at the details of their cloud outsourcing agreement as well information that needs to be provided to the competent authorities who have been given their own set of guidelines on supervision.
The guidelines dovetail with those issued by the European Banking Authority as well as the European n Insurance and Occupational Pensions Authority.
The aim is to have a harmonised set of rules across the bloc because different national edicts can hinder the usage of this technology and the respective services. A more uniform approach would not only be relevant for the financial sector, but also for the economy as a whole, according to ESMA.
ESMA launched a public consultation earlier this year, gathering views of the different and relevant stakeholders. The next step is to translate them into the official EU languages and publish on ESMA’s website.