12.1.2022

New Guidelines From ESMA on the Outsourcing of Cloud Services for the Financial Sector – Check Your Policies by the End of This Year

On 31 July 2021, the Guidelines on outsourcing to cloud service providers issued by the European Securities and Markets Authority (ESMA) became applicable to all cloud outsourcing arrangements entered into, renewed or amended on or after that date.

The new Guidelines help firms to identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements, which continue to become more common.

In addition to competent authorities, the Guidelines apply to certain players in the financial sector, including undertakings for collective investment in transferable securities, central counterparties, investment firms and credit institutions when carrying out investment services and activities, and credit rating agencies.

The Guidelines supplement the previous guidelines on outsourcing issued by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). ESMA has stated that the new Guidelines are consistent with the previously issued guidelines. Even though this consistency is useful for firms falling within the scope of ESMA's Guidelines, each set of guidelines on cloud outsourcing must be examined separately, taking into account its individual scope of application.

What do firms have to consider under the new Guidelines?

The Guidelines set out altogether nine guidelines that firms must take into account in their cloud outsourcing arrangements.

1. The firm must have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s strategies and internal policies and processes.

The responsibilities for the documentation, management and control of cloud outsourcing arrangements must be clearly assigned within the organisation. An internal oversight function must be set up taking into account the nature and scale of the business; a clear allocation of tasks and responsibilities for management and oversight is the minimum requirement.

Firms not categorised as small must establish an oversight function or designate senior staff members who are directly accountable to the management body and responsible for managing and overseeing the risks. The oversight must be risk-based, with a primary focus on critical or important functions.

An up-to-date register of information must be maintained on all cloud outsourcing arrangements. The firm must periodically reassess whether each cloud outsourcing arrangement concerns a critical or important function, and the arrangements concerning critical or important functions must be distinguished from other outsourcing arrangements in the register.

2. Before entering into any cloud outsourcing arrangement, the firm must conduct an analysis and a due diligence review proportionate to the nature of the arrangement in question.

The firm must assess if the cloud outsourcing arrangement concerns a critical or important function and identify and assess all relevant risks and any conflicts of interest. The analysis must include an assessment of the potential impact of the cloud outsourcing arrangement on the firm’s operational, legal, compliance, and reputational risks.

Compared with the EBA cloud outsourcing guidelines, the ESMA Guidelines add further factors to be considered in the due diligence on the cloud service provider, for example service support, including support plans and contacts, and disaster recovery plans.

3. As a minimum requirement, the respective rights and obligations of the parties should be clearly set out in a written agreement.

The written agreement must include, at a minimum, a clear description of the outsourced function; the term of the agreement, its termination and the firm's right to terminate it; the financial obligations of the parties; provisions on information security and the protection of personal data; access and audit rights; and the minimum obligations imposed on the cloud service provider.

4. Information security requirements must be included in the cloud outsourcing agreement.

The firm must set information security requirements in its internal policies and procedures and in the cloud outsourcing agreement, and must monitor compliance with these requirements on an ongoing basis, including in order to protect confidential, personal or otherwise sensitive data.

In case of outsourcing of critical or important functions, the firm must, inter alia,

Although the EBA guidelines include provisions of a similar nature, the ESMA Guidelines' provisions on strong authentication mechanisms and on a risk-based approach differ from them or are entirely new.

5. The agreement must include exit strategies that do not cause undue disruption to the business activities and/or services.

In case of outsourcing of critical or important functions, the firm must ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and to its services to clients, without detriment to its compliance with its obligations under the applicable legislation, and without compromising the confidentiality, integrity and availability of its data.

The firm must develop an exit strategy and identify alternative solutions. The firm must also define success criteria for the transition and assign roles and responsibilities to manage the exit strategy.

6. The agreement may not limit access and audit rights.

The firm must ensure that the written cloud outsourcing agreement does not limit the effective exercise of the firm's and the competent authority's access and audit rights and oversight options in respect of the cloud service provider.

Firms may use audit resources more efficiently and reduce the organisational burden on the cloud service provider and its clients by relying on third-party certifications and external or internal audit reports, and by conducting pooled audits, without prejudice to their final responsibility for their cloud outsourcing arrangements.

7. If sub-outsourcing is agreed upon, the agreement must specify clear obligations and requirements.

If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the written cloud outsourcing agreement between the firm and the cloud service provider must include certain provisions on sub-outsourcing and must ensure that the cloud service provider properly oversees the subcontractor.

8. The firm should notify its competent authority in writing and in a timely manner of planned cloud outsourcing arrangements that concern a critical or important function.

Cloud outsourcing arrangements concerning a function that was previously classified as non-critical or non-important but has since become critical or important must also be notified to the competent authority.

9. The supervision by competent authorities focuses on the arrangements that relate to the outsourcing of critical or important functions.

Competent authorities assess the risks arising from firms' cloud outsourcing arrangements as part of their supervisory process, focusing in particular on arrangements that relate to the outsourcing of critical or important functions, and on this basis assess whether

Consequences and future prospects

Firms must assess and change their current cloud outsourcing arrangements to comply with the Guidelines by 31 December 2022.

Adding pressure to this assessment and to any resulting changes is the requirement that, if the cloud outsourcing arrangements of critical or important functions have not been assessed by the end of 2022, firms must notify the competent authorities of this and include in the notification the measures planned for completing the assessment or, alternatively, the possible exit strategy.


Pia Ek

Miika Junttila

Lauri Laatunen

Ida Laakkonen
