12.1.2022

New Guidelines From ESMA on the Outsourcing of Cloud Services for the Financial Sector – Check Your Policies by the End of This Year

On 31 July 2021, the Guidelines on outsourcing to cloud service providers issued by the European Securities and Markets Authority (ESMA) became applicable to all cloud outsourcing arrangements entered into, renewed or amended on or after that date.

The new Guidelines help firms identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements, which continue to become more common.

In addition to competent authorities, the Guidelines apply to certain players in the financial sector, including undertakings for collective investment in transferable securities, central counterparties, investment firms and credit institutions when carrying out investment services and activities, as well as credit rating agencies.

The Guidelines supplement the previous guidelines on outsourcing issued by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). ESMA has stated that the new Guidelines are consistent with the previously issued guidelines. Although this consistency is helpful for firms falling within the scope of ESMA's Guidelines, each set of guidelines on cloud outsourcing must be examined separately, taking into account its own scope of application.

What do firms have to consider under the new Guidelines?

The Guidelines comprise nine individual guidelines that firms must take into account in their cloud outsourcing arrangements.

1. The firm must have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s strategies and internal policies and processes.

The responsibilities for the documentation, management and control of cloud outsourcing arrangements must be clearly assigned within the organisation. An internal oversight function must be established in proportion to the nature and scale of the business. A clear allocation of tasks and responsibilities for management and oversight is the minimum requirement.

Firms not categorised as small must establish an oversight function or designate senior staff members who are directly accountable to the management body and responsible for managing and overseeing the risks. The oversight must be risk-based, with a primary focus on critical or important functions.

An up-to-date register of information must be maintained on all cloud outsourcing arrangements. Firms must periodically reassess whether each cloud outsourcing arrangement concerns a critical or important function, and arrangements concerning critical or important functions must be distinguished from other outsourcing arrangements in the register.

2. Before entering into any cloud outsourcing arrangement, the firm must conduct an analysis and a due diligence review proportionate to the nature of the arrangement in question.

The firm must assess if the cloud outsourcing arrangement concerns a critical or important function and identify and assess all relevant risks and any conflicts of interest. The analysis must include an assessment of the potential impact of the cloud outsourcing arrangement on the firm’s operational, legal, compliance, and reputational risks.

Unlike the EBA cloud outsourcing guidelines, the ESMA Guidelines list additional factors to be considered in the due diligence on the cloud service provider, for example service support, including support plans and contacts, and disaster recovery plans.

3. As a minimum requirement, the respective rights and obligations of the parties should be clearly set out in a written agreement.

The written agreement must include a clear description of the outsourced function, the term and termination of the agreement, the firm's right to terminate it, the financial obligations of the parties, provisions on information security and the protection of personal data, access and audit rights, and the minimum obligations imposed on the cloud service provider.

4. Information security requirements must be included in the cloud outsourcing agreement.

The firm must set information security requirements in its internal policies and procedures and in the cloud outsourcing agreement, and must monitor compliance with these requirements on an ongoing basis, including in order to protect confidential, personal or otherwise sensitive data.

In the case of outsourcing of critical or important functions, the firm must, inter alia,

Although the EBA guidelines include provisions of a similar nature, the ESMA Guidelines' provisions on strong authentication mechanisms and on a risk-based approach differ from them or are entirely new.

5. The agreement must include exit strategies that do not cause undue disruption to the business activities and/or services.

In the case of outsourcing of critical or important functions, the firm must ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and to its services to clients, without detriment to its compliance with its obligations under applicable legislation, and without compromising the confidentiality, integrity and availability of its data.

The firm must develop an exit strategy and identify alternative solutions. The firm must also define success criteria for the transition and assign roles and responsibilities for managing the exit strategy.

6. The agreement may not limit access and audit rights.

The firm should ensure that the written cloud outsourcing agreement does not limit the effective exercise by the firm and by the competent authority of their access and audit rights and oversight options in respect of the cloud service provider.

Firms may make more efficient use of audit resources and reduce the organisational burden on the cloud service provider and its clients by relying on third-party certifications and external or internal audit reports, and by taking part in pooled audits, without prejudice to their ultimate responsibility for their cloud outsourcing arrangements.

7. If sub-outsourcing is agreed upon, the agreement must specify clear obligations and requirements.

If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the written cloud outsourcing agreement between the firm and the cloud service provider must include certain provisions and must ensure that the cloud service provider properly oversees the subcontractor.

8. The firm should notify its competent authority in writing and in a timely manner of planned cloud outsourcing arrangements that concern a critical or important function.

Cloud outsourcing arrangements concerning a function that was previously classified as non-critical or non-important but has since become critical or important must also be notified to the competent authority.

9. The supervision by competent authorities focuses on the arrangements that relate to the outsourcing of critical or important functions.

Competent authorities assess the risks arising from firms' cloud outsourcing arrangements as part of their supervisory process, focusing in particular on arrangements that relate to the outsourcing of critical or important functions, and on this basis assess whether

Consequences and future prospects

Firms must review their existing cloud outsourcing arrangements and amend them to comply with the Guidelines by 31 December 2022.

Adding pressure to this review is the requirement that if the review of cloud outsourcing arrangements concerning critical or important functions has not been completed by the end of 2022, the firm must notify its competent authority of this fact, and must include in the notification either the measures planned to complete the review or the possible exit strategy.

Pia Ek

Miika Junttila

Lauri Laatunen

Ida Laakkonen
