NEW CYSEC CIRCULAR C457 adopting ESMA Guidelines on Outsourcing to Cloud Services Providers

22 Jul 2021 | Polyvios Nikolaou

NEW CYSEC CIRCULAR C457 adopting ESMA Guidelines on Outsourcing to Cloud Services Providers

On 9 July 2021 the Cyprus Securities and Exchange Commission (“CySEC”) has adopted the Guidelines of the European Securities and Markets Authority (“ESMA”) on Outsourcing to Cloud Services Providers (“CSPs”) (the “Guidelines”).

Firms that must review and follow the new Guidelines are, among others: alternative investment fund managers (AIFMs), management companies of collective investment schemes (ManCos), trade repositories and investment firms (CIFs).

The purpose of the Guidelines is to establish a harmonized framework of uniform and effective practices for firms to follow when outsourcing to CSPs within the European System of Financial Supervision (“ESFS”).

As per the Guidelines:

  • Firms are expected to have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s internal policies and processes;
  • Pre-outsourcing analysis and due diligence must be conducted before entering into any cloud outsourcing arrangement, which is proportionate to the nature of the function that the firm intends to outsource;
  • Contractual agreements between firms and CSPs must clearly set out the rights and obligations of each party, as well as expressly prescribing that the firm may terminate the agreement;
  • Specific provisions for information security and sub-outsourcing must be encapsulated in outsourcing contracts;
  • When such agreements concern a critical or important function, firms should notify CySEC accordingly;
  • As the relevant competent authority, CySEC shall supervise and conduct a risk assessment of cloud outsourcing arrangements.

The Guidelines apply as of 31 July 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms are, therefore, required to review and amend their existing cloud outsourcing arrangements to ensure that they are in alignment with the Guidelines by 31 December 2022. In case Firms are not able to meet this deadline on cloud outsourcing arrangements of critical or important functions, they should inform CySEC, together with their plan of action for compliance with the Guidelines.


Authors: Huseyin Erguven, Polyvios Nikolaou

About this Article
Polyvios Nikolaou

Advocate / Senior

Link Copied!
Related articles