NEW CYSEC CIRCULAR C457 adopting ESMA Guidelines on Outsourcing to Cloud Services Providers

On 9 July 2021 the Cyprus Securities and Exchange Commission (“CySEC”) has adopted the Guidelines of the European Securities and Markets Authority (“ESMA”) on Outsourcing to Cloud Services Providers (“CSPs”) (the “Guidelines”).

Firms that must review and follow the new Guidelines are, among others: alternative investment fund managers (AIFMs), management companies of collective investment schemes (ManCos), trade repositories and investment firms (CIFs).

The purpose of the Guidelines is to establish a harmonized framework of uniform and effective practices for firms to follow when outsourcing to CSPs within the European System of Financial Supervision (“ESFS”).

As per the Guidelines:

Firms are expected to have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s internal policies and processes;
Pre-outsourcing analysis and due diligence must be conducted before entering into any cloud outsourcing arrangement, which is proportionate to the nature of the function that the firm intends to outsource;
Contractual agreements between firms and CSPs must clearly set out the rights and obligations of each party, as well as expressly prescribing that the firm may terminate the agreement;
Specific provisions for information security and sub-outsourcing must be encapsulated in outsourcing contracts;
When such agreements concern a critical or important function, firms should notify CySEC accordingly;
As the relevant competent authority, CySEC shall supervise and conduct a risk assessment of cloud outsourcing arrangements.

The Guidelines apply as of 31 July 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms are, therefore, required to review and amend their existing cloud outsourcing arrangements to ensure that they are in alignment with the Guidelines by 31 December 2022. In case Firms are not able to meet this deadline on cloud outsourcing arrangements of critical or important functions, they should inform CySEC, together with their plan of action for compliance with the Guidelines.

Authors: Huseyin Erguven, Polyvios Nikolaou

Cookie	Type	Duration	Description
cookielawinfo-checkbox-necessary	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	persistent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
PHPSESSID	persistent	1 year	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	persistent	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	persistent	1 year	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
_ga	persistent	1 year	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat_gtag	persistent	1 year	Identification code of website for tracking visits.
_gid	persistent	1 year	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_hjid	persistent	1 year	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	persistent	1 year	This cookie is set to let Hotjar know whether that visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc.
has_recent_activity	persistent	1 year	This cookie is used to signal to the code repository website if the user has browsed other website resources during the current session.
tk_ai	persistent	1 year	Gathers information for our own, first party analytics tool about how our services are used. A collection of internal metrics for user activity, used to improve user experience.
tk_lr	persistent	1 year	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_or	persistent	1 year	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_qs	persistent	1 year	Gathers information for our own, first party analytics tool about how our services are used. A collection of internal metrics for user activity, used to improve user experience.
tk_r3d	persistent	1 year	The cookie is installed by JetPack. Used for the internal metrics fo user activities to improve user experience

Cookie	Type	Duration	Description
_fbp	persistent	1 year	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	persistent	1 year	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.

NEW CYSEC CIRCULAR C457 adopting ESMA Guidelines on Outsourcing to Cloud Services Providers

About this Article

Author

Polyvios Nikolaou

Share

NEW CYSEC CIRCULAR C457 adopting ESMA Guidelines on Outsourcing to Cloud Services Providers

About this Article

Author

Polyvios Nikolaou

Share

Related articles

Stay Always In Touch