ESMA Guidelines on Outsourcing to Cloud Service Providers
ESMA's cloud outsourcing guidelines impose a governance and contractual framework on regulated firms that fundamentally changes how cloud procurement, monitoring, and exit planning must be engineered.
ESMA's Guidelines on Outsourcing to Cloud Service Providers (ESMA50-164-4285, published 18 December 2020 and applicable from 31 July 2021) apply, among others, to investment firms under MiFID II, AIFMs and UCITS management companies, and CCPs and trade repositories under EMIR. The document is structured as nine guidelines: governance, oversight and documentation; pre-outsourcing analysis and due diligence; key contractual elements; information security; exit strategies; access and audit rights; sub-outsourcing; written notification to competent authorities; and supervision by competent authorities. They were drafted to be consistent with the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) and the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), and for entities in scope of DORA the DORA provisions on ICT third-party risk take precedence from 17 January 2025. Two classification decisions drive the compliance effort: first, whether a cloud arrangement is outsourcing at all (a service the firm would otherwise perform itself), and second, whether it concerns a critical or important function, judged on the materiality of the function and how easily the provider could be substituted. Arrangements concerning critical or important functions attract the full set of requirements, including prior notification to the competent authority.
Engineering compliance with the ESMA cloud guidelines requires building a cloud governance framework with specific technical components. The key contractual elements (Guideline 3) mandate that written agreements with cloud service providers cover: access and audit rights for the firm and its competent authority (third-party certifications such as ISO 27001 or SOC 2 Type II reports may supplement the firm's own audit work but do not replace the contractual right to audit), conditions and notification for sub-outsourcing, the location of data and processing, data portability and return on termination, business continuity and incident-reporting obligations, and termination rights that allow an orderly exit. Firms must maintain an up-to-date register of all cloud outsourcing arrangements, flagging those that concern critical or important functions, and make it available to competent authorities on request. The information security requirements (Guideline 4) map naturally to ISO/IEC 27017 (cloud-specific security controls) and call for encryption of data in transit and at rest where appropriate, documented key management, strong authentication and access controls, and logging of access to the firm's data. Oversight obligations require ongoing monitoring of the provider's performance against agreed service levels, timely incident reporting from the CSP, and periodic, risk-based review of each arrangement, with critical or important arrangements reviewed most frequently.
The intersection with DORA (for in-scope financial entities from 17 January 2025) creates layered obligations. DORA's Chapter V on managing ICT third-party risk adds requirements for monitoring concentration risk, a register of information on all ICT third-party arrangements (which subsumes the ESMA cloud register), minimum contractual provisions, and the EU oversight framework for critical ICT third-party providers designated by the ESAs. Separately, DORA's Chapter IV requires threat-led penetration testing for designated financial entities, and the scope of that testing can extend to systems operated by the firm's ICT third-party providers. A practical complexity is the exit strategy requirement: firms must document and periodically test their ability to exit a cloud arrangement for a critical or important function and either bring it in-house or transfer it to an alternative provider within a defined transition timeline. Doing so credibly requires working knowledge of the provider's data export formats, application portability (containers, infrastructure as code), and transition service arrangements with the outgoing provider.
We implement ESMA cloud outsourcing compliance programmes covering contractual gap analysis against CSP agreements, cloud register construction and maintenance, security control mapping to ISO/IEC 27017, and technical exit strategy documentation, including data portability testing and alternative provider readiness assessments. Our governance tooling integrates with DORA ICT third-party risk management obligations, including the DORA register of information.