ESMA revises cloud outsourcing guidelines to align with DORA

The European Securities and Markets Authority (ESMA) has published its final report, updating the 2021 guidelines on outsourcing to cloud service providers in line with the Digital Operational Resilience Act (DORA). The 2021 guidelines were designed to assist firms in identifying, managing and monitoring risks associated with cloud outsourcing. However, since the implementation of DORA in January, which covers the same scope including ICT third-party risks, these guidelines are no longer needed for most financial entities. However, DORA does not apply to certain depositories under the Alternative Investment Fund Managers Directive (AIFMD) and the Undertakings for Collective Investment in Transferable Securities Directive (UCITSD). Therefore, ESMA revises the scope of the 2021 guidelines to apply only to these specific depositaries that fall outside DORA′s coverage. According to ESMA, the content of the guidelines has not substantively changed. The updated guidelines will now be translated into all official EU languages and published on ESMA's website. National competent authorities must notify ESMA within two months of publication whether they comply or intend to comply with guidelines.

Return to main website.