Summary of CySEC's Circular C457
Memo #31-2021
CySEC Circular No: C457
Date: 09/07/2021
Subject: ESMA Guidelines on Outsourcing to Cloud Services Providers
Purpose: To inform Affected Persons that CySEC has adopted the Guidelines of the ESMA on Outsourcing to Cloud Services Providers (“CSPs”).
In Summary:
CySEC has issued the Circular C457 on 09/07/2021 to inform the Alternative investment fund managers (“AIFMs”) and Depositaries of alternative investment funds (“AIFs”), UCITS management companies and depositaries of UCITS, Central counterparties (“CCPs”) and Tier 2 third country CCPs which comply with the relevant EMIR requirements pursuant to Article 25(2b)(a) of EMIR, Trade repositories as defined in Article 2(2) of EMIR and in Article 3(1) of SFTR, Investment firms and credit institutions which carry out investment services and activities, Data reporting services providers and Market operators of trading venues, Central securities depositories (“CSDs”) as defined Article 2(1)(1) of CSDR, Credit rating agencies as defined in Article 3(1)(b) of the CRA Regulation, Securitisation repositories as defined in Article 2(23) of SECR and Administrators of critical benchmarks as defined in Article 3(1)(25) of the Benchmarks Regulation, that CySEC has adopted the Guidelines of the European Securities and Markets Authority (“ESMA”) on Outsourcing to Cloud Services Providers (“CSPs”) (the “Guidelines”).
The guidelines are 9 in total and aim to help firms and competent authorities identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements, from making the decision to outsource, selecting a cloud service provider, monitoring outsourced activities to providing for exit strategies and for the content of the relevant contractual arrangements. The requirements under the Guidelines are proportionate and more stringent where the outsourcing concerns critical or important functions.
The Guidelines apply from 31 July 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date.
CySEC notes that Firms should review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by 31 December 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalised by 31 December 2022, firms should inform their Competent Authority of this fact, including the measures planned to complete the review or the possible exit strategy.
As defined in this Curcular C457, Cloud Services Providers (“CSPs”) means a third-party delivering cloud services under a cloud outsourcing arrangement; whereas cloud means a paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources (for example servers, operating systems, networks, software, applications, and storage equipment) with self-service provisioning and administration on demand.
The ESMA Guidelines can be found on the following link: https://www.esma.europa.eu/sites/default/files/library/esma_cloud_guidelines.pdf