On Sep. 30, 2025, EU ESMA issued ESMA65-294529287-4737 Guidelines on outsourcing to cloud service providers in English and in other official EU languages.
The guidelines apply from their publication online in EU official languages and to all cloud outsourcing arrangements signed, renewed or amended on or after this date.
Within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages, i.e. Nov. 30, 2025, competent authorities to which the guidelines apply must notify ESMA whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.
On May 10, ESMA issued cloud service provider outsourcing guidance.
ESMA issued translations of the guidelines on outsourcing to cloud service providers (CSPs).
They provide information on cloud outsourcing requirements to financial market participants.
They help identify, address and monitor the risks/challenges of cloud outsourcing arrangements.
The ESMA guidelines apply to competent authorities and to alternative investment fund managers (AIFMs) and depositories of alternative investment funds (AIFs).
Together with undertakings for collective investment in transferable securities (UCITS).
Management companies and depositories of UCITS, and investment companies that have not designated a management company authorized pursuant to UCITS directive.
Also apply to central counterparties (CCPs), including tier 2 third-country CCPs which comply with the relevant EMIR requirements, and to trade repositories (TRs).
To investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues.
Central securities depositories (CSDs), credit rating agencies (CRAs), securitization repositories (SRs), and they also apply to administrators of critical benchmarks.
ESMA will take these guidelines into account when assessing the extent to which compliance with relevant EMIR requirements by a tier 2 third-country CCP is satisfied by its compliance with comparable rules in the third country per EMIR, Art. 25(2b)(a).
Overview
Guidance on risk assessment and due diligence firms should undertake on their CSPs.
Governance, organizational and control frameworks to monitor CSP performance and how to exit cloud outsourcing arrangements without undue disruption to business.
Contractual elements that their cloud outsourcing agreement should include.
Together with the information that should be notified to competent authorities.
Also provide guidance to competent authorities on the supervision of cloud outsourcing arrangements, with a view to fostering a convergent approach across the EU.
Effectiveness
Following translation into 23 official EU languages, it applies to all cloud outsourcing arrangements that are entered into, renewed or amended on or after Jul. 31, 2021.
Firms should review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by Dec. 31, 2022.
Where the review of cloud outsourcing arrangements of critical or important functions is not finalized by Dec. 31, 2022, firms should then inform their competent authority.
This includes measures planned to complete the review or the possible exit strategy.
Nov. 2021 Compliance Table
On Nov. 24, 2021, EU ESMA published compliance table dated Nov. 5 on authorities complying/intending to comply with guide on outsourcing to cloud service providers.
Jan. 2022 Updated Compliance Table
On Jan. 28, 2022, EU ESMA updated guideline compliance table on national authorities complying/intending to comply with guide on outsourcing to cloud service providers.
Sep. 2022 Compliance Table Update
On Sep. 1, 2022, EU ESMA updated compliance table with data up to Sep. 1, 2022.
May 2023 Updated Compliance Table
On May 17, 2023, EU ESMA updated compliance table with data up to May 17, 2023.
May 2024 Compliance Table
On May 2, 2024, EU ESMA reissued compliance table with data up to Apr. 22, 2024.
All competent authorities comply or intend to comply, with the exception of POL FSA.
Jul. 11, 2025 Updated Guidelines
On Jul. 11, 2025, EU ESMA issued updated Guidelines on outsourcing to cloud service providers due to Digital Operational Resilience Act (DORA) in force from Jan. 17, 2025.
DORA constitutes a consolidation of the EU legal framework on digital operational resilience, also covering the area of ICT third-party risk; hence the subject matter that ESMA's original 2021 Guidelines covered has been incorporated into DORA.
DORA has amended several Regulations and Directives that constituted legal basis for the 2021 Guidelines; DORA does not apply to certain addressees of 2021 Guidelines.
Consequently, ESMA intends to amend the scope of addressees of the 2021 Guidelines to exclude financial entities covered by DORA, but considers that guidelines on outsourcing to cloud service providers should be kept for certain listed entities not subject to DORA.
Therefore it is amending the scope of the addressees of the 2021 Guidelines but is not substantively changing their content; it did not consult on the changes as they are very limited.
Updated Guidelines will be translated into all official EU languages and issued on the ESMA website; national competent authorities will then have 2 months to notify compliance.
Sep. 2025 Translated Guidelines
On Sep. 30, 2025, EU ESMA issued ESMA65-294529287-4737 Guidelines on outsourcing to cloud service providers in English and in other official EU languages.
The guidelines apply from their publication online in EU official languages and to all cloud outsourcing arrangements signed, renewed or amended on or after this date.
Within two months of the date of publication of the guidelines on ESMA’s website in all EU official languages, i.e. Nov. 30, 2025, competent authorities to which the guidelines apply must notify ESMA whether they (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the guidelines.