Consob Notice of 13 July 2021

Notice regarding the Guidelines issued by ESMA about outsourcing to cloud services providers

Consob complies with the Guidelines on "Outsourcing to cloud services providers" issued by the European Securities and Markets Authority (ESMA), integrating them into its supervisory practices.

The Guidelines, published in the official languages of the Union on 10 May 2021, provide recommendations on the identification, management and monitoring of risks originating from agreements for the outsourcing of activities and services to companies providing cloud services, with particular reference to:

• the risk assessment and due diligence to be carried out on cloud service providers;
• the governance, supervision and control requirements to be put in place to monitor the performances of cloud service providers, as well as how to exit from such outsourcing agreements without interruption of its activities;
• the contractual requirements between the parties (companies and cloud service providers), there including their respective rights and duties;
• IT security requirements and exit strategies from outsourcing agreements;
• the compliance with the requirements if the cloud service provider on behalf of a company uses other subjects for the performance of certain critical or important functions (or parts thereof) (so-called sub-outsourcing);
• the information to be notified to the competent Authorities.

The Guidelines provide that the same apply to the competent Authorities, to which guidance is given on the supervision of such arrangements, in order to promote a convergent approach in the European Union, as well as the following subjects:

1. alternative investment fund managers (AIFMs) and alternative investment fund depositaries (AIFD);
2. undertakings for collective investment in transferable securities (UCITS), management companies and UCITS custodians and investment companies that have not designated a company management authorized under the UCITS Directive;
3. central counterparties (CCPs), including those of second tier third countries that satisfy the requirements provided by the EMIR;
4. trade repositories;
5. investment firms and credit institutions when they carry out investment services and activities;
6. data communication service providers (DRSPs);
7. trading venues managers;
8. central securities depositories (CSDs);
9. credit rating agencies;
10. securitization depositories;
11. administrators of critical benchmarks.

The Guidelines will be applicable from 31 July 2021 to all outsourcing agreements with cloud service providers entered into or renewed from that date. The aforementioned subjects will have time until 31 December 2022 to review and amend, where necessary, the existing outsourcing agreements with the cloud service provider to ensure that they take into account the aforementioned Guidelines.

The Guidelines are also available in the Italian language on the Consob institutional website.

ESMA was informed of the compliance with the Guidelines pursuant to Regulation (EU) no. 1095/2010.

THE CHAIRMAN
Paolo Savona

Consob Notice of 13 July 2021 PDF version