• Dr. Martin Rehker, Jan Leverenz
  • Published: 01 July 2020

The relevance of cloud adoption continues to grow strongly for financial market participants, and not just through the effects of COVID-19. Financial market players can reap benefits such as greater efficiency and lower costs by outsourcing their critical and non-critical functions to cloud service providers (CSPs). These benefits come with various risks and challenges. 

To ensure that these risks are adequately managed and to protect the stability of financial markets, the European Securities and Markets Authority (ESMA) has initiated a consultation on draft guidelines to: 

  • advise financial market participants on how to identify, address and monitor the risks for outsourcing their activities, and also
  • help financial market participants make the right decisions when outsourcing to the cloud or selecting and contracting with cloud service providers . 
    These guidelines are similar to outsourcing frameworks formulated by other authorities, e.g. for banks or insurance companies. Below we summarize the risks that need to be addressed for cloud outsourcing and the compliance requirements proposed by ESMA.  
    ESMA identified the following (non-exclusive) risks arising from cloud adoption in the financial industry, which can occur when moving IT activities into the cloud:
  • Financial market participants may find it challenging to assess benefits and risks of cloud adoption beforehand, on the overall level and/or on the level of functions being outsourced. 
  • Financial market participants may not have the required knowledge, tools, standards, and resources to adequately monitor their cloud infrastructure, platforms, services, and applications.
  • Sudden changes in the CSP situation (service availability, service levels offered, other factors affecting service provision by the CSP) may endanger business continuity or lead to high costs, if no well-defined and documented exit strategies from cloud are in place.
  • Cyberattacks on the financial industry could de-stabilize financial markets if no specific attention is paid to cloud IT and data security. 
  • Moving functions to the cloud can lead to decreased control of an otherwise solid and well-defined IT governance framework.


Considering the above-mentioned risks, ESMA’s guidelines for financial market participants propose the following:

  1. Financial market participants must have defined cloud outsourcing strategies such as information technology strategy, information security strategy and operational risk management strategy as well as internal policies and processes to ensure compliance when outsourcing functions to the cloud.
  2. Furthermore, financial market participants need to ensure continuous oversight of cloud activities by assigning responsibilities and allocating sufficient internal resources to compliance and proper documentation of cloud outsourcing, especially for critical functions.
  3. Mandatory and standardized pre-outsourcing analysis and due diligence are needed to help make the right decision whether to outsource a given function to the cloud and which CSP to select. During that process, risks need to be fully analyzed, documented and mitigated, potentially by introducing additional contractual requirements with the given CSP (e.g. SLAs).
  4. To ensure information security, measures such as the securing of APIs, business continuity and disaster recovery plans, encryption, and key management requirements as well as operations and network security will be necessary.
  5. Financial market participants must have defined, documented and tested exit strategies for their cloud undertakings to ensure a safe return of sensitive data and functions.
  6. Financial market participants must be able to access and audit the CSP, in such a way that an adequate oversight between the financial market participant and CSP is created. Additional agreements should be considered if sub-contracting of cloud services becomes an issue.
  7. Finally, written notification to the regulator is required with the specified detailed minimum content upon outsourcing a function to the cloud. 
    In conclusion, the regulator has introduced a broad set of requirements on cloud outsourcing. Full compliance with these requirements for financial institutions internally is expected by 30th June 2021, while full compliance related to arrangements with CSPs is required by 31st December 2022. Meeting each of these deadlines will be a challenge for financial institutions, particularly while still in crisis recovery mode. 



Capco can support financial market participants in taking the full advantage of their cloud journeys by sharing lessons learned by our teams in other areas of the financial industry. We have experience in setting up value-adding, compliant cloud journeys and can assist with creating compliant cloud governance frameworks, defining and implementing efficient policies (e.g. cloud architecture, information security, data protection, risk management) as well as standards, guidelines and processes (e.g. secure development, change and configuration management, identity and access management, business continuity and disaster recovery, procurement). 

Contact us to discuss how efficient, compliant, and timely cloud outsourcing can benefit your business. 


Oliver Geiseler, Partner
M +49 172 131 8328

Martin Rehker, Managing Principal
M +49 174 334 6440