Time is running out for firms that are regulated by the European Securities and Markets Authority (ESMA) to achieve full compliance with the ESMA guidelines on outsourcing to cloud service providers (Guidelines). 

Whilst the Guidelines came into force after Brexit, and so do not apply to firms who operate only in the UK, firms with entities in Europe will still need to ensure that those entities comply with the Guidelines.

The Guidelines impose two deadlines on EMSA-regulated firms. The first of these was 31 July 2021 – firms were required to ensure that all cloud outsourcing contracts entered into after that date comply with the Guidelines. The second deadline is 31 December 2022 – firms are required to ensure that all other ‘critical or important’ cloud outsourcing arrangements i.e. those entered into before 31st July 2021 comply with the Guidelines by that date.

Firms should therefore be well on their way to achieving this full compliance. Firms that fail to meet the deadline will be required to inform their relevant European competent authority, together with details of the measures they have planned to complete the exercise (or its strategy for exiting any arrangements which do not comply).

How we can help

Deloitte Legal has developed a comprehensive end-to-end service to help ESMA-regulated entities identify, manage and remediate contracts that are subject to the Guidelines, and is currently working with a number of firms to achieve compliance by the December deadline. For more information please contact Paul O’Hare or Emilie Dawson.

Content from the Deloitte Legal blog can now be sent direct to your inbox. Choose the topic and frequency by subscribing here.