DORA: ESMA final report on guidelines on outsourcing to cloud service providers by non-DORA depositaries
- James Ross

- Jul 13
- 3 min read
On July 11, 2025, the European Securities and Markets Authority (ESMA) published a final report amending its guidelines on outsourcing to cloud service providers. The primary purpose of this update is to align the existing policies with the Digital Operational Resilience Act (DORA), which became applicable on January 17, 2025.
The most significant change is a major reduction in the scope of the guidelines. Since DORA now provides a comprehensive legal framework for digital resilience and ICT third-party risk for most financial entities, ESMA has amended its policies to avoid regulatory duplication and potential conflicts of interest.
The core content and requirements of the guidelines themselves have not undergone substantive changes. The update is focused entirely on clarifying which entities remain subject to them.

Key Changes and Rationale
Exclusion of DORA-Covered Entities: The guidelines will no longer apply to the majority of financial entities (such as banks and investment firms) as they are now governed by the specific, legally binding requirements of DORA for cloud and ICT outsourcing. This simplifies the regulatory landscape for these firms.
New Narrowed Scope: The amended guidelines are now specifically targeted at a small subset of firms that DORA does not cover. This includes:
- Certain depositaries of Alternative Investment Funds (AIFs) under AIFMD (Article 21(3)(c)).
- Certain depositaries of UCITS funds under the UCITS Directive (Article 23(2)(c)).
Reason for Retention: ESMA has maintained the guidelines for this specific group of depositaries due to their market relevance, the critical functions they perform, and the funds they manage. This ensures that a consistent standard of risk management for cloud outsourcing remains in place, even where DORA does not.
Implications for Firms and Providers
The implications of this change vary significantly depending on the type of entity.
For Financial Entities covered by DORA (Most Banks, Investment Firms, etc.):
Shift in Focus: Your primary source for compliance regarding cloud outsourcing is now DORA and its associated Regulatory Technical Standards (RTS).
Action Required: You should transition away from the ESMA guidelines and ensure your governance, risk management, contracts, and oversight processes for cloud arrangements are fully compliant with DORA's more extensive framework. This removes a layer of guidance and replaces it with a formal regulation.
For AIF and UCITS Depositaries NOT covered by DORA:
Business as Usual: The regulatory expectations for your cloud outsourcing arrangements remain unchanged. You were subject to the 2021 guidelines, and you remain subject to these amended guidelines.
Action Required: Confirm that your entity falls outside the scope of DORA. Continue to use the ESMA guidelines as the benchmark for your cloud outsourcing practices, including due diligence, contractual terms, security measures, and exit strategies.
For Cloud Service Providers (CSPs):
Fragmented Compliance: You will now need to support clients under two different EU regulatory regimes. Some clients will require you to demonstrate compliance with DORA, while the specific depositaries will require adherence to the ESMA guidelines.
Action Required: Understand which regulatory framework applies to each of your financial sector clients. Your contractual terms, audit reports, and service agreements must be aligned with both sets of requirements to serve the entire EU financial market effectively.
Summary of a Firm's Obligations (under the amended guidelines):
For the depositaries still in scope, the guidelines continue to mandate a structured approach to cloud outsourcing, including:
- Governance & Oversight: A clear cloud strategy, defined responsibilities, and a register of all cloud outsourcing arrangements.
- Pre-Outsourcing Analysis: Rigorous due diligence on providers and a thorough risk assessment, especially for critical functions.
- Key Contractual Elements: Written agreements must cover data location, security, audit rights, sub-outsourcing conditions, and service levels.
- Information Security: Implementing robust security measures for data protection, access management, and encryption.
- Exit Strategies: Developing and testing comprehensive exit plans to ensure an orderly transition away from a provider without service disruption.
- Access and Audit Rights: Ensuring the firm and its regulators have effective rights to audit the cloud service provider.
- Notification: Informing competent authorities promptly of plans to outsource critical functions.