ESMA has published its final report on outsourcing to cloud service providers. The guidelines cover:
- risk assessment and due diligence on providers;
- governance, organisational and control frameworks for monitoring CSP performance – including access and audit rights, information security and sub-outsourcing;
- arrangements for exiting agreements without undue disruption to business;
- required and recommended contractual provisions; and
- information to be notified to regulators.