Guidelines on outsourcing to cloud service providers are now available for national supervisory authorities. The Guidelines provide guidance to market participants on how the outsourcing provisions set forth in Directive 2009/138/EC (Solvency II), in Commission Delegated Regulation (EU) 2015/35 and in EIOPA's Guidelines on System of Governance are to be applied in the case of outsourcing to cloud service providers.
EIOPA developed these guidelines addressed to national supervisory authorities with the following objectives:
- To provide clarification and transparency to market participants, avoiding potential regulatory arbitrage
- To foster supervisory convergence regarding the expectations and processes applicable to cloud outsourcing
The use of cloud outsourcing is common practice across all financial undertakings, not only insurance and reinsurance undertakings, and the main associated risks are similar across sectors. Acknowledging these facts and recognising the potential risk of regulatory fragmentation, EIOPA also considered, in addition to the (re)insurance provisions on outsourcing, the most recent guidance published by the European Banking Authority when developing these guidelines.
Content of the guidelines
EIOPA published the Final Report on the Public Consultation, approved by its Board of Supervisors, which contains:
- the final text of the EIOPA Guidelines on outsourcing to cloud service providers;
- the feedback statement to the Public Consultation;
- the final Impact Assessment; and
- the resolution of non-confidential comments provided by stakeholders during the Public Consultation.
EIOPA's Guidelines cover the following areas:
- Criteria to determine whether a cloud service falls within the scope of outsourcing
- Principles and elements of governance of cloud outsourcing, including documentation requirements and the list of information to be included in the notification to supervisory authorities
- Pre-outsourcing analysis, including a set of criteria for assessing whether a cloud outsourcing arrangement relates to an operational function or activity that is critical or important, and principle-based instructions on how the risk assessment of the cloud outsourcing and the due diligence on the cloud service provider should be performed
- Contractual requirements
- Management of access and audit rights; security of data and systems; sub-outsourcing of critical or important operational functions or activities; monitoring and oversight of cloud outsourcing; and exit strategies
- Principle-based instructions for national supervisory authorities on the supervision of cloud outsourcing arrangements, including, where applicable, at group level
These guidelines have been developed in accordance with Article 16 of Regulation (EU) No 1094/2010. Under this Article, EIOPA may issue Guidelines and Recommendations addressed to competent authorities and financial institutions with a view to establishing consistent, efficient and effective supervisory practices and to ensuring the common, uniform and consistent application of Union law.
In accordance with Article 16(3) of that Regulation, competent authorities and financial institutions are required to make every effort to comply with those Guidelines and Recommendations.
From 1 July to 30 September 2019, the European Insurance and Occupational Pensions Authority (EIOPA) ran a Public Consultation on its Guidelines on outsourcing to cloud service providers. Several stakeholders provided contributions that helped EIOPA prepare the final version of these Guidelines, which have been streamlined taking into account the principle of proportionality and a risk-based approach to their implementation.