On 11 July 2025, the European Securities and Markets Authority (ESMA) published its Final Report updating the Guidelines on outsourcing to cloud service providers (CSPs), to align with the Digital Operational Resilience Act (DORA), which came into effect on 17 January 2025.
The Impact of DORA on Cloud Outsourcing
The previous 2020 guidelines (referred to as the “2021 guidelines”) were designed to assist financial firms in identifying, managing, and monitoring risks related to cloud outsourcing. However, since the implementation of DORA, which now covers ICT third-party risks, these guidelines have become largely redundant for most financial entities.
Scope of the Revised ESMA Guidelines
ESMA’s revised guidelines narrow the scope, focusing specifically on entities not covered by DORA, such as certain depositaries under the Alternative Investment Fund Managers Directive (AIFMD) and the Undertakings for Collective Investment in Transferable Securities Directive (UCITSD).
Next Steps and Implementation
The updated guidelines will be translated into all official EU languages and published on ESMA’s website. This will initiate a two-month period during which competent authorities in EU Member States must notify ESMA of their compliance or intention to comply.
This update ensures regulatory clarity and continued oversight for financial entities outside DORA’s scope, maintaining robust cloud outsourcing risk management across the EU financial sector.
For full details, access the official report here:
ESMA Final Report on revised Guidelines on outsourcing to cloud service providers (PDF)