On 12 July 2021, the Luxembourg regulator of the financial sector, the CSSF, published its Circular 21/777 implementing the ESMA’ guidelines on outsourcing to cloud service providers (ESMA50-164-4285, “ESMA Guidelines”).
The CSSF considers that CSSF Circular 17/654 on cloud outsourcing, as amended (the “Cloud Circular”) (applicable inter alia to credit institutions, investment firms, professionals of the financial sector and investment fund managers) and its current regulatory practice are already in line with the substance requirements of the ESMA Guidelines.
The CSSF, however, extends the scope of the Cloud Circular to align it with the ESMA Guidelines by including the following financial market professionals in the scope of the Cloud Circular as of 31 July 2021 (“New Entities”):
- – depositaries of AIFs (under article 21, paragraph 3 of the AIFMD)
- – UCITS, depositaries of UCITS (under article 2, paragraph 1, a) of the UCITS Directive) and investment companies that have not designated a management company authorised pursuant to the UCITS Directive
- – as well as other professionals such as central counterparties, data reporting services providers, market operators of trading venues, central securities depositories, administrators of critical benchmarks.
For new cloud outsourcing arrangements (entered into, renewed or amended on or after 31 July 2021), the New Entities would have to comply with the provisions of the Cloud Circular. The New Entities would have until 31 December 2022 to revisit their existing cloud outsourcing arrangements for compliance with the Cloud Circular.
CSSF Circular 21/777 does not require entities already in scope of the Cloud Circular to take specific action with regards the ESMA Guidelines.
The CSSF does not take the opportunity to comment on points such as the definition of cloud computing and critical or important functions, the initial due diligence and sub-outsourcing requirements etc. on which the Cloud Circular seems to diverge from the ESMA Guidelines.