On 3 June 2026, the European Securities and Markets Authority (ESMA) published a compliance table detailing how national competent authorities have implemented its guidelines on outsourcing to cloud service providers. The document, issued by ESMA's Markets and Digital Innovation unit, provides a transparency tool for market participants to assess the degree of convergence in supervisory practices across EU member states.
The compliance table covers the guidelines originally adopted by ESMA in May 2021, which set out expectations for financial firms when outsourcing critical functions to cloud providers. The guidelines aim to ensure that firms maintain adequate oversight, data security, and business continuity when relying on third-party cloud services. By publishing the table, ESMA offers a snapshot of which national authorities have fully complied, partially complied, or not yet complied with the guidelines, as well as any alternative measures taken.
Policy orientations and trade-offs ESMA's guidelines strike a balance between enabling innovation in cloud adoption and mitigating risks related to operational resilience, data protection, and concentration risk. The compliance table reveals varying levels of implementation across the EU, highlighting a tension between harmonisation and national discretion. Some authorities have adopted the guidelines in full, while others have introduced additional national requirements or exemptions, potentially creating fragmentation for cross-border firms.
Impact on stakeholders - Financial firms (banks, investment firms, insurers): They face a patchwork of compliance obligations depending on where they operate, increasing costs for those active in multiple jurisdictions. Firms in fully compliant member states benefit from clearer expectations. - Cloud service providers (e.g., AWS, Microsoft, Google): Divergent national rules may complicate contract negotiations and service standardisation across the EU. - National competent authorities: The table encourages peer pressure and convergence, but also exposes resource constraints or differing risk appetites. - Consumers and investors: Ultimately benefit from stronger operational resilience and data protection, though at the cost of potentially slower cloud adoption by financial institutions.
Expected institutional follow-up ESMA will monitor the compliance table as part of its ongoing supervisory convergence work. The European Commission may consider legislative action if persistent divergence undermines the single market for financial services. The next review of the guidelines is expected in 2027, taking into account evolving cloud market dynamics and cybersecurity threats.
← Atlas › News › Digital & Communication