The European Securities and Markets Authority (ESMA) has published official translations of its final report updating the 2021 guidelines on outsourcing to cloud service providers. The updated guidelines, initially published in July, narrow the scope to exclude entities covered by the Digital Operational Resilience Act (DORA), ensuring they remain applicable only to financial entities outside DORA's remit, specifically, certain types of depositary under the Alternative Investment Fund Managers Directive and the Undertakings for Collective Investment in Transferable Securities Directive. The revision aims to prevent regulatory overlap, as DORA now governs ICT third-party risk for most financial entities. The revised guidelines apply from 30 September. National competent authorities must notify ESMA by 30 November whether they comply or intend to comply with the guidelines, and must inform ESMA of their reasons for non-compliance. Firms are not required to report on whether they comply.
[View source.]
