EIOPA guidelines on outsourcing to cloud service providers


On 6 February 2020, the European Insurance and Occupational Pensions Authority (“EIOPA”) published its final guidelines (the “EIOPA Guidelines”) on outsourcing to cloud service providers (“CSPs”)[1].

On 24 June 2020, the Luxembourg supervisory authority for the insurance sector, the Commissariat aux Assurances (“CAA”), issued Circular Letter 20/13, in which the CAA confirms that it has informed EIOPA that it will apply the EIOPA Guidelines and invites the insurance and reinsurance undertakings subject to its supervision to comply with them.

The CAA further specifies in Circular Letter 20/13 that the EIOPA Guidelines apply without prejudice to Article 300 of the amended law of 7 December 2015 on the insurance sector, which lays down the duty of professional secrecy.

 

I. Purpose and Scope of the EIOPA Guidelines

The EIOPA Guidelines clarify how the outsourcing provisions of Directive 2009/138/EC (the “Solvency II Directive”) and of Delegated Regulation (EU) 2015/35 (the “Delegated Regulation”) are to be applied where insurance and reinsurance undertakings outsource to CSPs.

Where outsourcing arrangements are entered into with service providers that are not themselves CSPs, the EIOPA Guidelines nevertheless apply if those service providers rely significantly on cloud infrastructure to deliver their services.

In terms of timing, two dates should be borne in mind:

 

Undertakings should further update their internal processes and procedures by such same date;

 

 

II. Overview of the main general requirements of the EIOPA Guidelines applicable to all cloud outsourcing arrangements

 

1. Assessing whether an arrangement qualifies as an “outsourcing” arrangement

Undertakings are required to determine whether an arrangement with a CSP falls within the definition of “outsourcing” in Article 13(28) of the Solvency II Directive.

In doing so, undertakings should assess:

 

 

2. Pre-outsourcing analysis

Prior to entering into any outsourcing arrangement with CSPs, undertakings should:

 

 

 

 

3. Governance requirements

The undertaking’s written outsourcing policy (and any other relevant internal policies and processes) should be updated to take into account the specificities and risks of cloud outsourcing in each of the areas listed in paragraph 20 of the EIOPA Guidelines.

Undertakings are further required to keep a register of all their cloud outsourcing arrangements, kept up to date over time and retaining terminated cloud outsourcing arrangements for an appropriate retention period.

 

4. Contractual requirements

The respective rights and obligations of the undertaking and the CSP should be clearly allocated and set out in a written agreement.

 

5. Access and audit rights

Undertakings are required to ensure that they have effective access and audit rights, as well as control options, over the outsourced cloud services so that they can fulfil their regulatory obligations.

 

6. Security of data and systems

Undertakings should ensure that CSPs comply with European and national regulations and with appropriate ICT security standards.

 

7. Monitoring and oversight of cloud outsourcing arrangements

Undertakings should set up mechanisms to monitor, on a regular basis and following a risk-based approach, the performance of the outsourced activities, the security measures in place and the CSP’s adherence to them.

 

III. Key specific requirements of the EIOPA Guidelines applicable to the outsourcing of critical or important operational functions or activities

The EIOPA Guidelines include a series of specific requirements that apply only to the outsourcing of critical or important operational functions or activities, and many of the general requirements applicable to all cloud outsourcing arrangements are more onerous where such critical or important functions are outsourced:

 

 

IV. Other connected European texts

The EIOPA Guidelines are closely aligned with the Guidelines on outsourcing arrangements published by the European Banking Authority (“EBA”) on 25 February 2019[2], which incorporated the Recommendations on outsourcing to cloud service providers published by the EBA on 20 December 2017[3].

On 3 June 2020, the European Securities and Markets Authority (“ESMA”) published a Consultation Paper on Draft Guidelines on Outsourcing to Cloud Service Providers[4] (the “ESMA Guidelines”), which contain requirements similar to those laid down in the EIOPA Guidelines.

 


[1] EIOPA-BoS-20-002.
[2] EBA/GL/2019/02.
[3] EBA/REC/2017/03.
[4] ESMA50-164-3342.

2020.07.14 – Luxembourg Newsflash – EIOPA guidelines on outsourcing to cloud service providers