In Short: EIOPA Guidelines on Outsourcing to Cloud Service Providers

Home Knowledge In Short: EIOPA Guidelines on Outsourcing to Cloud Service Providers

In Short: EIOPA Guidelines on Outsourcing to Cloud Service Providers

February 7, 2020

On 6 February 2020, EIOPA published its Guidelines on outsourcing to cloud service providers (the Guidelines). The Guidelines will apply from 1 January 2021 to all cloud outsourcing arrangements entered into or amended on or after that date.

The Guidelines address a number of issues, including, the following:

what should be considered within the ‘scope’ of outsourcing to cloud service providers;
governance of cloud outsourcing arrangements, including the requirement that thorough risk assessments be carried out when outsourcing any critical or important functions or activities (CIFA) to a cloud service provider;
changes to the risk profile of the undertaking as a result of the outsourcing to a cloud service provider should be reflected in its Own Risk Solvency Statement (ORSA);
papering of cloud outsourcing arrangements, including documenting the arrangement in a written agreement, updating the undertaking’s outsourcing policy and making notifications to the undertaking’s supervisory authority;
due diligence of cloud outsourcing arrangements, including a set of criteria to be followed to assess whether a cloud outsourcing arrangement relates to a CIFA; and
sub-outsourcing of CIFAs to cloud service providers.

The Guidelines will apply to both individual insurance and reinsurance undertakings and to groups as defined in the Solvency II Directive.