EIOPA Guidance on Cloud Outsourcing – July 2019

  • United Kingdom
  • Commercial and IT
  • Financial services and markets regulation
  • Insurance and reinsurance
  • Financial services


What is EIOPA? What is the purpose of the Guidelines? Who do they apply to?

On 1 July 2019, the European Insurance and Occupational Pensions Authority (“EIOPA”) published its consultation paper [1] (the “Consultation Paper”) on draft guidelines for insurers on outsourcing to cloud service providers (the “Guidelines”).

The Guidelines are issued under Article 16 of the EIOPA Regulation ((EU) No 1094/2010), as part of the European Commission’s FinTech Action Plan [2], and are designed to provide guidance on how the Solvency II Directive (2009/138/EC) [3] and the Solvency II Delegated Regulation ((EU) 2015/35) [4] should be applied when outsourcing to cloud service providers.

EIOPA, which forms part of the European System of Financial Supervision, has issued the Guidelines specifically to insurance and reinsurance undertakings (“Insurance Undertakings”) with the aim of: (i) ensuring a clear and consistent regulatory framework for financial institutions; and (ii) clarifying, for both firms and national supervisory authorities, how existing regulation applies to cloud services. [5]

The Guidelines cover a range of topics in respect of an Insurance Undertaking’s outsourcing to the cloud, including: (i) risk assessment and due diligence of the cloud service provider; (ii) governance, reporting and oversight arrangements; (iii) audit and access rights; (iv) security of data and systems; (v) sub-outsourcing and visibility of the service provider’s supply-chain; (vi) termination and exit strategies; and (vii) guidance for national supervisory authorities on the supervision of cloud outsourcing arrangements.

What is ‘outsourcing’ for the purposes of the Guidelines?

Insurance Undertakings should establish whether their arrangements with cloud service providers fall within the definition of ‘outsourcing’ in Article 13(28) of the Solvency II Directive, namely:

“an arrangement of any form between an insurance or reinsurance undertaking and a service provider, whether a supervised entity or not, by which that service provider performs a process, a service or an activity, whether directly or by sub-outsourcing, which would otherwise be performed by the insurance or reinsurance undertaking itself”. [6]

EIOPA’s guidance to firms is that, where it is unclear whether an arrangement satisfies the outsourcing test, they should err on the side of caution and assume that it does. The Insurance Undertaking should then consider: (i) whether the function being outsourced is performed on a recurrent or ongoing basis; and (ii) whether that function (or part of it) would normally fall within the scope of functions the Insurance Undertaking would or could perform itself in the course of its regular business activities. [7] This is not to say that a firm need not exercise due care and diligence when contracting with a third party for a short-term consultancy project; only that such a project is unlikely to satisfy the test for outsourcing.

How do the Guidelines interact with the EBA Guidelines?

Avoiding the risk of regulatory fragmentation is a focus of EIOPA (and of the European Commission). EIOPA also recognises that some Insurance Undertakings perform activities which bring them within the regulatory framework for banks and credit institutions, and that financial institutions across sectors are increasingly moving workloads, data and applications into the cloud, so that the issues raised are broadly similar across sectors. For these reasons the EIOPA Guidelines mirror the themes adopted by the European Banking Authority in its guidelines on outsourcing arrangements (“EBA Guidelines”). [8]

For example, EIOPA has determined that Insurance Undertakings should assess if the cloud outsourcing is considered ‘material’ (“the outsourcing of critical or important operational functions or activities”) and whether such an outsourcing may affect the risk profile of the Insurance Undertaking. The firm should also assess:

• the potential impact of disruptive events or failure of the cloud service;

• the importance of identifying and managing all foreseeable risks;

• the size, cost and complexity of the outsourcing;

• the ability to transfer the service to another service provider on expiry or termination (e.g. avoiding “vendor lock-in”); and

• the protection of personal and non-personal data and the potential impact of a breach.

As for other material outsourcing arrangements, an Insurance Undertaking should provide written notification of its material cloud outsourcings to its regulators, and maintain a detailed register of all its cloud outsourcing arrangements.

How do the Guidelines work alongside GDPR?

The Guidelines are intended to work alongside the General Data Protection Regulation [9] (“GDPR”) and seek to build a robust regulatory framework for the availability, integrity, security and resilience of systems, applications and data in the cloud.

As part of the materiality assessment of a cloud outsourcing, the Guidelines provide that Insurance Undertakings should consider various factors, including:

• the protection of personal data and non-personal data;

• the potential impact of a breach;

• the potential impact of a failure to ensure data availability and/or integrity; and

• a particular focus on data that is business sensitive and/or critical.

Guideline 12 specifically addresses the security of data and systems. Insurance Undertakings should ensure that cloud service providers comply with appropriate information security and data protection standards, and that data and system security requirements are defined in the outsourcing agreement. Before entering into the agreement, the undertaking should also satisfy itself on a number of further points, including business continuity requirements, the handling of data incidents and the effectiveness of the provider’s control mechanisms.

For “standardised” cloud services firms should ensure that the cloud service provider’s policies and procedures provide an adequate level of protection (and this assessment should be undertaken early in the procurement process).

That said, firms must recognise that, for Infrastructure as a Service or Platform as a Service offerings for example, the responsibility for defining security controls and encryption standards remains with the Insurance Undertaking and cannot be delegated to the service provider.

Finally, firms must continuously evaluate the adequacy of their systems and controls throughout the lifecycle of the contract.

What about Brexit?

The UK regulators have made clear that EU Withdrawal remains one of their key priorities [10]; a common framework of international financial services regulation will be critical to ongoing market access and competition as and when the UK leaves the European Union. The FCA has used similar language to EIOPA in stressing the importance of avoiding “regulatory arbitrage”, and it would surprise most commentators if the UK adopted a radically different approach to outsourcing and the cloud. By the same token, many insurers and reinsurers operating in both the EU and the UK will be using common platforms and systems, and it would be reasonable to assume that they will adopt common processes, procedures and controls across their various cloud service providers.

Do the rules apply to intermediaries?

Whilst the EIOPA Guidelines do not apply directly to brokers, agents and other intermediaries, those intermediaries can expect insurers and reinsurers to flow the requirements down by contract. All FCA-authorised firms are expected to meet the general outsourcing requirements set out in SYSC 8 [11], and it is likely that similar requirements will eventually be imposed on insurance intermediaries.

Key dates and Submissions to the Consultation Process

Under the Consultation Paper, the Guidelines would apply to all cloud outsourcing arrangements entered into from 1 July 2020, and Insurance Undertakings would be required to review and amend their existing arrangements to ensure compliance by 1 July 2022.

Please contact your usual contact at Eversheds Sutherland, or one of the contacts listed below, if you are unsure as to how the proposed Guidelines might affect your organisation, your existing relationships with cloud service providers, your contract policies and risk & compliance procedures.

Submissions to the Consultation Paper are invited by 30 September 2019. Please also contact us if you would like to make a submission as part of the consultation process.

  [1] European Insurance and Occupational Pensions Authority, Consultation Paper on the proposal for Guidelines on outsourcing to cloud service providers (1 July 2019).
  [2] European Commission, FinTech Action Plan, COM(2018) 109 final.
  [3] Directive 2009/138/EC on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
  [4] Commission Delegated Regulation (EU) 2015/35 of 10 October 2014 supplementing Directive 2009/138/EC of the European Parliament and of the Council on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II).
  [5] See the “Background” section of the Consultation Paper.
  [6] Solvency II Directive, Article 13(28).
  [7] See paragraph 10 of the Consultation Paper.
  [8] EBA Guidelines on outsourcing arrangements, EBA/GL/2019/02.
  [9] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  [10] See, for example, the FCA Business Plan 2019/20.
  [11] FCA Handbook, Senior Management Arrangements, Systems and Controls, Chapter 8. Note that for firms other than common platform firms, the rules can be read as guidance under SYSC 8.1.1A.