The rules and guidelines of the Dubai Financial Services Authority ("DFSA") relevant to outsourcing state that the DFSA's regulated entities (i.e., Authorized Persons, as defined below) must abide by a number of specific contractual requirements for cloud outsourcing, namely the following:

• An Authorized Person (i.e., (i) An Authorized Firm — a person, other than an Authorized Market Institution, that holds a license or (ii) an Authorized Market Institution — a person licensed by the DFSA in relation to carrying out financial services) must establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programs.
• An Authorized Person must enter into an appropriate and written outsourcing contract.
• An Authorized Person must ensure that outsourcing contracts neither reduce its ability to fulfill its obligations toward customers and the DFSA, nor hinder the DFSA's supervision of the Authorized Person.
• An Authorized Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing contract require the service provider to do the following:
  • Provide for the provision of information^[1] in relation to the Authorized Person and access to its business premises for the DFSA.
  • Deal in an open and cooperative way with the DFSA.

The Guidelines for Financial Institutions Adopting Enabling Technologies provide specific recommendations to be followed in relation to cloud service providers, including recommendations of what the contract should cover.

[1] This refers to the information listed under Section 11.1 of the DFSA Rulebook on information gathering and DFSA access to information. This section requires Authorized Persons — where reasonable — to share specific information related to their activities with the DFSA when required and to allow the DFSA to access it.