Regulated cloud outsourcing
4. When does cloud outsourcing fall within the scope of the rules?

The European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02) ("EBA Guidelines") should be considered when assessing whether an outsourcing agreement relates to a function that is critical or important, the factors a financial institution should take into account in that assessment, and the outcome of the risk assessment.

Under the European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285) ("ESMA Guidelines"), in line with the EBA Guidelines, "cloud outsourcing arrangement" is defined as an arrangement of any form, including delegation arrangements, between the following:

  • A firm and a cloud service provider by which that provider performs a function that would otherwise be undertaken by the firm itself
  • A firm and a third party that is not a cloud service provider, but that relies significantly on such a provider to perform a function that would otherwise be undertaken by the firm itself (in this case, a reference to a cloud service provider in these guidelines should be read as referring to that third party)

The ESMA Guidelines define a cloud service provider as a third party delivering cloud services under a cloud outsourcing arrangement.

According to the European Insurance and Occupational Pensions Authority Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002) ("EIOPA Guidelines"), the undertaking should establish whether an arrangement with a cloud service provider falls under the definition of outsourcing pursuant to the Solvency II Directive. Within the assessment, consideration should be given to the following:

  1. Whether the operational function or activity outsourced is performed on a recurrent or an ongoing basis.
  2. Whether this operational function or activity would normally fall within the scope of operational functions or activities that would be performed by the undertaking during its regular business activities, even if the undertaking has not done so in the past.

Where an arrangement with a service provider covers multiple operational functions or activities, the undertaking should consider all aspects of the arrangement within its assessment.

In cases where the undertaking outsources operational functions or activities to service providers that are not cloud service providers, but rely significantly on cloud infrastructures to deliver their services (for example, where the cloud service provider is part of a sub-outsourcing chain), the arrangement for such outsourcing falls within the scope of the EIOPA Guidelines.

Under Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector ("DORA Regulation"), cloud outsourcing falls within the scope of the DORA Regulation when it is considered an information and computer technology third-party service provided to regulated financial entities.