New rules apply to group 1 insurance companies’ outsourcing to cloud service providers as of 1 January 2021
In the summer of 2020, a new outsourcing regulation came into force, according to which financial undertakings, in particular banks, were to comply with a number of new requirements in connection with outsourcing. The Outsourcing Regulation was thereby harmonised with the requirements in the European Banking Authority's (EBA) guidelines.
In January 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its final guidelines on outsourcing to cloud service providers applicable to group 1 insurance companies, which have so far been (and still are) regulated by the Danish Financial Business Act and the rules in Article 274 of the Solvency II Regulation.
It follows from the Danish Financial Supervisory Authority’s website that “the Danish rules on outsourcing will be enforced in accordance with EIOPA's guidelines on outsourcing to cloud service providers when they come into effect 1 January 2021”.
In principle, only group 1 insurance companies are subject to EIOPA's guidelines. However, the FSA states that EIOPA’s guidelines on outsourcing to cloud service providers include a number of relevant points to which businesses making use of cloud services should pay special attention.
It was expected that EIOPA’s guidelines on outsourcing to cloud providers would be implemented by a new separate outsourcing regulation for insurance companies and pension funds. But the FSA has now announced that there will be no further implementation of the guidelines, which are therefore to be applied directly by insurance companies and pension funds.
In the final version, EIOPA's guidelines on outsourcing to cloud providers have been aligned with EBA’s guidelines on outsourcing (and thus also with the new Outsourcing Regulation). For instance, the rule of presumption that all cloud agreements constitute outsourcing has been removed, the requirements for registration of arrangements have been modified, and EIOPA has reverted to using the importance or criticality assessment instead of the materiality assessment.
Please contact our Technology and Outsourcing team if you have any questions about EIOPA's guidelines or the Outsourcing Regulation.