As a financial market infrastructure and financial technology company, and not a bank, Nasdaq and its affiliates are generally not affected by the EBA draft recommendations, but as a potential user of cloud services it nevertheless welcomes the work of EBA and the opportunity to comment. Nasdaq believes that the EBA draft recommendations are generally appropriate and useful and will provide good support for outsourcing entities as well as service providers and regulators when dealing with cloud services, although they are on a high level. To ensure a harmonized approach across the EU and across different financial sectors, Nasdaq would welcome if a framework corresponding to the EBA draft recommendations was also adopted within ESMA in respect of financial infrastructure firms.
Response to Question 1:
Nasdaq believes that the EBA draft recommendations are generally appropriate, clear and sufficiently detailed to be used in the context of cloud outsourcing.
In the context of the duty to adequately inform the supervisors however (section 4.2 of the EBA draft recommendations), Nasdaq believes that it is important to have full information regarding the ownership structure and ultimate/beneficial owner(s) of the cloud service provider and that this should be part of the EBA draft recommendations.
In the context of access and audit rights (section 4.3), Nasdaq believes that it would be more appropriate to require outsourcing agreements to include a right for competent authorities to access “relevant business centers” of the cloud outsourcing provider, rather than “head offices” , as this may not be relevant for the particular services provided under the relevant arrangement. Also, very extensive audit and access rights, that also include areas not immediately relevant to the particular service, may not be possible to achieve in relation to the service providers.
In the context of contingency plans and exit strategies (section 4.8), Nasdaq would like to point out that there are considerable difficulties involved in conducting a complete “live” test of exit arrangements and that it is important that any requirements on exit strategy testing are appropriate and proportionate.
In the context of contingency plans and exit strategies (section 4.8), Nasdaq thinks it would make sense to emphasize in the EBA draft recommendations that the cloud service provided should be required to disclose what proprietary resources of the service provided that are being used for the provision of the service and would have to be replaced in the event of a termination of the cloud service arrangement. The purpose of this would be to facilitate the process to exit and replace a cloud service arrangement.