Outsourcing is widely and increasingly used across the alternative investment management industry. With clear advantages including operational efficiencies and cost-effectiveness, it is unlikely that this trend will slow or reverse in the future.  Regulatory standards on outsourcing and/or third-party relationships (or their risk management) are set out in primary legislation, principles, rules or guidance issued by the relevant regulatory or supervisory authorities and/or codified supervisory practices.

Current work:

In the European Union, the European Securities and Markets Authority (ESMA) has issued new guidelines on outsourcing to cloud service providers. The new ESMA guidelines, which entered into force on 31 July 2021, aim to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements.

In Ireland, the Central Bank of Ireland (CBI) has published a consultation on the CBI's proposed Cross-Industry Guidance on Outsourcing. The CBI recognises the increasing reliance of many regulated firms on outsourced service providers. This includes the use of both intragroup entities and third party providers, both regulated and unregulated. The guidance is being introduced to supplement existing sectoral legislation, regulations and guidelines on outsourcing, by setting out the CBI's expectations of good practice for the effective management of outsourcing risk.

Upcoming actions:

31 December 2022, ESMA guidelines apply to any cloud outsourcing arrangements entered into prior to 31 July 2021.

(Last updated: 20 September 2021)

Other relevant workstreams

Operational Resilience

Operational risk and resilience is expected to be a key regulatory focus over the coming years. The aim of regulators is to bring about change in how the finance industry thinks about operational resilience in order to build a more resilient financial system.

Cyber and Technology

In recent years, cyber security has increasingly become the top global risk for business, with regulators and policy-makers also paying increased attention to financial institutions’ cyber security planning.


The EU's Cross-Border Distribution of Funds Directive and Regulation came into force on 2 August 2021. Review of the AIFMD and the related Level 2 Regulation is currently ongoing. A European Commission proposal is expected in November/December 2021.


The EU's Cross-Border Distribution of Funds Directive and Regulation came into force on 2 August 2021. EU and UK confirm extension for the UCITS exemption under PRIIPs.

Other resources

EU Official Texts on Outsourcing

All of the directives, regulations, amending texts, ESA texts, etc. that apply with respect to outsourcing in Ireland and Luxembourg all in one spot.