c. assign roles, responsibilities and sufficient resources to manage exit plans and the transition of
activities;
d. define success criteria for the transition of outsourced functions and data; and
e. define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under
Section 14), including indicators based on unacceptable service levels that should trigger the exit.
European Insurance and Occupational Pension Authority (EIOPA)
On 6 February 2020, EIOPA also issued Guidelines on outsourcing to cloud service providers which include specific
requirements on termination rights and exit strategies.
Guideline 15 – Termination rights and exit strategies
55. In case of cloud outsourcing of critical or important operational functions or activities, within the cloud
outsourcing agreement the undertaking should have a clearly defined exit strategy clause ensuring that it is able
to terminate the arrangement, where necessary. The termination should be made possible without detriment to
the continuity and quality of its provision of services to policyholders. To achieve this, the undertaking should:
a. develop exit plans that are comprehensive, service based, documented and sufficiently tested (for example,
by carrying out an analysis of the potential costs, impacts, resources and timing implications of the various
potential exit options);
b. identify alternative solutions and develop appropriate and feasible transition plans to enable the
undertaking to remove and transfer existing activities and data from the cloud service provider to
alternative service providers or back to the undertaking. These solutions should be defined with regard to
the challenges that may arise because of the location of data, taking the necessary measures to ensure
business continuity during the transition phase;
c. ensure that the cloud service provider adequately supports the undertaking when transferring the
outsourced data, systems or applications to another service provider or directly to the undertaking;
d. agree with the cloud service provider that once retransferred to the undertaking, its data will be completely
and securely deleted by the cloud service provider in all regions.
56. When developing exit strategies, the undertaking should consider the following:
a. define objectives of the exit strategy;
b. define the trigger events (for example, key risk indicators reporting an unacceptable level of service) that
could activate the exit strategy;
c. perform a business impact analysis commensurate to the activities outsourced to identify what human and
other resources would be required to implement the exit plan and how much time it would take;
d. assign roles and responsibilities to manage exit plans and transition activities;
e. define success criteria of the transition.
European Securities and Markets Authority (ESMA)
On 3 June 2020 ESMA as a third European supervisory authority opened a public consultation on outsourcing to
cloud service providers. At the time of writing of this whitepaper this document is still in consultation format, but
it provides insight into the expectations set forward by this authority. Guideline 5 of this principles based
document covers exit strategies:
44. In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit cloud
outsourcing arrangements without undue disruption to its business activities and services to its clients, and without
any detriment to its compliance with the applicable legal requirements, as well as the confidentiality, integrity and
availability of its data. To achieve this, a firm should: