CySEC aligns local rules with European digital resilience standards

The Cyprus Securities and Exchange Commission (CySEC) recently announced the adoption of European guidelines on outsourcing to cloud service providers, while it also issued a reminder regarding updated stress test rules for money market funds.

The developments were outlined in two separate circulars which together address cloud outsourcing arrangements for certain depositaries and requirements for fund managers.

In the first circular, CySEC explained that it has adopted the latest European standards for outsourcing to cloud service providers, which apply to specific entities operating in Cyprus’ investment sector.

The guidelines are addressed to depositaries of alternative investment funds and depositaries of collective investment schemes (UCITS), specifically in cases where these depositaries are not already covered by the newer Digital Operational Resilience Act (DORA).

CySEC explained that the scope of these rules has been revised because the DORA regulation now governs digital operational resilience for most financial entities across the European Union.

Because of this new framework, previous cloud outsourcing standards no longer apply to financial entities that are already captured by the DORA regulation.

As a result, the revised guidelines now focus exclusively on certain depositaries that remain outside the scope of that specific legislation.

The regulator clarified that the revision does not change the actual requirements but instead narrows their application to ensure they remain relevant to the entities still covered by them.

These standards were issued under the founding regulations of the European Securities and Markets Authority (ESMA) to ensure consistent and effective supervisory practices across the EU.

They are intended to support a uniform application of regulatory requirements whenever a financial firm moves its data or services to the cloud.

The guidelines are directed at both the national supervisory authorities and the supervised entities themselves.

In total, the framework includes nine separate guidelines designed to help firms and regulators identify and manage risks linked to cloud outsourcing.

These cover essential issues such as the initial decision to move to the cloud, the selection of a specific provider, and the ongoing monitoring of those outsourced activities.

They also include requirements related to exit strategies, ensuring that firms have a plan in place if they need to end a relationship with a cloud provider.

CySEC confirmed that these guidelines are now in effect following their official publication in all European Union languages.

The regulator also stated that this new circular replaces the previous guidance issued on the subject in July 2021.

In a separate circular, C760, CySEC addressed updated European guidelines regarding stress test scenarios for money market funds.

The relevant circular was addressed to managers of alternative investment funds and management companies that fall under CySEC’s supervision.

The regulator reminded these entities that the European authorities issued updated stress testing parameters on February 24, 2025.

CySEC explained that these guidelines apply to national authorities, money market funds, and the professionals who manage them.

They relate specifically to the legal framework that governs how these funds must conduct regular resilience testing.

Under these guidelines, common reference points are established for the scenarios that must be used when funds test their ability to withstand market shocks.

These parameters aim to ensure greater consistency in how funds assess potential risks, thereby strengthening the stability of the entire sector.

CySEC explained that these updated standards became applicable two months after their official publication in all EU languages.

However, the regulator clarified that while some specific updates follow this new timeline, other core provisions remain applicable based on the original implementation dates of the money market fund laws.

CySEC also stated that this circular replaces the previous guidance on the same subject that was issued in April 2024.

The regulator concluded by urging regulated entities to make every effort to comply with the guidelines where they apply.