Regulatory Whitepaper

ESMA Guidelines:
Operational Resilience for Investment Management

ESMA's expectations for ICT outsourcing, cloud adoption, and operational continuity — and how they align with a replatforming-first continuity strategy.

Updated January 2026 | ESMA | AIFMD | UCITS | MiFID II

Executive Summary

The European Securities and Markets Authority has progressively strengthened its expectations around ICT outsourcing and operational resilience for investment firms, fund managers, and market infrastructure operators. Across AIFMD, UCITS, and MiFID II, ESMA's guidelines create consistent requirements for exit planning, service continuity, and demonstrable resilience. This paper examines the key ESMA guidance applicable to firms using critical ICT vendors and explains how DORAssure's architecture supports compliance.

ESMA's Role in ICT Resilience

ESMA does not directly supervise ICT service providers, but it sets the regulatory expectations that national competent authorities apply when supervising financial entities. Its guidelines on outsourcing — across AIFMD, UCITS, and MiFID II frameworks — have consistently required that outsourcing arrangements for critical functions include robust exit strategies.

With DORA's entry into force in January 2025, ESMA's role in ICT risk has expanded. ESMA is one of three European Supervisory Authorities (ESAs) with joint authority over the DORA framework, and it leads the oversight of critical ICT third-party service providers serving investment management entities.

For investment managers, the interplay between DORA and the existing AIFMD/UCITS/MiFID II outsourcing frameworks creates layered obligations. ESMA's guidance on both must be read together.

ESMA Guidelines on Outsourcing

ESMA's Guidelines on outsourcing to cloud service providers (ESMA50-157-2403, 2021) — applicable to AIFMs, UCITS management companies, and MiFID investment firms — set out requirements that remain in force alongside DORA.

Exit planning requirements

The guidelines require documented exit strategies that cover both orderly exit and exit in distressed circumstances. They explicitly require assessment of whether the firm could maintain continuity of service during a transition and whether the exit strategy is "realistic and has been tested."

Concentration risk

ESMA requires firms to assess concentration risk arising from reliance on a single ICT provider for critical functions. Where substitutability is limited — as it typically is for bespoke trading or risk management systems — firms must demonstrate credible alternatives, not merely document them.

Sub-outsourcing chains

Where a third-party ICT provider itself relies on sub-providers for critical infrastructure, ESMA expects firms to understand and assess the full chain. DORAssure's architecture is designed to be independent of the incumbent vendor's sub-provider relationships — our build environment operates separately from the vendor's stack.

MiFID II Organisational Requirements

Commission Delegated Regulation (EU) 2017/565 under MiFID II requires investment firms to maintain organisational arrangements that are appropriate to ensure continuity and regularity in the performance of investment services. For firms whose front-office or post-trade systems are outsourced to critical ICT vendors, this creates direct obligations around business continuity.

"Investment firms shall establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to their systems and procedures, the preservation of essential data and functions, and the maintenance of investment services and activities."

— MiFID II Delegated Regulation Article 21

Where that continuity depends on a third-party vendor, the firm cannot delegate responsibility for it. The firm remains liable. DORAssure's model makes that obligation enforceable — with a contractual SLA, tested activation process, and clear handover documentation.

AIFMD and UCITS: Fund-Level Obligations

Alternative investment fund managers and UCITS management companies face additional obligations under their respective frameworks. Delegation arrangements must satisfy specific conditions, and supervisors apply heightened scrutiny to arrangements where the manager's operational capabilities are substantially dependent on the delegated party.

For managers relying on technology vendors for portfolio management, risk systems, or investor reporting, this creates a direct line between ICT resilience and licensing risk. A failure to demonstrate credible exit capability may constitute a deficiency in organisational arrangements — a supervisory ground for intervention.

DORAssure's ESMA Alignment

Tested exit strategy

Quarterly full build-and-deploy exercises produce documented evidence that the exit strategy has been tested — directly satisfying ESMA's requirement that exit plans be "realistic and tested."

Concentration risk mitigation

DORAssure operates as a structurally independent continuity provider — architecturally separate from your ICT vendor's stack, with its own build infrastructure and on-call engineering team.

Regulatory audit trail

Replatforming to modern standards produces clean IP and auditable architecture documentation — supporting supervisory review and satisfying the evidential burden that regulators increasingly expect from investment firms.

Demonstrate ESMA-aligned continuity

Request an assessment of your current outsourcing and exit planning arrangements.