ESAs published joint final Report on the draft technical standards on subcontracting under DORA

On July 26, 2024, the three European Supervisory Authorities (ESAs), namely:

  • the European Banking Authority (EBA), 
  • the European Insurance and Occupational Pensions Authority (EIOPA), and
  • the European Securities and Markets Authority (ESMA),

published their joint final report on the draft Regulatory Technical Standards (RTS).

These standards define the rules for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Regulation (DORA).

Purpose and Significance of the New Standards

The aim of these Regulatory Technical Standards (RTS) is to enhance the operational resilience of the EU financial sector by improving the management of ICT risks related to subcontracting by financial entities.

The ESAs are required to jointly develop these standards to precisely define the elements that financial entities must consider when assessing and implementing the subcontracting of ICT services supporting critical or important functions.

This task is mandated by Article 30(5) of Regulation (EU) 2022/2554, known as DORA. When developing these RTS, the ESAs had to consider the size, risk profile, and the nature, scale, and complexity of the financial entities’ activities.

In line with DORA, the RTS outline the requirements for financial entities when using subcontracted ICT services that support critical or important functions. The standards also specify the conditions that must be met when subcontracting such services.

What the RTS Contains

According to the report, Article 30(2)(a) of DORA requires financial entities to include in their contracts for ICT services a clear and comprehensive description of all ICT functions and services to be provided by the external ICT service provider. The contracts must specify whether subcontracting of ICT services supporting critical or important functions (or significant parts thereof) is permitted, and if so, the terms and conditions applicable to such subcontracting.

The RTS particularly emphasizes the obligation for financial entities to assess the risks associated with subcontracting at the pre-contractual stage, including due diligence. The standards also set out requirements for the implementation, monitoring, and management of subcontracting agreements for ICT services supporting critical or important functions, ensuring that financial entities can effectively monitor the entire ICT subcontracting chain.

Author: Piotr Glapiński, team leader, DKP Legal