ESAs publish joint final report on the draft technical standards on subcontracting under DORA
On July 26, 2024, the three European Supervisory Authorities (ESAs), namely:
- the European Banking Authority (EBA),
- the European Insurance and Occupational Pensions Authority (EIOPA), and
- the European Securities and Markets Authority (ESMA),
published their joint final report on the draft Regulatory Technical Standards (RTS).
These standards define the rules for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Regulation (DORA).
Purpose and Significance of the New Standards
The aim of these Regulatory Technical Standards (RTS) is to enhance the operational resilience of the EU financial sector by improving the management of ICT risks related to subcontracting by financial entities.
The ESAs are required to jointly develop these standards to precisely define the elements that financial entities must consider when assessing and implementing the subcontracting of ICT services supporting critical or important functions.
This task is mandated by Article 30(5) of Regulation (EU) 2022/2554, known as DORA. When developing these RTS, the ESAs had to consider the size, risk profile, and the nature, scale, and complexity of the financial entities’ activities.
In line with DORA, the RTS set out the requirements for financial entities when using subcontracted ICT services that support critical or important functions. The standards also specify the conditions that must be met when subcontracting such services.
What the RTS Contains
According to the report, Article 30(2)(a) of DORA requires financial entities to include in their contracts for ICT services a clear and comprehensive description of all ICT functions and services to be provided by the external ICT service provider. The contracts must specify whether subcontracting of ICT services supporting critical or important functions (or material parts thereof) is permitted, and if so, the terms and conditions applicable to such subcontracting.
The RTS particularly emphasizes the obligation for financial entities to assess the risks associated with subcontracting at the pre-contractual stage, including due diligence. The standards also set out requirements for the implementation, monitoring, and management of subcontracting agreements for ICT services supporting critical or important functions, ensuring that financial entities can effectively monitor the entire ICT subcontracting chain.