Brief

The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today published their joint Final report on the draft Regulatory Technical Standards (RTS) specifying how to determine and assess the conditions for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Act (DORA). These RTS aim to enhance the digital operational resilience of the EU financial sector by strengthening financial entities’ ICT risk management over the use of subcontracting.

These RTS focus on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them. In addition, they specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, they require financial entities to assess the risks associated with subcontracting during the precontractual phase, including the due diligence process.

These RTS define requirements for the implementation and management of contractual arrangements on subcontracting conditions, to ensure that financial entities monitor the subcontractors effectively underpinning the ICT services that support critical or important functions, and remain in control of their risks.

Legal basis and background

Article 30(5) of the Digital Operational Resilience Act (DORA) mandates the ESAs to develop, through the Joint Committee, draft RTS to specify further the elements referred to in Article 30(2) point (a), which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions or material parts thereof. Article 30(2)(a) requires, where subcontracting is permitted, that the contractual arrangements with the third-party service provider specify the conditions applying to such subcontracting.
Today’s RTS follow the publication of the ESAs’ second batch of regulatory products under DORA.
 


European Banking Authority (EBA)
