DORA – Draft RTS to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions

By Simon Lovegrove (UK), Floortje Nagelkerke (NL) & Anna Carrier (BE) on July 25, 2024

On 26 July 2024, the European Supervisory Authorities (ESAs) published a Final Report on draft regulatory technical standards (RTS) to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act (DORA).

Article 30(2)(a) DORA requires from financial entities that:

“…the contractual arrangements on the use of ICT services shall include at least the following elements […] a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting.”

Article 30(5) of DORA provides:

“the ESAs shall, through the Joint Committee, develop draft regulatory technical standards to specify further the elements referred to in paragraph 2, point (a), which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.”

The draft RTS:

Sets out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting.
Requires financial entities to assess the risks associated with subcontracting during the precontractual phase including the due diligence process.
Sets out the requirements regarding the implementation, monitoring and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof ensuring that financial entities are able to monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions.

Next steps

The ESAs will submit the draft RTS to the European Commission for adoption.

Global Regulation Tomorrow

DORA – Draft RTS to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions

About

Topics

Archives