On Tuesday, 8 December 2020, the outgoing German Presidency of the Council held another working group to continue its substantive review of the European Commission’s proposal for regulation on digital operational resilience in financial services (DORA). On the agenda for discussion was, among other, in-depth review of certain provisions concerning third-party ICT service providers. Key issues discussed included:
Key principles for a sound management of ICT third party risk
- In advance of a meeting last week, the Presidency prepared a note listing key points for discussion. This focused mainly on the interaction between DORA and the relevant outsourcing provisions included in sectoral legislation. Taking into the account comments previously expressed by Member States and a non-paper prepared by the Commission specifically for the purpose of last week’s discussion, the Presidency asked for delegations’ views about the proposed complementary nature of the existing sector specific rules on outsourcing and DORA, and on the ESA Guidelines on Outsourcing having to – potentially – be reviewed, and also on the need to further clarify the relationship between the provisions in DORA and sectoral rules.
Oversight framework of critical ICT third-party service providers
- In order to structure the discussions last week, the Presidency prepared a short note summarising key issues that warrant more in-depth review. This includes the definitions of ICT, ICT third-party service providers and critical ICT third-party service providers, and their interaction with the Article 28 DORA provisions on designation of critical third-party ICT service providers. Noting that neither of the definitions is exhaustive, the Presidency sought Member States’ views on this interaction between the definitions and Article 28 DORA provisions. In respect of the criteria for designation of critical third-party ICT service providers, the Presidency noted that some delegations requested further clarification and asked for further information as to which provisions should prospectively be amended.
- Some Member States also requested further clarification regarding certain provisions concerning third-party ICT service providers located in third countries. This in particular pertains to the proposed DORA provisions prohibiting EU financial entities from using the services of third-party ICT service providers that are located in third-countries and that would be deemed “critical” if established in the EU – unless they have “business/presence in the Union”. The qualification of what is meant by “business/presence in the Union” was deemed particularly unclear and was the subject of further discussion. Finally, the proposed oversight structure for the critical third-party ICT service providers – and in particular placing responsibilities of a “Lead Overseer” upon one of the European Supervisory Authorities – was also on the agenda for last week’s discussion.