The three European Supervisory Authorities (ESAs) have published their final report on the draft regulatory technical standards (RTS) specifying how to determine and assess the conditions for subcontracting ICT services that support critical or important functions under the Digital Operational Resilience Act (DORA).
The ESAs, namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), have published several draft RTS on DORA as companies across the European Union prepare to become fully compliant by 17 January 2025. The ESAs are also helping companies prepare for DORA with a ‘dry run’ exercise on the reporting of registers of information.
“These RTS aim at enhancing the digital operational resilience of the EU financial sector by strengthening the financial entities’ ICT risk management over the use of subcontracting,” the ESAs stated.
This set of RTS focuses on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them. In addition, they specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, they require financial entities to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process.
“Requirements for the implementation and management of contractual arrangements on subcontracting conditions are defined with these RTS, to ensure that financial entities monitor the subcontractors effectively underpinning the ICT services that support critical or important functions and remain in control of their risks,” the ESAs stated.