ESAs Publish Draft Standards for ICT Subcontracting Under DORA
On 26 July 2024, the European Supervisory Authorities (EBA, EIOPA, and ESMA, collectively known as the “ESAs”) published their joint final report on the draft Regulatory Technical Standards (RTS) under the Digital Operational Resilience Act (DORA). These standards aim to enhance the digital operational resilience of the financial services sector by improving ICT risk management, especially concerning ICT subcontracting. The RTS outline specific elements that financial entities must assess when subcontracting ICT services supporting critical or important functions.
Article 1 of the RTS outlines the factors financial entities should consider when determining their size, risk profile, and the nature, scale, and complexity of their services, including the type of ICT services covered by contractual arrangements and the location of ICT subcontractors. It also addresses the length of the subcontracting chain and the concentration of ICT services to a single or a few subcontractors. Article 2 clarifies the applicability of DORA’s ICT subcontracting rules to corporate groups, ensuring consistent implementation across all group financial entities.
Article 3 details the due diligence and risk assessment elements for financial entities when subcontracting critical functions, including the due diligence processes of ICT third-party service providers and the financial entity’s ability to oversee the subcontracted ICT service. Article 4 emphasizes the need for clear contractual arrangements that specify eligible ICT services for subcontracting and the conditions under which these services can be subcontracted. It also mandates that ICT third-party service providers monitor all subcontracted services to ensure compliance with their contractual obligations.
Articles 5 through 7 provide further conditions for subcontracting, including the identification and updating of the ICT subcontracting chain, handling material changes to subcontracting arrangements, and the conditions under which financial entities can terminate contracts with ICT third-party service providers. With DORA becoming fully enforceable on 17 January 2025, businesses must assess their compliance with DORA and develop strategies to manage ICT risk under European and international cyber laws.