The European Commission has adopted a draft delegated regulation under the Digital Operational Resilience Act (DORA). The regulatory technical standards (RTS) bring greater clarity to “the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions”.
The rules cover, among other things, proportionality, due diligence, and the conditions under which ICT services may be subcontracted.
Under proportionality, financial entities are now required to take into account their size and overall risk profile when considering the choice of ICT subcontractors, the location of those subcontractors, and the type of ICT services that “support critical or important functions”. Consideration should be given, for example, to whether the ICT subcontractors are authorised or subject to oversight by a competent authority in a member state.
Under due diligence, financial entities should only enter into contractual agreements with ICT third-party service providers if several conditions have been met. One of these conditions is that the ICT third-party service provider has the ability to “select and assess the operational and financial abilities of potential ICT subcontractors”, including through their participation in digital operational resilience testing under DORA.
The RTS in this draft regulation have been developed on the basis of the responses to a consultation paper published on 8 December 2023. The regulation will enter into force on the 20th day following its publication in the Official Journal of the European Union.