In a significant step aimed at strengthening digital resilience within the European Union's financial sector, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), opened a public consultation in December 2023 on the second batch of mandates under the Digital Operational Resilience Act (DORA).
This comprehensive package encompasses four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight of critical ICT third-party providers. By addressing these critical aspects, the ESAs aim to fortify the digital infrastructure of financial entities and ensure a resilient and secure operational environment.
Policy Focus: Building a Robust Digital Framework
The consultation period is set to run until March 4, 2024, providing stakeholders and industry participants with a window to contribute their insights and feedback. This inclusive approach reflects the ESAs' commitment to gathering diverse perspectives and ensuring that the resulting regulatory framework is well-informed and effective.
Aim of the RTS
The RTS aim to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions to ICT third-party service providers. The RTS also set out the requirements and conditions for the use of subcontracted ICT services, such as risk assessment, contractual arrangements, monitoring and termination rights.
The RTS apply to all financial entities that are subject to the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, which covers credit institutions, investment firms, insurance and reinsurance undertakings, payment service providers, electronic money institutions, central securities depositories, central counterparties, trade repositories, and credit rating agencies. The RTS also apply to ICT third-party service providers that provide ICT services supporting critical or important functions to financial entities. The public consultation on the draft RTS runs until 4 March 2024, and the ESAs aim to submit the final RTS to the European Commission for adoption in July 2024. The current public consultation on the second batch of mandates, including the Regulatory Technical Standards (RTS) on subcontracting ICT services, underscores the commitment to a robust and secure digital framework.
Scope and timeline
As financial entities navigate the consultation period until March 4, 2024, it is imperative for them to actively participate, offering insights and feedback to shape the regulatory landscape. DORA in-scope entities must diligently assess the draft RTS's detailed requirements, such as risk assessments, contractual arrangements, and monitoring obligations. Taking proactive steps, financial entities should prioritize internal assessments and due diligence processes to align with the forthcoming regulations. Additionally, fostering collaboration with ICT third-party service providers is crucial for compliance. With the ESAs aiming to submit the final RTS to the European Commission in July 2024, stakeholders should use this opportunity to strengthen their digital operational resilience, ensuring a seamless transition into the new regulatory landscape.
We are pleased to share BDO's deep dive into the contents of the Regulatory Technical Standards (RTS) on subcontracting ICT services supporting critical or important functions.