DORA Regulation: ICT Service Subcontracting in Finance

On July 26, 2024, the European Supervisory Authorities (ESAs) published the Final Report on the draft Regulatory Technical Standards (RTS), as mandated by Article 30(5) of DORA.

DORA Regulation


The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, represents a landmark regulatory framework aimed at fortifying the digital operational resilience of financial entities across the European Union. As digital transformation accelerates within the financial sector, the reliance on Information and Communication Technology (ICT) services has become pivotal to operational efficiency and customer satisfaction. Recognising the critical importance of ICT in financial operations, DORA establishes stringent standards to mitigate risks associated with ICT service subcontracting.


On July 26, 2024, the European Supervisory Authorities (ESAs) published the Final Report on the draft Regulatory Technical Standards (RTS), as mandated by Article 30(5) of DORA. These RTS provide a detailed blueprint for financial entities to manage and assess the risks involved in subcontracting ICT services that support critical or important functions. This comprehensive guide delves into the intricate technical and regulatory aspects of these draft RTS, highlighting the essential elements financial entities must determine and assess to ensure compliance and operational resilience.





Objectives of DORA Regulation


The primary objective of DORA is to establish a harmonised regulatory framework that enhances the resilience of financial entities against ICT-related disruptions. By setting forth clear guidelines and standards, DORA aims to:


  • Enhance Risk Management: Ensure robust mechanisms for identifying, assessing, and mitigating ICT risks.
  • Standardise Practices: Promote uniformity in ICT risk management practices across the EU, ensuring a level playing field.
  • Improve Oversight: Strengthen the supervisory capabilities of regulatory bodies through standardised reporting and compliance requirements.
  • Increase Resilience: Boost the overall resilience of financial entities against cyber threats, operational failures, and other ICT-related risks.

Key Provisions of DORA and the Draft RTS


Article 30(2)(a) - Contractual Arrangements


DORA mandates that financial entities include specific elements in their contractual arrangements when using ICT services. These elements must encompass a clear and complete description of all functions and ICT services provided by the ICT third-party service provider. It must also indicate whether the subcontracting of ICT services supporting critical or important functions, or their material parts, is permitted and under what conditions.


Article 30(5) - Development of Draft RTS


Article 30(5) of DORA empowers the ESAs, through the Joint Committee, to develop draft RTS that further specify the elements mentioned in Article 30(2)(a). These standards are crucial for financial entities to determine and assess the subcontracting of ICT services supporting critical or important functions.




Detailed Analysis of the Draft RTS


Requirements for Subcontracting ICT Services


The draft RTS set forth comprehensive requirements for financial entities when subcontracting ICT services. These requirements are divided into several key areas:


Permitted Subcontracting Conditions


Financial entities must clearly define the conditions under which ICT services supporting critical or important functions can be subcontracted. These conditions must be explicitly stated in the contractual agreements with ICT third-party service providers.


Risk Assessment During Pre-contractual Phase


Financial entities are required to conduct thorough risk assessments associated with subcontracting ICT services during the pre-contractual phase. This includes a rigorous due diligence process to evaluate potential risks and ensure the ICT third-party service provider can meet the necessary standards.


Implementation, Monitoring, and Management


The draft RTS outline the requirements for the implementation, monitoring, and management of contractual arrangements concerning subcontracting conditions. Financial entities must have robust systems in place to monitor the entire subcontracting chain of ICT services supporting critical or important functions, ensuring continuous oversight and management of risks throughout the subcontracting lifecycle.


Group Context Application


The draft RTS address the application of these standards in a group context. Parent undertakings in the EU or Member States must ensure that subcontracting ICT services supporting critical functions is consistently implemented across their subsidiaries. This ensures group-wide management of ICT third-party risks.


Responsibilities and Governance


The use of ICT subcontractors does not absolve financial entities or their management bodies of responsibility for risk management and compliance. The draft RTS emphasise the need for sound governance arrangements, including risk management and internal controls, throughout the lifecycle of subcontracting arrangements.


Quality Assurance


To ensure that subcontracted ICT services are provided with the necessary quality, financial entities must assess the resources, expertise, and organisational structure of ICT third-party providers and their subcontractors. This includes evaluating their financial, human, and technical resources, ICT security arrangements, and internal controls.




Policy Issues Considered in Draft RTS Development


Policy Issue 1: Monitoring the Chain of Subcontracting


Options Considered


  • Option A: Monitoring the associated ICT risks along the entire ICT subcontracting chain, focusing on subcontractors that effectively underpin the provision of critical functions.
  • Option B: Monitoring the associated ICT risks over a limited number of subcontractors.
  • Option C: Relying wholly on direct ICT third-party providers for monitoring associated risks.

Preferred Option


Option A was chosen as it ensures financial entities are ultimately responsible for assessing risks across the entire ICT subcontracting chain and complying with legislative and regulatory obligations.


Policy Issue 2: Application of Proportionality


Options Considered


  • Option A: No need to specify criteria for the application of the proportionality principle.
  • Option B: Specifying further elements of reduced or increased risk to be considered for proportionality.

Preferred Option


Option B was selected to provide clearer guidance for diverse financial entities on implementing proportionality in compliance with the RTS requirements.


Policy Issue 3: Definition of ICT Services and Critical and Important Functions


Options Considered


  • Option A: Relying on DORA definitions but providing detailed criteria regarding "critical and important functions" and "ICT services".
  • Option B: Referring to DORA definitions only.

Preferred Option


Option B was preferred to maintain flexibility and ensure the definitions remain relevant across different types of financial entities.


DORA Regulation: Cost-Benefit Analysis / Impact Assessment


The draft RTS include a detailed cost-benefit analysis and impact assessment. This section evaluates the potential costs and benefits of implementing the RTS for financial entities, third-party providers, and the broader financial sector.


Potential Costs


  • Implementation Costs: Financial entities may incur costs to implement the new standards, including updating contracts, enhancing due diligence processes, and improving monitoring and reporting systems.
  • Operational Costs: Continuous monitoring and assessment of ICT subcontractors require resources, including personnel training and technological investments.
  • Compliance Costs: Ensuring compliance with the new standards might involve legal and consultancy fees, as well as costs related to audits and inspections.

Potential Benefits


  • Enhanced Risk Management: Improved identification, assessment, and management of ICT risks can reduce the likelihood and impact of disruptions in critical services.
  • Increased Resilience: A standardised approach to managing ICT third-party risks enhances the overall digital operational resilience of financial entities.
  • Regulatory Alignment: Compliance with EU-wide standards ensures a level playing field, facilitating smoother operations across borders and reducing regulatory arbitrage.
  • Market Stability: By mitigating concentrated ICT risks, the standards contribute to the stability of the financial market.



DORA Draft RTS: Overall Impact on Financial Entities


The draft RTS aim to ensure financial entities have an exhaustive approach to subcontracting ICT services, covering all steps of the life cycle of such ICT third-party contractual arrangements. This includes assessing associated risks along the entire ICT subcontracting chain and ensuring compliance with legislative and regulatory obligations.


Harmonising practices regarding the use of subcontracting will benefit financial entities by creating transparency regarding regulatory requirements and supervisory expectations. This will facilitate compliance and reduce the costs of implementing the required processes. Additionally, standardised contractual requirements will strengthen the negotiating position of financial entities when dealing with ICT third-party service providers.
