DORA Regulation: RTS on Subcontracting ICT Services

DORA Regulation marks a significant shift in the EU financial sector, focusing on ICT services outsourcing and operational resilience. It mandates thorough risk assessments, longer contract negotiations, and enhanced infrastructure investment for financial institutions.

DORA Regulation: RTS on Subcontracting ICT Services
EU Regulatory Standards for ICT Subcontracting in Financial Entities

DORA Regulations: New Technical Standards for Financial Entities Subcontracting ICT Services

European Banking Authority keywords DORA Regulation ICT Services

In a significant development for the financial sector, the European Supervisory Authorities (ESAs) have unveiled a comprehensive draft of the Regulatory Technical Standards (RTS), a pivotal document under the Digital Operational Resilience Act (DORA), known formally as Regulation (EU) 2022/2554. This draft is particularly relevant for financial institutions that engage in outsourcing Information and Communication Technology (ICT) services, as it delineates the essential requirements for such practices.


The ESAs' announcement invites industry stakeholders to provide their input on this draft until March 2024, emphasizing the collaborative approach in shaping these critical standards. The RTS draft is a cornerstone in ensuring that financial entities not only identify but also meticulously manage the risks associated with subcontracting ICT services. This proactive risk assessment is mandated to occur in the initial, pre-contractual phase of any outsourcing agreement.


Moreover, the draft RTS stresses the importance of continuous monitoring and management of these ICT subcontracting arrangements. This ongoing oversight is crucial for maintaining operational resilience and safeguarding the financial sector's digital infrastructure. By setting these standards, the ESAs aim to equip financial institutions with a robust framework, enabling them to effectively oversee their entire ICT subcontracting chain, thereby enhancing the sector's overall digital resilience.


The consultation period represents a unique opportunity for stakeholders in the financial sector to contribute their insights and experiences, shaping the final form of these standards. Post-consultation, the ESAs plan to refine and finalize the RTS, with the objective of submitting it to the European Commission for adoption in July 2024. This process underscores the commitment of the European financial regulatory bodies to strengthen the operational resilience of the financial sector in an increasingly digitalized world.


By focusing on these developments, financial institutions can stay ahead in compliance and operational resilience, ensuring they are well-prepared for the evolving digital landscape in the financial industry.




DORA Regulation: A Key Shift in Financial Sector Dynamics


The Digital Operational Resilience Act (DORA) introduces a significant transformation within the European Union’s financial sector. Its draft Regulatory Technical Standards (RTS) focus on Information and Communication Technology (ICT) services outsourcing, marking a critical juncture for financial institutions. This regulation is specifically designed to enhance the operational resilience of entities such as banks, insurance companies, investment firms, and payment service providers.


Key aspects of DORA for financial institutions include:


  • Comprehensive Risk Assessments: Prior to engaging in any ICT subcontracting agreements, financial institutions must conduct thorough risk evaluations. This ensures a deeper understanding of potential risks associated with ICT subcontracting.

  • Extended Contract Negotiations: The need for in-depth risk assessments under DORA may lead to longer and more resource-intensive contract negotiations with ICT service providers.

  • Investment in Infrastructure: DORA mandates continuous monitoring and management of ICT subcontracting, necessitating significant investments in both ICT infrastructure and personnel training.



The DORA Regulation’s Broader Impact on ICT Services and Compliance Strategies


The DORA Regulation's influence extends beyond operational procedures within financial institutions; it also significantly impacts the ICT services market. The regulation is set to reshape the dynamics between financial entities and ICT service providers.


The broader impact of the DORA Regulation includes:


  • Preference for Risk-Managed ICT Services: Financial entities are likely to favor ICT service providers that excel in risk management and transparency.

  • Market Consolidation: This emerging preference could lead to a consolidation in the ICT services sector, intensifying competition among providers.

  • Engagement in Consultation Process: With the ESAs aiming to finalize the RTS by July 2024, financial institutions have a critical opportunity to influence the shaping of these standards.

  • Adaptation to Regulatory Changes: Proactive adaptation to these regulations is crucial for maintaining compliance and staying ahead in the evolving digital landscape of the financial industry.



Read More

Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions - European Banking Authority
These Regulatory Technical Standards (RTS) set out requirements and conditions for the use of subcontracted ICT services supporting critical or important functions or material parts. In particular, the RTS require that financial entities assess the risks associated with subcontracting during the precontractual phase; this includes the due diligence process.




Grand is Live

Check out our GPT4 powered GRC Platform

Sign up Free

Reduce your
compliance risks