DORA Regulation: RTS on Subcontracting ICT Services

DORA Regulation marks a significant shift in the EU financial sector, focusing on ICT services outsourcing and operational resilience. It mandates thorough risk assessments, longer contract negotiations, and enhanced infrastructure investment for financial institutions.

EU Regulatory Standards for ICT Subcontracting in Financial Entities

DORA Regulations: New Technical Standards for Financial Entities Subcontracting ICT Services


The European Supervisory Authorities (ESAs) have released a thorough draft of the Regulatory Technical Standards (RTS), a crucial document under the Digital Operational Resilience Act (DORA), officially known as Regulation (EU) 2022/2554, which is a significant development for the banking sector. Because it outlines the necessary conditions for outsourcing information and communication technology (ICT) services, this draft is especially pertinent to financial institutions.


The ESAs' statement highlights the collaborative process behind these standards and invites industry stakeholders to submit their opinions on the draft until March 2024. The draft RTS is one of the most important tools for ensuring that financial organizations properly identify and manage the risks involved in subcontracting ICT services. This proactive risk assessment must form part of the first, pre-contractual stage of every outsourcing transaction.


Furthermore, the draft RTS emphasizes how crucial it is to manage and monitor these ICT subcontracting agreements continuously. Preserving the digital infrastructure of the financial sector and ensuring operational resilience require constant monitoring. The ESAs hope to improve the sector's overall digital resilience by providing financial institutions with a strong framework that will allow them to manage their whole ICT subcontracting chain.


Stakeholders in the financial sector have a rare opportunity to shape the final form of these standards by contributing their ideas and experiences during the consultation period. Following the consultation, the ESAs intend to refine and finalize the RTS and submit it to the European Commission for adoption in July 2024. This approach demonstrates the European financial regulatory authorities' commitment to strengthening the sector's operational resilience in an increasingly digitalized world.


Financial institutions may maintain a competitive edge in terms of compliance and operational resilience by keeping a close eye on these changes. This will also help them to stay ready for the rapidly changing digital landscape of the financial sector.




DORA Regulation: A Key Shift in Financial Sector Dynamics


The European Union's banking sector is about to undergo a major transition because of the Digital Operational Resilience Act (DORA). Its draft Regulatory Technical Standards (RTS), which center on the outsourcing of information and communication technology (ICT) services, mark an important turning point for financial institutions. The purpose of this rule is to improve the operational resilience of businesses including payment service providers, banks, insurance companies, and investment firms.


Key aspects of DORA for financial institutions include:


  • Thorough Risk Assessments: Financial institutions are required to carry out comprehensive risk assessments before entering into any ICT subcontracting arrangements. This guarantees a more thorough comprehension of the possible hazards related to ICT subcontracting.

  • Prolonged Contract Discussions: DORA's requirement for thorough risk assessments may lead to prolonged and resource-intensive contract negotiations with ICT service providers.

  • Infrastructure Investment: DORA requires ongoing oversight and administration of ICT subcontracting, which calls for large expenditures in both IT infrastructure and employee development.



The DORA Regulation’s Broader Impact on ICT Services and Compliance Strategies


The DORA Regulation has a substantial impact on the ICT services industry in addition to operational procedures within financial institutions. The law is expected to change how financial institutions and ICT service providers interact.


The broader impact of the DORA Regulation includes:


  • Preference for Risk-Managed ICT Services: Financial entities are likely to prefer ICT providers that excel at risk management and transparency.

  • Market Consolidation: As a result of this growing preference, there may be more competition among providers of ICT services, which would cause a consolidation in the market.

  • Participation in the Consultation Process: Financial institutions have a crucial chance to shape the RTS, as the ESAs intend to conclude it by July 2024.

  • Adaptation to Regulatory Changes: Proactive adaptation to these requirements is needed to stay ahead in the financial industry's ever-evolving digital ecosystem and to preserve compliance.



Read More

Joint Regulatory Technical Standards on subcontracting ICT services supporting critical or important functions - European Banking Authority
These Regulatory Technical Standards (RTS) set out requirements and conditions for the use of subcontracted ICT services supporting critical or important functions or material parts. In particular, the RTS require that financial entities assess the risks associated with subcontracting during the precontractual phase; this includes the due diligence process.
