The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) today published their joint Final report on the draft Regulatory Technical Standards (RTS) specifying how to determine and assess the conditions for subcontracting information and communication technology (ICT) services that support critical or important functions under the Digital Operational Resilience Act (DORA). These RTS aim to enhance the digital operational resilience of the EU financial sector by strengthening financial entities’ ICT risk management where they rely on subcontracting.
These RTS focus on ICT services provided by ICT subcontractors that support critical or important functions, or material parts of them. In addition, they specify the requirements throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, they require financial entities to assess the risks associated with subcontracting during the precontractual phase, including the due diligence process.
These RTS also define requirements for the implementation and management of contractual arrangements on subcontracting conditions, to ensure that financial entities effectively monitor the subcontractors underpinning the ICT services that support critical or important functions and remain in control of the associated risks.