DORA: Demystifying the legal acts
Regulatory Technical Standards (RTS) on subcontracting ICT services supporting critical or important functions
In a significant step aimed at strengthening digital resilience within the European Union’s financial sector, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), opened a public consultation in December 2023 on the second batch of mandates under the Digital Operational Resilience Act (DORA).
Policy Focus: Building a Robust Digital Framework
This comprehensive package encompasses four draft regulatory technical standards (RTS), one set of draft implementing technical standards (ITS) and two sets of guidelines (GL). These policy instruments aim to ensure a consistent and harmonised legal framework in the areas of major ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and oversight of critical ICT third-party providers. By addressing these critical aspects, the ESAs aim to fortify the digital infrastructure of financial entities and ensure a resilient and secure operational environment.
Timeline
The consultation period is set to run until March 4, 2024, providing stakeholders and industry participants with a window to contribute their insights and feedback. This inclusive approach reflects the ESAs’ commitment to gathering diverse perspectives and ensuring that the resulting regulatory framework is well-informed and effective.
Aim of the RTS
The RTS aim to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions to ICT third-party service providers. The RTS also set out the requirements and conditions for the use of subcontracted ICT services, such as risk assessment, contractual arrangements, monitoring and termination rights.
Scope and timeline
The RTS apply to all financial entities that are subject to Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which covers credit institutions, investment firms, insurance and reinsurance undertakings, payment service providers, electronic money institutions, central securities depositories, central counterparties, trade repositories and credit rating agencies. The RTS also apply to ICT third-party service providers that provide ICT services supporting critical or important functions to financial entities. The public consultation on the draft RTS runs until 4 March 2024, and the ESAs aim to submit the final RTS to the European Commission for adoption in July 2024.
Summary of the RTS
The draft RTS consists of eight articles that cover the following aspects:
The current public consultation on the second batch of mandates, including Regulatory Technical Standards (RTS) on subcontracting ICT services, underscores the commitment to a robust and secure digital framework. As financial entities navigate the consultation period until March 4, 2024, it is imperative for them to actively participate, offering insights and feedback to shape the regulatory landscape. Organizations subject to DORA must diligently assess the draft RTS’s detailed requirements, such as risk assessments, contractual arrangements, and monitoring obligations. Taking proactive steps, financial entities should prioritize internal assessments and due diligence processes to align with the forthcoming regulations. Additionally, fostering collaboration with ICT third-party service providers is crucial for compliance. With the ESAs aiming to submit the final RTS to the European Commission in July 2024, stakeholders should use this opportunity to strengthen their digital operational resilience, ensuring a seamless transition into the new regulatory landscape.
BDO Malta: Your Partner for DORA Compliance
The European Union has set January 17th, 2025 as the deadline to achieve DORA compliance. While this might seem a distant target, in fact achieving DORA compliance is a very complex and challenging task which requires a concerted effort by the in-scope financial entities.
At BDO Malta, we understand the profound impact that the journey towards DORA compliance has on such organisations. Our team of regulatory and compliance technical experts is dedicated to helping your company navigate this complex environment. Our comprehensive range of services includes:
Is your company ready for DORA?
Get in touch with our Technology Team