The three European supervisory authorities (EBA, EIOPA and ESMA): They) published today joint summary report on draft regulatory technical standards (RTS), that they mention how to determine and evaluate information and communication technology (ICT) subcontracting terms which support essential or critical functions according to Regulation (EU) 2022/2554 (DORA).
Requirements set by DORAimplementation and management of contractual agreements on the sub-contractual conditions set forth in this RTS, which are aimed at ensure that financial institutions effectively supervise subcontractors of ICT services That support for critical or important functionsand who are therefore in control risks adequately connected.
L’art 30, paragraph 5DORA effectively mandates ESAs to develop, through a joint committee, RTS projects to be more specific elements, is indicatedart 30, paragraph 2, letter a), that isthe financial institution must determine and evaluate; when authorizes the subcontracting of ITC services that support essential or critical functionsor substantial parts thereof.
L’art 30(2)(a) DORA essentially provides that in case of subcontracting by ICT suppliers contractual agreements with a third party IT service provider the conditions applicable to such subcontractingmore specifically, financial entities shall enter into contractual agreements regarding the use of ICT servicesThat:
- includes at least one description clear and complete with all ICT functions and services to be provided by the ICT service provider
- mentionPossible authorization of subcontracting of ITC service supporting an essential or important function or significant parts thereof
- with permission: the terms of this subcontract.
The RTS published today by the ESAs therefore, in summary, sets out requirements regardingimplementational monitoring and to contract management regarding subcontract conditions, For use of ITC services that support essential or critical functions or relevant parts thereof.
These requirements will help financial institutions comply with DORA by allowing them to:
- assess risks associated with the subcontract at the pre-contract stage through the process proper diligence
- control The entire subcontracting chain of ICT services that support important or critical functions.