Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) establishes the EU legislative framework for enhancing digital resilience within the EU’s financial industry. Enforcement commences on 17th January 2025, and the EU Commission is tasked with issuing Regulatory Technical Standards (“RTS”) which supplement DORA.
The EU Commission publishes the RTS in the Official Journal as Commission Delegated Regulations, but they are largely based on the input of the European Supervisory Authorities (“ESAs”), which comprise ESMA, EBA and EIOPA.
The draft RTS submitted to the European Commission so far are split into three batches, and the MFSA has issued a circular for each:
- MFSA Circular on the 19th of January 2024 with the first set of RTS submitted to the EU Commission on the 17th of January 2024
- MFSA Circular on the 18th of July 2024 with the second set of RTS submitted to the EU Commission on the 17th of July 2024
- MFSA Circular on the 31st of July 2024 with the third submission to the EU Commission, which was exclusively on ICT subcontracting. The ESAs submitted these standards on the 26th of July 2024.
So far, only the first set of RTS, together with other related Level II regulations, has been published in the Official Journal. In a circular dated the 12th of September 2024 and titled “Commission Delegated Regulations under Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector Published in the EU Official Journal (Update 1)”, the MFSA outlined the topics covered by the published RTS. The following are the EU Commission Delegated Regulations (“CDR”) published so far in relation to DORA:
- CDR 2024/1773: Specifies the detailed content required in policies for contractual arrangements with ICT third-party service providers. These policies concern the use of ICT services that support critical or important functions.
- CDR 2024/1774: Outlines the regulatory technical standards for ICT risk management, including tools, methods, processes, and policies. It also provides a simplified framework for managing ICT risks.
- CDR 2024/1772: Establishes criteria for classifying ICT-related incidents and cyber threats. It sets materiality thresholds and details the requirements for reporting major incidents.
- CDR 2024/1502: Defines the criteria for designating ICT third-party service providers as critical to financial entities, identifying providers whose services are essential for financial stability.
- CDR 2024/1505: Determines the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and specifies the payment procedures for these fees.
The second set of RTS covers the standards for assessing the cumulative costs or damages arising from significant ICT-related incidents, criteria for outsourcing ICT services that are essential to critical or important functions, a structured approach for conducting threat-led penetration testing (TLPT), protocols for the notification of substantial ICT-related incidents, and mechanisms for coordination between the ESAs and national competent authorities to ensure consistent oversight under DORA.
From a practical point of view, the RTS that will affect most Maltese entities in scope of DORA is the third draft publication, on the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions, as mandated by Article 30(5) of DORA.
Draft RTS on ICT subcontracting
The draft RTS on ICT subcontracting under DORA (referred to in the MFSA circular of the 31st of July mentioned above) outlines requirements for financial entities when subcontracting ICT services that support critical or important functions. These standards specify the elements a financial entity must assess to ensure compliance with DORA’s provisions on ICT third-party risk management. The RTS mandates that financial entities conduct thorough risk assessments during the pre-contractual phase, including due diligence processes, to evaluate the potential risks associated with subcontracting ICT services. Furthermore, the standards emphasise the need for continuous monitoring and management of contractual arrangements related to subcontracting ICT services, ensuring that financial entities maintain the ability to supervise the entire ICT subcontracting chain. This includes monitoring all entities within the subcontracting chain, whether they are within the same group or external third-party providers, as specified in DORA.
The draft RTS clarifies that financial entities retain full responsibility for managing their risks, regardless of the involvement of third-party ICT providers or subcontractors. Intragroup ICT subcontracting, even when conducted within the same institutional protection scheme, is not treated differently from external subcontracting. Financial entities must ensure that ICT subcontractors, whether internal or external, meet the same regulatory requirements as set out by DORA.
Furthermore, the draft RTS on ICT subcontracting also provides requirements for applying these standards in a group context, ensuring consistent implementation across all relevant levels within a financial group. This approach aims to facilitate a unified management of ICT third-party risks at a group-wide level, taking into account both intragroup and external subcontracting arrangements.
Moreover, the draft RTS on ICT subcontracting provides detailed provisions regarding the entire lifecycle of contractual arrangements with ICT third-party service providers. It includes guidelines from the planning phase—prior to entering into an agreement—covering risk assessments and due diligence, to the ongoing monitoring, auditing, and eventual termination of such contracts. It also mandates that financial entities ensure that the subcontracted ICT services meet required levels of quality and security, with adequate resources, expertise, and infrastructure in place.
The draft RTS aligns with existing EU guidelines on outsourcing and ICT risk management but is tailored to address the unique risks presented by ICT subcontracting under the DORA framework, enhancing harmonisation across the EU’s financial sector.
These draft standards on ICT sub-outsourcing aim to improve transparency and ensure effective supervision and compliance throughout the subcontracting chain in terms of DORA’s five pillars, especially the pillar on monitoring outsourcing.
DORA applies to a wide range of financial entities and ICT service providers within the EU – with enforcement commencing on 17th January 2025.
To assist with preparation, including information on whether DORA is applicable to an entity, we have launched a dedicated microsite on DORA.
This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact the DORA team at: dora@mamotcv.com