On 26 July 2024, the European Supervisory Authorities ("ESAs") released the final report on draft regulatory technical standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions ("RTS") complementing the regulatory obligations under Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector ("DORA").
What is new in the final report on the rts?
- Apparent flexibilities in the implementation of the RTS...
- Proportionality principle: Article 1 of the draft RTS specifies the criteria that can be taken into consideration by financial entities ("FE") for the application of the requirements under the RTS in a proportionate way (including the size and overall risk profile of the FE). However, it is specified in the "Overview of the questions for consultation" attached to the RTS that the proportionality principle does not allow FEs to waive the requirements of the RTS.
- The RTS no longer require that the agreement between the ICT third-party service provider(s) ("ICT TPSP") and its sub-contractors "replicates" the agreement between the FE and its ICT TPSP but rather that it allows the FE to comply with its obligations under DORA and contain adequate audit, inspection and access rights, which is slightly more flexible (Article 3(1)c)). This amendment provides more flexibility to the FE when negotiating with their ICT TPSP.
- ...but reinforcement of the core obligations of the FE
- Obligation to specify in the agreement the responsibility of the latter for the provision of the services provided by the ICT subcontractors (Article 4(1)(a)).
Despite of the respondents' comments regarding the expected difficulties in implementing the requirements of the RTS, the ESAs have clearly reinforced the obligations of the FE, notably with respect to the agreement to be entered into between the FE and the ICT TSPT:
- Confirmation that the changes to the agreement shall be implemented in a timely manner and as soon as possible and that the FE shall document the planned timeline for updating agreements (Article 4(2)).
- Requirement that the chain of ICT subcontractors providing ICT services supporting critical or important functions is identified in the agreement and that this identification remains up to date over time in order for the FE to maintain its register of information (Article 5(1)).
Next steps
The RTS published on 26 July 2024 (as well as the previous batch published on 17 July 2024 as summarized in our newsflash of 19 July 2024) have been submitted to the European Commission, which will review them with the objective of adopting them formally in the coming months before the DORA implementation deadline (i.e. 17 January 2025).
Practical impact
With the publication of the RTS, the DORA package is now complete and it is becoming urgent for FEs to:
- list all agreements entered into by the FE with respect to the use of ICT services and identify which ones are supporting critical or important business functions;
- establish a planned timeline to update these agreements in light of DORA requirements; and
- document in writing all efforts undertaken to update these agreements (e.g. various contacts and follow-up with ICT TSPT).
Finally, it is expected that the largest ICT TPSP will now issue their template agreements in line with DORA requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.