ARTICLE
2 August 2024

New Dora Standards Prompt ICT Subcontracting Revisions: Elvinger Hoss Prussen

ELVINGER HOSS PRUSSEN, société anonyme

Contributor

Independent in structure and spirit, Elvinger Hoss Prussen guides clients on their most critical Luxembourg legal matters. Committed to excellence and creativity in legal practice, our firm delivers the best possible advice for businesses, institutions and entrepreneurs, playing a unique role in the development of Luxembourg as a financial centre.

The European supervisory authorities' final report on Digital Operational Resilience Act standards for ICT subcontracting highlights the urgent need for financial entities to revise their service agreements, according to the law firm Elvinger Hoss Prussen.

The three European financial supervisory authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority) jointly published the final report on draft regulatory technical standards (RTS) for subcontracting information and communication technology (ICT) services. Released on 26 July 2024, this report outlines the essential elements that financial entities must consider when subcontracting ICT services for critical or important functions, in accordance with the EU regulation on digital operational resilience for the financial sector (Dora).

According to Anaïs Sohler and Sophie Dupin, partners at the law firm of Elvinger Hoss Prussen, the final RTS introduces some new flexibilities in implementation. Article 1 of the draft RTS allows financial entities to apply the requirements proportionately, considering factors such as size and overall risk profile. However, the ESAs clarified that the proportionality principle does not permit financial entities to waive the requirements of the RTS.

Sohler and Dupin observed in a note for clients that the RTS no longer require that agreements between ICT third-party service providers (ICT TPSPs) and their subcontractors replicate the agreement between the financial entity and its ICT TPSP. Instead, these agreements must enable the financial entity to comply with its Dora obligations and include adequate audit, inspection and access rights. This amendment provides more flexibility for financial entities during negotiations, according to Sohler and Dupin.

According to the duo, despite feedback regarding implementation challenges, the ESAs have reinforced the core obligations for financial entities. These obligations include clearly specifying the ICT TPSP's responsibility for services provided by subcontractors. Changes to the agreement must be implemented promptly, with the financial entity required to document the planned timeline for updating agreements. Additionally, agreements must identify and maintain an up-to-date record of all ICT subcontractors involved in providing critical or important functions, commented Sohler and Dupin.

The RTS have been submitted to the European Commission for review, with the aim of formal adoption before the Dora implementation deadline of 17 January 2025, stated the partners.

Implications

With the publication of the RTS, the Dora framework is now complete, noted Sohler and Dupin, who said that financial entities must urgently undertake several actions.

They need to review all agreements related to ICT services and identify those supporting critical or important business functions. Dupin added, "Luxembourg entities under the scope of Dora need to establish a planned timeline to update their agreements with ICT third-party service providers." Sohler remarked that the financial entities "should in addition document their efforts when negotiating with these service providers to be able to show these efforts to the Luxembourg financial regulator, the CSSF."

Sohler and Dupin anticipated that the largest ICT TPSPs will soon issue template agreements in line with Dora requirements.

This article first appeared in Delano on 2 August 2024
