On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a draft Regulatory Technical Standard (RTS) to further harmonise ICT risk management tools, methods, processes and policies, as mandated under DORA. The proposed RTS sets out governance, risk management and internal control requirements for financial entities that engage ICT third-party service providers, with the aim of keeping operational risk, information security and business continuity under control throughout the contractual lifecycle. The draft relies on DORA's own definition of critical or important functions and deliberately adds no further criteria, so as to preserve flexibility. For the governance of ICT services supporting critical or important functions, the draft specifies responsibilities, how often the relevant policy must be reviewed, and the role of internal controls in ensuring effective oversight; it requires the policy to cover the entire contractual lifecycle, from the pre-contractual phase through to exit, so that risks are managed at every stage. The draft would apply the same risk assessment requirements to third-party and intra-group ICT service providers, for consistency and risk mitigation, but would allow a different approach to due diligence for intra-group arrangements, reflecting that the counterparties there are already known to the entity. For third-party providers in particular, the draft would require the assessment to draw on independent sources, to ensure objectivity and reliability. Finally, the draft incorporates the contractual clauses required by the regulation, for clarity and standardisation, and requires continuous monitoring of compliance with both the contractual arrangements and the regulatory requirements. The European Commission will now review the draft technical standard with a view to adopting it.