European Union: Drafted Regulatory Technical Standards on the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

Description

Drafted Regulatory Technical Standards on the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers

On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a draft Regulatory Technical Standard (RTS) to further harmonise ICT risk management tools, methods, processes and policies as mandated under DORA. These proposed RTS outline governance, risk management, and internal control requirements for financial entities when engaging ICT third-party service providers, aiming to ensure control over operational risks, information security, and business continuity throughout the contractual lifecycle. The draft standard relies on the definition of critical functions provided in DORA without adding detailed criteria to maintain flexibility. Regarding governance arrangements for ICT services supporting critical functions, the standard specifies responsibilities, policy review frequency, and the role of internal controls to ensure effective oversight, mandating coverage of the entire contractual lifecycle to manage risks effectively from pre-phase to exit. The standard would mandate the same risk assessment requirements for both third-party and intra-group ICT service providers to ensure consistency and risk mitigation but different approaches for due diligence to reflect the known entities in intra-group arrangements. In particular, the standard would require independent sources for assessing third-party service providers to ensure objectivity and reliability. Finally, the draft standard includes specific contractual clauses specified in the regulation to ensure clarity and standardisation, as well as requiring continuous monitoring to ensure compliance with contractual arrangements and regulatory requirements. The European Commission will review the drafted technical standard with the aim of adopting it.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
digital payment provider (incl. cryptocurrencies), DLT development, infrastructure provider: cloud computing, storage and databases
Implementation Level
supranational
Government Branch
executive
Government Body
other regulatory body

Complete timeline of this policy change

Hide details
2023-11-16
in consultation

On 16 November 2023, the European Commission released the Draft Regulatory Technical Standards outl…

2023-12-14
processing consultation

On 14 December 2023, the European Commission closed its public consultation on the Draft Regulatory…

2024-01-10
under deliberation

On 10 January 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published a dr…