DORA – ESAs Publish Draft Technical Standards on ICT Subcontracting

On 26 July 2024, the European Supervisory Authorities (EBA, EIOPA and ESMA, collectively, the “ESAs”) published their joint final report on the draft Regulatory Technical Standards (“RTS”) specifying the elements that a financial entity should determine and assess when subcontracting ICT services supporting critical or important functions under Article 30(5) of the Digital Operational Resilience Act (“DORA”). The RTS are intended to enhance the digital operational resilience of the financial services sector by improving in-scope entities’ ICT risk management, specifically with respect to ICT subcontracting.

Please see below for a brief summary of the contents of each article of the RTS:

  • Article 1 sets out the elements financial entities should consider when determining their size and risk profile and the nature, scale and complexity of their services, activities and operations, including the type of ICT services covered by the contractual arrangements; the location of any ICT subcontractor; the length of the chain of subcontractors used by an ICT third-party service provider; the nature of the data shared with ICT subcontractors; whether the provision of ICT services is concentrated in a single subcontractor or a small number of such subcontractors; and more.
  • Article 2 provides clarity on the applicability of the rules on ICT subcontracting under DORA to corporate groups, i.e. where DORA applies on a sub-consolidated or consolidated basis, the parent undertaking that is responsible for providing the consolidated or sub-consolidated financial statements for the group shall ensure that the conditions for subcontracting are implemented consistently in all group financial entities and are adequate for the effective application of DORA at all relevant levels.
  • Article 3 details the due diligence and risk assessment elements for financial entities to consider when subcontracting to support critical or important functions, including the due diligence processes implemented by the ICT third-party service provider who is subcontracting; the ability of a third-party service provider to identify, notify and inform the financial entity of any subcontractors in the chain of subcontracting; the financial entity having adequate expertise and resources to oversee the ICT service which has been subcontracted; the risks associated with the location of the potential subcontractors; and more.
  • Article 4 sets out the requirement that contractual arrangements identify which ICT services are eligible for subcontracting and under which conditions. For instance, for each eligible ICT service, the contractual agreement between the financial entity and the ICT third-party service provider shall specify that the third-party service provider remains responsible for the services provided by any ICT subcontractors; that the ICT third-party service provider is required to monitor all subcontracted services to ensure that its own contractual obligations to the financial entity are continuously met; and more.
  • Article 5 sets out the conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function, including that the contract between the financial entity and the ICT third-party service provider must provide for the chain of ICT subcontractors to be identified; that the identification of the chain is kept up to date over time; and more.
  • Article 6 addresses material changes to the subcontracting arrangements for ICT services supporting critical or important functions.
  • Article 7 sets out the conditions under which a financial entity can exercise its right to terminate contractual arrangements with the ICT third-party service provider.

DORA will be fully enforceable as of 17 January 2025. Given the complexity of the DORA requirements, businesses should consider assessing whether they are in scope of DORA, either as a financial entity or as an ICT third-party service provider. In addition, they should review the requirements set out in DORA, in particular those relating to ICT third-party risk management, and develop strategies for minimising risk under DORA and other European and international cyber laws.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.