On 26 July 2024, the 3 European Supervisory Authorities (ESAs) (the European Banking Authority – EBA, European Insurance and Occupational Pensions Authority – EIOPA and European Securities and Markets Authority – ESMA) published their Joint Final Report on the draft RTS specifying how to determine and assess the conditions for subcontracting ICT services that support critical or important functions under DORA. The RTS strengthen the financial entities’ (FEs’) ICT risk management over the use of subcontracting. They focus on ICT services provided by ICT subcontractors that support critical or important functions or material parts of them, specify the requirements throughout the lifecycle of contractual arrangements between FEs and ICT third-party service providers (TPSPs) and provide requirements for the implementation and management of contractual arrangements on subcontracting conditions. The RTS require FEs to assess risks associated with subcontracting during the precontractual phase, including the due diligence process.
The ESAs will submit the draft RTS to the Commission for adoption.