
ESAs publish Final Report and Joint Guidelines on exchange of supervisory information in the context of DORA

Written by

Dr. Michael Huertas

RegCORE – Client Alert | EU Digital Single Market

QuickTake

On 17 July 2024, the Joint Committee of the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), published a Final Report and the final Joint Guidelines on oversight cooperation and information exchange between the ESAs and competent authorities under the Digital Operational Resilience Act (DORA). The Joint Guidelines are intended to apply from 17 January 2025, the date from which DORA itself applies.

DORA introduced a pan-European oversight framework that applies to (i) financial sector entities’ dealings with, as well as (ii) the activities of, information and communication technology (ICT) third-party service providers designated as critical (CTPPs). Each of the ESAs and the (national) competent authorities ((N)CAs) has received new roles and supervisory responsibilities under DORA. The ESAs, specifically when acting as Lead Overseer (LO), are responsible for exercising oversight activities in respect of CTPPs, issuing recommendations and following up with CTPPs on those recommendations. NCAs participate in the LO’s oversight of CTPPs as part of Joint Examination Teams (JETs) (see our separate Client Alert on the composition of JETs) and follow up with financial sector entities concerning the risks identified in the respective recommendations. For the purposes of this framework, financial sector entities are those entities that fall within the scope of DORA as defined in Article 2 of DORA and that use ICT services provided by CTPPs; they have to comply with DORA and the relevant financial regulations, manage their ICT third-party risk and take into account the recommendations issued by the LO. CTPPs are those ICT third-party service providers that have been designated as critical by the ESAs, or have requested to be so designated, and that provide ICT services supporting the supply of financial services by financial sector entities; they are subject to the oversight of the LO and have to cooperate in good faith, provide information and follow the recommendations issued by the LO.

The final Joint Guidelines are the latest means of operationalising a consistent and convergent supervisory approach and thus of further establishing a level playing field where financial sector entities use ICT services provided by CTPPs across EU Member States. Close cooperation between NCAs and the ESAs, through (but not limited to) the mutual exchange of information and the provision of assistance in the context of relevant supervisory activities, is thus crucial. So too is a coordinated approach to oversight activities, so as to avoid duplication and overlap in the activities aimed at monitoring CTPPs’ risks. It is expected that all NCAs will confirm to the ESAs that they intend to comply with the Joint Guidelines.

This Client Alert, which should be read in conjunction with further analysis available on the EU RegCORE Thought Leadership website, assesses the aims and outcomes of the Joint Guidelines and what the impact is for both financial services firms and their DORA-relevant dealings.

Key takeaways from the Joint Guidelines

The ESAs ran a public consultation on their proposed draft Joint Guidelines between 8 December 2023 and 4 March 2024 and received 29 responses to that Consultation Paper. The ESAs noted that respondents broadly welcomed the Joint Guidelines and that the final Joint Guidelines have been updated, as appropriate, to reflect the feedback received.

Timely cooperation and communication are central to the proper functioning of DORA’s framework for how oversight and supervision are conducted (the Oversight Framework). The Oversight Framework involves the following main actors:

  1. the LO, one of the ESAs appointed according to Article 31(1)(b) of DORA and responsible for carrying out the oversight tasks and being the single point of contact for the CTPPs;
  2. the (N)CAs, identified in Article 46 of DORA and responsible for supervising the compliance of financial sector entities with DORA and other relevant financial regulations; and 
  3. the other two ESAs that have not been appointed as LO for a particular CTPP, which are involved in the oversight activities through their participation in the JETs as defined in Article 40 and in the Joint Oversight Network (JON) as defined in Article 34 of DORA.

The Joint Guidelines set out the practical application of the Oversight Framework on an inter-institutional basis, i.e. as between the ESAs and the (N)CAs. The Joint Guidelines are divided into four sections: (i) general considerations; (ii) designation of CTPPs; (iii) core oversight activities; and (iv) follow-up of the recommendations. The scope of the Joint Guidelines relates only to Section II of Chapter V (Articles 31-44) of DORA and does not cover articles related to tasks that apply only to one specific (N)CA or ESA, or that apply to financial entities and CTPPs, or to the cooperation among (N)CAs or among the ESAs.

The first section of the Joint Guidelines sets out some general principles and modalities for the cooperation and information exchange between the ESAs and the (N)CAs. The ESAs and the (N)CAs should make available the information referred to in the Joint Guidelines by electronic means, unless agreed otherwise, and should establish single points of contact in the form of a dedicated institutional/functional email address for information exchanges. The ESAs and the (N)CAs should also use a dedicated secure online tool to share information, which should be limited to the information specified in the Joint Guidelines and any additional information necessary for the LO and the (N)CAs to carry out their respective duties under DORA. The ESAs and the (N)CAs should ensure that the information exchanged is accurate, complete, relevant and timely, and that it is treated as confidential and protected from unauthorised use or disclosure. The ESAs and the (N)CAs are also reminded that they should “also respect the linguistic diversity of the EU and ensure that the information exchanged is clear and inclusive for all parties”. It remains to be seen whether and how this will operate in practice, in particular given the technical subject matter in scope.

The second section of the Joint Guidelines deals with the information exchanges between the ESAs and the (N)CAs for the purposes of designating as CTPPs those ICT third-party service providers that are critical for financial entities. (N)CAs should make available to the ESAs the full register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers, as required by Article 28(3) of DORA, without undue delay following receipt of the register of information from financial entities. Furthermore, (N)CAs should also make available to the ESAs any relevant quantitative or qualitative information at their disposal to facilitate the criticality assessment envisaged in Article 31(2) of DORA, taking into account the delegated act adopted by the European Commission. The ESAs should make use of Article 35(2) of their founding regulations to request the full register of information and any additional information from the (N)CAs; the formats and procedures for the transmission of the information will be specified in a joint Board of Supervisors’ Decision in 2024 (see separate coverage to follow from our EU RegCORE).

Within 10 working days of receiving a request from an ICT third-party service provider to be designated as critical under Article 31(11) of DORA, the ESAs should make available to the (N)CAs of the financial entities using that provider’s ICT services the provider’s legal name, identification code and country of registered office and, if it belongs to a group, those of the parent group. The LO should also share with the (N)CAs of the financial entities using the ICT services provided by a CTPP: (i) any notification by the CTPP of changes to the structure of the management of its subsidiary established in the EU under Article 31(13) of DORA, within 10 working days following receipt from the CTPP; and (ii) the legal name, identification code and country of registered office of an ICT third-party service provider designated as critical under Article 31(1)(a) of DORA and, if it belongs to a group, those of the parent group, within 10 working days after the notification of the designation decision has been submitted to that provider.

The third section of the Joint Guidelines covers the information exchanges between the LO and the (N)CAs in relation to the core oversight activities, namely the oversight plans, the general investigations and the inspections. Prior to the finalisation of the annual oversight plan referred to in Article 33(4) of DORA, the LO should make available the draft annual oversight plan to the (N)CAs of the financial entities using the ICT services provided by a CTPP. The draft annual oversight plan should include the type, scope, objectives and timeframe of the envisaged general investigations or inspections. (N)CAs may provide comments on the draft annual oversight plan within 30 working days following receipt. Within 10 working days following adoption, the LO should make available to the (N)CAs the annual oversight plan and the multi-annual oversight plan. The LO should also make available any material updates to the annual oversight plan and the multi-annual oversight plan to the (N)CAs without undue delay following the adoption of the updates, and (N)CAs may provide comments on such material updates within 30 working days following receipt. Keeping to these processes and timeframes is where inter-institutional pressure and/or delays are most likely to arise, given the availability of resources and other constraints.

At least three weeks before the start of a general investigation or inspection under Articles 38(5), 39(3) and 36(1) of DORA, or with the shortest possible delay in the case of an urgent investigation or inspection, the LO should inform the (N)CAs of the financial entities using the ICT services provided by the CTPP of the identity of the persons authorised to conduct the general investigation or inspection. The authorised persons include the members of the JET, the staff of the LO and the staff of the other ESAs. The LO should also inform the (N)CAs where the authorised persons find that a CTPP opposes an inspection, including by imposing unjustified conditions on the inspection, under Article 39(7) of DORA.

The LO should make available to the JON and the (N)CAs the relevant scope of any request for information submitted to the CTPP under Articles 36(1) and 37(1) of DORA, within 10 working days following the adoption of the request. The LO should also inform the (N)CAs of: any major incidents with direct or indirect impact on financial entities within the EU when reported by the CTPP, including relevant details to determine the significance of the incident for financial entities and to assess possible cross-border impacts; any relevant changes in the strategy of the CTPP on ICT third-party risk(s); any events that could represent an important risk to the continuity and sustainability of the provision of ICT services; and any reasoned statement submitted by the CTPP evidencing the expected impact of the draft oversight plan on customers which are entities falling outside the scope of DORA and, where appropriate, formulating solutions to mitigate risks. Correspondingly, (N)CAs should make available to the LO any communications from the CTPP to the (N)CAs concerning matters related to oversight, and should remind the CTPP that the LO is its primary point of contact for all such matters.

The fourth section of the Joint Guidelines deals with the information exchanges between the LO and the (N)CAs to ensure the follow-up of the recommendations issued by the LO to CTPPs under Article 35(1)(d) of DORA. The LO should make available to the (N)CAs of the financial entities using the ICT services provided by a CTPP the following information, within 10 working days following receipt from the CTPP or adoption by the LO, as applicable:

  1. the notification of the CTPP that it will follow the recommendations issued by the LO, together with the remediation plan prepared by the CTPP;
  2. the reasoned explanation of the CTPP for not following the recommendations;
  3. the report specifying the actions that have been taken or the remedies that have been implemented by the CTPP;
  4. the fact that the CTPP failed to send the notification within 60 calendar days after the issuance of the recommendations;
  5. the assessment as to whether the CTPP’s explanation for not following the LO’s recommendations is deemed sufficient and, if so, the LO’s decision concerning any amendment of the recommendations;
  6. the assessment of the reports specifying the actions taken or remedies implemented by the CTPP;
  7. any decision imposing a periodic penalty payment on the CTPP; and
  8. the assessment as to whether the refusal of the CTPP to endorse the recommendations could adversely impact a large number of financial sector entities, or a significant part of the financial sector.

The Joint Guidelines equally reinforce the point that, where a CTPP has not endorsed, in whole or in part, the recommendations addressed to it by the LO, (N)CAs should make available to the LO the following information, within 10 working days following adoption by the (N)CA, the consultation with the NIS2 authorities, or receipt of the information from financial entities, as applicable:

  1. the notification to a financial entity of the possibility of a decision being taken, where the (N)CA deems that the financial sector entity fails to take into account, or to sufficiently address within its management of ICT third-party risk, the specific risks identified in the recommendations issued by the LO;
  2. the individual warnings issued by the (N)CA and the relevant information allowing the LO to assess whether such warnings have resulted in consistent approaches mitigating the potential risk to financial stability;
  3. where possible, the outcome of the consultation, prior to taking a decision, with the authorities designated under the EU’s NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU; the authorities designated under it supervise essential and important entities, some of which may also be designated as CTPPs);
  4. the material changes to existing contractual arrangements between financial entities and CTPPs made to address the risks identified in the recommendations; and
  5. the start of execution of financial entities’ exit strategies and transition plans.

The Joint Guidelines also specify that (N)CAs should inform the LO of their intention to notify a financial sector entity of the possibility of a decision being taken if the financial entity does not adopt appropriate contractual arrangements to address the specific risks identified in the recommendations, in accordance with Article 42(4) of DORA. (N)CAs should also make available to the LO all relevant information regarding the possible decision and highlight whether they intend to adopt an urgent decision. After receipt of the information, the LO should assess the potential impact such a decision might have for the CTPP whose services would be temporarily suspended or terminated. The LO should make that assessment available to the (N)CAs concerned within 10 working days from receipt of the information, or with the shortest possible delay in the case of an urgent decision. Where two or more (N)CAs plan to take or have taken decisions regarding financial entities making use of ICT services provided by the same CTPP, the LO should inform them of any inconsistent or divergent supervisory approaches that could lead to an uneven playing field where financial entities are using the ICT services provided by a CTPP across Member States.

Key considerations and challenges for firms

DORA’s regulatory requirements and the expectations set in the Oversight Framework have wide-reaching implications for both financial sector entities and CTPPs. The Joint Guidelines aim to clarify how the ESAs and (N)CAs cooperate and, in doing so, also cement the tone and timing of the supervisory engagement that firms will face. Firms will want to be aware of how the Joint Guidelines are supposed to operate and how (N)CAs and the ESAs move to this new state of cooperation in furtherance of the Oversight Framework’s objectives. One area that remains particularly important concerns potential inconsistencies or divergences in the supervisory approaches of different (N)CAs regarding the same CTPP. Firms will want to seek clarification from the LO and/or the (N)CAs where needed.

These challenges include, but are not limited to, the following:

  1. The designation of CTPPs will require a complex and dynamic assessment of the criticality, substitutability and interconnectedness of the ICT services provided to financial sector entities, taking into account the potential impact of ICT-related incidents on the financial system and the public interest. The Joint Guidelines provide some criteria and indicators for this assessment, but also leave room for discretion and judgment by the ESAs and the (N)CAs. The designation process will also involve consultation and notification mechanisms between the ESAs and the (N)CAs, as well as with the CTPPs and the financial sector entities concerned. The Joint Guidelines set out the procedural steps and timelines for these mechanisms, but also acknowledge the need for flexibility and adaptation to the specific circumstances of each case. The designation of CTPPs will have significant implications for their contractual and operational arrangements with financial sector entities, as well as for their compliance with the DORA requirements and the oversight activities of the ESAs and the (N)CAs.
  2. The core oversight activities will entail a range of supervisory tools and measures that the ESAs and the (N)CAs can use to monitor, assess and address the ICT-related risks and vulnerabilities of CTPPs and financial sector entities. These include, among others, information requests, on-site inspections, audits, testing, reporting and recommendations. The Joint Guidelines provide some guidance on the scope, frequency and intensity of these activities, but also stress the need for proportionality, coordination and cooperation among the ESAs and the (N)CAs, as well as with the CTPPs and the financial sector entities involved. The core oversight activities will pose significant operational and legal challenges for CTPPs and financial sector entities, such as ensuring the availability, accuracy and security of the information requested, complying with the recommendations issued, and managing the potential conflicts of laws and jurisdictions that may arise from the cross-border nature of the ICT services and of the Oversight Framework, as well as the further requirements set by certain (N)CAs, including the European Central Bank, on a number of related conceptual matters.
  3. The follow-up of the recommendations will require the ESAs and the (N)CAs to monitor and evaluate the implementation and effectiveness of the recommendations issued to the CTPPs and the financial sector entities, as well as to take further actions if necessary. The Joint Guidelines specify the roles and responsibilities of the ESAs and the (N)CAs in this regard, as well as the information and reporting obligations of the CTPPs and the financial sector entities. The follow-up of the recommendations will also involve the possibility of imposing sanctions or penalties for non-compliance, as well as the right to appeal or challenge the recommendations or the sanctions before the ESAs or the competent courts. The Joint Guidelines refer to the relevant provisions of DORA and the sectoral legislation for these matters, but also highlight the need for consistency and cooperation among the ESAs and the (N)CAs, as well as with the CTPPs and the financial sector entities concerned. The follow-up of the recommendations will have significant legal and reputational consequences for the CTPPs and the financial sector entities, as well as for the credibility and effectiveness of the Oversight Framework.

Importantly and in addition to the above, firms will also have to generally be prepared for the possibility of receiving individual warnings or decisions from the (N)CA, requiring them to adopt or amend their contractual arrangements with CTPPs, or to cease using their ICT services, if the (N)CA deems that they fail to address the specific risks identified in the recommendations issued by the LO. The Joint Guidelines clarify the timing around how and when such warnings or decisions are processed through the Oversight Framework.

Given the above, firms will have to review and update their internal policies, procedures and controls to ensure compliance with the Oversight Framework and the Joint Guidelines and to provide adequate training and awareness to their staff and management on the new requirements and expectations.

More fundamentally, firms will have to consider the implications of the Oversight Framework and the Joint Guidelines on their strategic and operational decisions regarding the selection, use and termination of ICT services provided by CTPPs and the costs and benefits associated with them.

Finally, firms will have to ensure that they have adequate exit strategies and transition plans in place in case they need to switch or discontinue the use of ICT services provided by CTPPs and that they can maintain their operational continuity and resilience in such scenarios.

Outlook and next steps

The publication of the Joint Guidelines marks a significant step in the implementation of DORA, which will have a profound impact on the digital operational resilience of financial sector entities and their ICT third-party service providers. The Joint Guidelines aim to ensure a consistent and effective application of DORA’s Oversight Framework across the EU, based on cooperation and information exchange between the ESAs and the (N)CAs. However, the Joint Guidelines also raise some practical and legal challenges for the parties involved, as well as for the firms and CTPPs subject to the Oversight Framework.

In light of these challenges, it is essential for the CTPPs and the financial sector entities to prepare for the entry into force of the Joint Guidelines and the operationalisation of the Oversight Framework and to anticipate and mitigate the potential risks and impacts on their business operations and relationships.

About us

PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures. This creates a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary, with version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where they may require action to be taken in such policies and procedures.

The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.