ESAs publish joint report and draft RTS on subcontracting ICT services supporting critical or important functions under DORA
RegCORE – Client Alert | EU Digital Single Market
QuickTake
As evidenced on 19 July 2024, major IT outages, including those caused by a simple yet apparently defective “content update”, can quickly cascade into systemic cyber incidents. The Crowdstrike “Blue Screen of Death” outage that rapidly hit industries across the world, affecting everything from cancelled flights through to a breadth of delays and disruptions across banking, payments, healthcare and shopping, has highlighted the fragility that regulatory reforms focusing on digital operational resilience aim to fix. The outage also sharpened awareness of contracting and subcontracting chains. So too have the findings of a cyber-resilience stress test conducted by the European Central Bank (ECB), acting in its capacity as the head of the Banking Union’s Single Supervisory Mechanism (SSM), with results published on 26 July 2024 (see details here and further Thought Leadership coverage from our EU RegCORE). In general, the stress test revealed that, of the 109 banks surveyed, many have established response and recovery frameworks; however, there are still some areas that could be enhanced. These matters are being addressed individually as part of the ECB-SSM led Supervisory Review and Evaluation Process (SREP). Every bank was required to complete a questionnaire and provide documentation for the supervisors to review. Additionally, a subset of 28 banks was selected for more thorough examination. The 81 banks participating in the standard assessment were asked to complete a questionnaire and provide supporting evidence, including SSM cyber incident reporting notifications, internal policies and procedures related to ICT risk, and the results of previous IT recovery tests with a scenario similar to that of the 2024 SSM cyber resilience stress test. Furthermore, the 28 banks participating in the enhanced assessment were also required to conduct a real IT recovery test that aligns with the 2024 SSM cyber resilience stress test scenario. They were also expected to provide evidence of a successful recovery. In addition, these banks underwent an on-site inspection to ensure further quality assurance.
As coincidence would have it, the Joint Committee of the European Supervisory Authorities (ESAs), representing the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), on 26 July 2024 published a joint report and draft regulatory technical standards (RTS) on subcontracting information and communication technology (ICT) services that support critical or important functions (Joint Final Report and DORA Subcontracting RTS available here). This new RTS and the ESAs’ “second batch of regulatory products” (see here and detailed Thought Leadership coverage from our EU RegCORE) aim to support the operationalisation of the EU’s Digital Operational Resilience Act (DORA) regulatory and oversight framework.
The DORA Subcontracting RTS focus on ICT services provided by subcontractors that support critical or important functions, or material components of them. They further specify the requirements throughout the lifecycle of contractual arrangements between financial entities (in scope of DORA) and ICT third-party service providers (equally in scope of DORA). Financial entities are required to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process.
This Client Alert assesses the requirements of the DORA Subcontracting RTS on financial services firms and the supervisory expectations of the ESAs, the (national) competent authorities ((N)CAs) and the ECB-SSM in line with DORA, its Oversight Framework and more broadly. The analysis in this Client Alert should be read in conjunction with further Thought Leadership coverage from our EU RegCORE.
Key takeaways from DORA Subcontracting RTS
DORA introduced a pan-European oversight framework (the Oversight Framework) that applies to (i) financial sector entities’ dealings with, as well as (ii) the activities of, information and communication technology (ICT) third-party service providers designated as critical (CTPPs). (Financial sector entities are those entities that fall within the scope of DORA, as defined in Article 2 of DORA, and that use the ICT services provided by CTPPs. They have to comply with DORA and the relevant financial regulations, manage their ICT third-party risk and take into account the recommendations issued by the LO. CTPPs are those ICT service providers that have been designated as critical by the ESAs, or have requested to be designated as such, and that provide ICT services that support the supply of financial services by financial sector entities. They are subject to the oversight of the LO and have to cooperate in good faith, provide information and follow the recommendations issued by the LO.) Each of the ESAs and the (national) competent authorities ((N)CAs) has received new roles and supervisory responsibilities under DORA. The ESAs, specifically when acting as Lead Overseer (LO), are responsible for exercising oversight activities in respect of CTPPs, issuing recommendations and following up with CTPPs on those recommendations. NCAs participate in the LO’s oversight of CTPPs as part of Joint Examination Teams (JETs) (see the Client Alert on the composition of JETs available here) and follow up with financial sector entities concerning the risks identified in the respective recommendations.
After identifying weaknesses in contracting and subcontracting, the ESAs were mandated under DORA to assess key regulatory principles, which are set out in the joint report that provides context to the rules and supervisory expectations in the DORA Subcontracting RTS. Like most of DORA’s requirements on contracting, the DORA Subcontracting RTS are jurisdiction and governing-law agnostic. That being said, governing law and jurisdiction specifics matter, in particular where these change concepts and principles along (sub-)contracting chains. Unless catered for, such changes may introduce conceptual gaps and breaks in chains that require remedy, in particular where the relevant contractual arrangements along the chain follow different types and forms of agreements, or have evolved in a legacy manner with multiple amendments across multiple documents and with neither a clear inventory of relevant arrangements nor an established documentation hierarchy.
The DORA Subcontracting RTS apply to financial entities as defined under DORA, which includes a broad range of institutions such as credit institutions, investment firms, insurance undertakings and others. The standards are designed to ensure that these entities can manage and monitor the risks associated with subcontracting ICT services, particularly those that are critical or important to their operations. The RTS are binding and directly applicable across all Member States, ensuring a harmonised approach to the management of ICT third-party risk in the financial sector. These RTS should be read alongside the other RTS on contracting more generally.
The DORA Subcontracting RTS emphasise the principle of proportionality, taking into account the size, structure, and internal organisation of financial entities, as well as the nature and complexity of their activities. This principle is crucial for ensuring that the requirements are applied in a manner that is appropriate for all financial entities, regardless of their scale. The standards provide criteria for assessing risks associated with subcontracting, including the type of ICT services, the location of subcontractors, and the length of the subcontracting chain.
In summary, the DORA Subcontracting RTS state that financial entities must:
- thoroughly assess risks associated with subcontracting during the pre-contractual phase, including the due diligence process, taking into account the size and the overall risk profile of the financial entity and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, both in the context of its contracting and of further subcontracting. This includes assessing the operational and financial capabilities of potential ICT subcontractors and ensuring that contractual arrangements with subcontractors allow financial entities to comply with their own legal and regulatory obligations;
- implement, monitor and manage contractual arrangements regarding subcontracting conditions. These arrangements must include clear descriptions of all functions and ICT services to be provided, indicating whether subcontracting is permitted and under what conditions. The standards also require financial entities to monitor the performance of ICT service provision and any relevant changes within their subcontracting chain. For financial entities that are part of a group, the RTS stipulate that the parent undertaking must ensure consistent implementation of subcontracting conditions across all group entities. Intragroup subcontractors providing ICT services are treated as third-party service providers and the same requirements apply to them as to external subcontractors;
- be able to monitor the entire ICT subcontracting chain for critical or important functions. The RTS cover the entire life cycle of contractual arrangements with ICT third-party service providers, including planning, ongoing service delivery, monitoring, auditing, and exit strategies. Financial entities must assess whether they as well as the respective ICT third-party service providers and their subcontractors have sufficient resources and appropriate organisational structures to effectively monitor subcontracted ICT services;
- assess the extent of subcontracting needs that are to be set out in the written contract between the financial institution and the ICT provider, including where chains of subcontractors are involved. This assessment must be reviewed when there are material changes to the contract. Financial entities must be informed of any material changes to subcontracting arrangements with a notice period sufficient to assess the impact on risks. If such changes exceed the financial entity’s risk tolerance, they have the right to terminate the contract with the ICT third-party service provider;
- consider how and when the financial entity can terminate the contract on the basis of material changes by the ICT provider. The RTS provide financial entities with termination rights in specific circumstances related to material changes in subcontracting arrangements. These rights are designed to ensure that financial entities can exit arrangements that no longer meet their risk management requirements without incurring penalties; and
- be aware of how the DORA Subcontracting RTS’ specific requirements impact the overall DORA compliance responsibility of the financial entity.
The draft RTS were previously subject to public consultation which was published on 27 November 2023 and which closed on 4 March 2024. Responses highlighted concerns about proportionality, monitoring responsibilities, requirements imposed on ICT third-party service providers, termination rights, and transition periods. The ESAs have considered these comments and made amendments where appropriate to clarify and adjust the drafting. The changes between the draft and the final DORA Subcontracting RTS include:
- greater focus on a continuous monitoring requirement to identify all sources of ICT risk. The revised document emphasises the need for financial entities to continuously monitor ICT services and identify all sources of ICT risk. The revised text includes specific criteria for assessing the complexity and risk of subcontracting arrangements, such as the type of ICT services, the length of the subcontracting chain, and the location of data processing and storage;
- insertion of a more defined proportionality principle by specifically stating that “Financial entities vary widely in their size, structure, and internal organisation and in the nature and complexity of their activities. It is therefore necessary to take into account that diversity while imposing certain fundamental regulatory requirements which are appropriate for all financial entities when developing the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions and to ensure that those requirements are applied in a manner that is proportionate”;
- greater flexibility in determining the best method for conducting due diligence and risk assessments by stating that financial entities “…should identify the most appropriate way to perform the due diligence on the subcontractors and risk assessment directly by themselves or indirectly through their ICT third-party service providers, considering the specificities of the contractual arrangements and having regard of their final responsibility stemming from…” DORA;
- inserting an ICT intra-group subcontractors clause subjecting them to the same standards as non-intra-group subcontractors, in stating: “ICT intra-group subcontractors providing ICT services supporting critical or important functions or material parts thereof, including those fully or collectively owned by financial entities within the same institutional protection scheme, where applicable, should be considered as ICT subcontractors. In accordance with [DORA], the requirements applicable for the use of intra-group subcontracting are the same as those applicable to non-intra-group subcontracting, regardless of the differences that may exist in the risks posed in both cases”;
- inserting a group policy consistency requirement by clarifying that when “belonging to a group, the parent undertaking of financial entities should ensure that the policy on the use of ICT subcontractors providing ICT services supporting critical or important functions or material part thereof by ICT third party providers is applied in a consistent and coherent way within the group”; and
- clarifying allocation of subcontractor monitoring responsibilities between ICT third-party service providers and financial entities and balancing of rights on the provision of information. The draft RTS required financial entities to assess risks along the entire ICT subcontracting chain. The revised document specifies that financial entities must focus on subcontractors that effectively underpin the provision of ICT services supporting critical or important functions. The revised text introduces a risk-based approach, allowing financial entities to focus on subcontractors providing critical or important functions or material parts thereof.
The now final version of the DORA Subcontracting RTS will enter into force on the twentieth day following publication in the Official Journal of the EU. Given the granularity of the rules and supervisory expectations set out in this RTS and others published to give effect to the DORA Oversight Framework as well as the anticipated operations of the JETs.
Key considerations and challenges for firms
The DORA Subcontracting RTS have a direct practical impact on financial entities. They must thoroughly assess risks associated with subcontracting during the pre-contractual phase, including due diligence processes. The size, risk profile, nature, scale and complexity of their services and operations must be considered in this assessment.
Financial entities must be capable of monitoring the entire ICT subcontracting chain for critical or important functions. This covers the entire lifecycle of contractual arrangements with ICT third-party service providers, including planning, ongoing service delivery, monitoring, auditing and exit strategies.
Given the above, financial entities will want to ensure that they observe the following principles with respect to:
- Enhanced due diligence: firms need to thoroughly investigate ICT third-party service providers, evaluating any subcontracting agreements and arrangements and any associated risks. Financial entities must ensure sound governance arrangements, including risk management and internal controls, with regard to the use of ICT subcontractors to provide ICT services supporting critical or important functions, and must consider whether it is feasible to exercise a veto over changes in subcontracting arrangements and the potential impact of doing so on ICT third-party service providers’ business models;
- Contractual obligations: to ensure compliance with regulations, firms must incorporate precise clauses pertaining to subcontracting conditions (including regulatory requirements beyond “just” DORA, such as audit rights, step-in rights and insourcing rights) in their contracts with ICT third-party service providers. Financial entities must be informed of any material changes to subcontracting arrangements with a notice period sufficient to assess the impact on risks, and they should have the right to terminate contracts with ICT third-party service providers without incurring penalties if such changes exceed their risk tolerance. This may be a sticking point in negotiations throughout (sub-)contracting chains;
- Risk management framework: firms’ entire ICT risk management framework must incorporate the evaluation and management of ICT subcontracting risks;
- Monitoring and oversight: in order to ensure compliance and risk minimisation, firms need to set up systems to monitor and supervise the ICT (sub-)contracting chain for critical functions. Accordingly, in relation to the above, financial entities will need to centralise this information to be able to act upon it as part of counterparty and contractual lifecycle management; and
- Resource allocation: financial entities must ensure that they and their ICT third-party service providers and, where appropriate, the ICT subcontractors have sufficient resources, including expertise and adequate financial, human and technical resources, ICT security arrangements, and an appropriate organisational structure to effectively monitor the subcontracted ICT services.
The DORA Subcontracting RTS present both challenges and opportunities for financial entities in the EU. By adhering to these standards, entities can not only comply with regulatory expectations but also strengthen their operational resilience against ICT-related disruptions. It is imperative for financial entities to thoroughly understand these requirements and integrate them into their operational practices to maintain robust digital operational resilience.
While the entry into force date remains the same, the final version of the DORA Subcontracting RTS, when compared to the preceding draft, has an added emphasis on the timely implementation and documentation of the planned timeline for compliance. That being said, a transition period is introduced, suggesting flexibility to enable market participants sufficient time to comply with the final requirements. It is proposed to define an additional time period, preferably one year after DORA enters into force, for existing arrangements to comply with the defined risk management requirements.
Outlook and next steps
The adoption of the DORA Subcontracting RTS represents a significant step towards enhancing and operationalising digital operational resilience in the EU financial sector. By establishing clear guidelines for financial entities when subcontracting ICT services supporting critical or important functions, the RTS aim to mitigate risks associated with such arrangements and ensure that financial entities can effectively manage their third-party ICT risks.
The harmonised approach across Member States aims to contribute to a more resilient financial system capable of withstanding ICT-related disruptions. While the RTS are jurisdiction agnostic, jurisdiction and governing-law specifics along (sub-)contracting chains remain ever more important to address early on, in particular given DORA’s fast-approaching compliance deadline.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures and to create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary. The inventory has version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.