The ESAs have published the second set of consultations on RTS, ITS and guidelines under the EU Digital Operational Resilience Act (DORA). These relate to threat-led penetration testing (TLPT); subcontracting of critical or important functions; and ICT-related incident reporting (among other things). The deadline for comments is 4 March 2024, with the legal instruments expected to be finalised and submitted to the European Commission in July 2024. One of the key RTS for firms' DORA projects is the RTS on subcontracting: it will need to be taken into account in DORA projects, and its provisions "uplifted" into firms' contracts with their ICT third-party providers.
Key takeaways
- The draft RTS on subcontracting cover the whole life cycle of contractual arrangements with ICT third-party service providers, covering: the planning phase of the use of subcontracted ICT services (including due diligence processes); ongoing service delivery; and monitoring and auditing. Intragroup subcontracting is treated the same as external subcontracting.
- The draft RTS on TLPT seek to mirror the TIBER-EU framework as far as possible, but depart from it in some respects, setting out requirements for the control team at firms and requirements for other employees. The draft RTS include a proportionality principle under which only financial entities deemed systemically important and mature enough will be required to perform a TLPT.
- The draft RTS on incident reporting under DORA are influenced by existing guidelines, such as those under PSD2. They also seek to align as much as possible with requirements under NIS2. They cover: the content of the reports for major ICT-related incidents; and the time limits for filing an initial notification, an intermediate report and a final report for each major incident. They also cover the content of the notification for significant cyber threats.
RTS on subcontracting of critical or important functions
The RTS provide further detail on determining when subcontracting ICT services supporting critical or important functions can be performed, focusing on ICT services supporting critical or important functions or material parts of them provided by ICT subcontractors. The RTS cover the whole life cycle of contractual arrangements with ICT third-party service providers.
This is important as many firms in the market rely on subcontracting, either via their direct ICT third party service providers or via a group entity.
Any firm's DORA project that is:
- currently looking at contractual term uplifts with its ICT service providers will have to take into account the provisions of this RTS in its contracts with its ICT third-party providers; and
- updating policies and procedures should establish a risk management policy and procedures framework that takes into account the risk considerations in subcontracting to ICT third-party providers.
Main points
- Intragroup ICT subcontracting should not be treated differently from subcontracting outside of the group. This is important as many firms rely on a group entity to contract with ICT service providers on behalf of other group entities. The EU parent undertaking/the parent undertaking in a Member State charged with providing the consolidated/sub-consolidated financial statements for the group is to ensure consistent and adequate implementation in subsidiaries.
- A firm is to decide whether an ICT service supporting critical or important functions can be subcontracted by an ICT third-party service provider only after having assessed the elements set out in the RTS. These elements include: adequacy of the due diligence processes implemented by the ICT third-party service provider for selecting prospective ICT subcontractors to provide the ICT services; ability of the ICT third-party service provider to inform and involve the financial entity in the decision-making related to subcontracting when relevant and appropriate; replication of relevant contractual arrangements between the financial entity and the ICT third-party service provider in the subcontracting arrangements between the ICT third-party service provider and its subcontractor; resources of the firm for monitoring and oversight of the ICT service that has been subcontracted (i.e. abilities, expertise, financial, human and technical resources, appropriate information security standards, and appropriate organisational structure); ICT concentration risks at entity level; and obstacles to the exercise of audit, information and access rights.
- For each ICT service eligible for subcontracting, the written contractual agreement is to contain: a requirement for the ICT third-party service provider to monitor all subcontracted ICT services supporting a critical or important function to ensure that its contractual obligations with the financial entity are continuously met; the monitoring and reporting obligations of the ICT third-party service provider towards the financial entity; location and ownership of data processed or stored by the subcontractor, where relevant; termination rights; and access rights.
RTS on TLPT
DORA requires certain financial entities to perform advanced testing by means of TLPT every 3 years. DORA requires the relevant RTS for the TLPT to take account of the TIBER-EU framework, the European framework for threat intelligence-based ethical red-teaming. Only financial entities deemed systemically important and meeting a high level of ICT maturity will be required to perform a TLPT. The RTS take into account group structures and the systemic nature of the entity at the national or EU level when deciding whether an entity should be subject to a TLPT. The RTS provide details on the relevant stages and scope of the TLPT, as well as the relevant documentation.
Major incident reporting
Many firms are already subject to a number of regulatory and legislative requirements in relation to incident reporting. The ESAs aim for the requirements of the RTS and ITS to be consistent with NIS2 as much as possible in terms of timelines, and to take account of other incident reporting frameworks (such as those issued by ENISA under NIS1, as well as the revised EBA Guidelines on major incident reporting under PSD2). The draft RTS cover: general reporting requirements and timelines; the content of major incident notifications and reports; and notifications of significant cyber threats. The draft ITS cover: format and templates for reporting major incidents and significant cyber threats; and reporting requirements.
Other consultations
The ESAs also issued consultation papers covering the following:
- RTS on harmonisation under DORA: These RTS seek to promote harmonisation of requirements and efficient oversight conditions over EU critical third-party service providers, financial entities, and supervisory authorities, so as to prevent legislative fragmentation. Areas covered include: information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical; and the information to be submitted by ICT third-party service providers that is necessary for the lead overseer to carry out its duties.
- Guidelines on aggregated costs and losses from major ICT-related incidents: These provide further detail on the estimation of aggregated annual costs and losses caused by major ICT-related incidents.
- Draft joint guidelines on oversight cooperation and information exchange between the ESAs and the competent authorities under DORA: These draft guidelines cover the cooperation and information exchanges between the ESAs and competent authorities.