8 September 2023 | Statements and Position Papers
On 8 September 2023, ALFI responded to European Supervisory Authorities’ (ESAs) consultation paper on DORA draft regulatory technical standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554.
On Monday 19 June, the ESAs launched a public consultation on the first batch of policy products under the Digital Operational Resilience Act (DORA). This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). Article 28(2) of Regulation (EU) 2022/2554 requires from financial entities that they adopt and regularly review, as part of their ICT risk management framework, a strategy on ICT third-party risk. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. The ESAs are mandated to develop jointly draft regulatory technical standards to further specify the detailed content of this policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
The draft RTS sets out requirements for the policy of financial entities on their use of ICT third-party service providers, including ICT intragroup providers and concerns all ICT services provided by them that support critical or important function. The RTS applies to all such ICT services and is not limited to outsourcing arrangements.
View the ALFI response.