EU Strengthens DORA with Delegated Regulation on ICT Subcontracting

The European Commission has recently introduced a significant Delegated Regulation to supplement Regulation 2022/2554 (DORA), enhancing digital operational resilience within the financial sector. This Delegated Regulation creates a new framework for financial institutions to follow when subcontracting ICT services that support critical or important functions, reflecting growing recognition of cybersecurity risks in an increasingly digitized financial environment.

The Delegated Regulation establishes several key requirements. Articles 1 and 2 focus on proportionality and group application, underscoring that financial entities must adapt their compliance efforts based on size, complexity, and the specific nature of their respective ICT services. Article 3 mandates thorough due diligence, requiring institutions to conduct risk assessments before engaging any subcontractors. They must evaluate potential vulnerabilities, ensuring that subcontracting aligns with the financial institution’s broader resilience strategies.

Article 4 sets out the conditions under which ICT services supporting critical or important functions may be subcontracted. For instance, the regulation stipulates that such arrangements must not increase systemic risk or threaten the continuity of services crucial to financial stability. Articles 5 and 6 then address material changes to subcontracting arrangements and the conditions for terminating contracts, so that financial entities retain control over the integrity of their ICT supply chain and are not caught unprepared by disruptions to it.

This Regulation will enter into force 20 days after its publication in the Official Journal of the EU and marks a critical milestone in Europe’s cybersecurity governance. Legally, it aligns with the EU’s broader digital strategy, complementing various directives, particularly the EU Cybersecurity Act and the General Data Protection Regulation (GDPR), by ensuring accountability and resilience against potential ICT failures or data breaches. It holds financial institutions to strict auditing and operational standards, reducing risks stemming from subcontracted ICT services.

Ethically, the regulation embodies principles of transparency and responsibility. By requiring due diligence and risk assessments, the Delegated Regulation ensures that financial entities not only protect their clients but also maintain trust in the financial ecosystem. For example, if a financial institution outsources significant ICT functions to a third party without sufficient risk analysis and a data breach occurs, both the institution and its clients could face detrimental impacts.

Industry implications are far-reaching. Financial institutions will need to enhance their internal processes to adequately assess risks posed by subcontractors. This could drive demand for third-party auditing firms specialized in ICT resilience. Additionally, tech providers offering critical ICT services to financial entities will likely need to restructure their own compliance mechanisms to align with DORA’s standards. A major financial institution, for example, subcontracting cloud computing services, will need to document that the chosen provider complies with these new risk protocols.

Increased compliance costs are a foreseeable consequence, particularly for smaller financial entities or startups, but the long-term benefits—less disruption, greater trust in financial infrastructure, and mitigated systemic risks—arguably outweigh the short-term adjustments. Ultimately, the Delegated Regulation not only advances operational resilience but also acts as a safeguard amid the growing complexity of the financial sector’s ICT landscape.
