What You Need to Know About ESAs’ Joint Final Report on DORA Subcontracting Standards

The Digital Operational Resilience Act (DORA) is a significant regulatory initiative aimed at enhancing the cyber and operational resilience of financial entities across the European Union (EU). The European Supervisory Authorities (ESAs), consisting of the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA), have jointly issued their final report on subcontracting standards under DORA. This blog will break down the key insights from the report, including its implications for financial institutions, the latest updates, and what stakeholders need to be aware of as DORA’s compliance deadlines approach. 

The Purpose and Scope of DORA 

DORA was introduced to establish a harmonized framework for managing ICT (Information and Communication Technology) risks across the financial sector. Given the increasing reliance on third-party service providers, including cloud service providers, DORA seeks to ensure that financial entities remain resilient even when outsourcing critical functions. 

The regulation applies to a broad range of financial entities, including banks, insurance companies, payment service providers, and investment firms. The joint ESAs’ report specifically focuses on subcontracting standards, which are crucial because many financial institutions rely on complex layers of subcontracting when outsourcing services. 

Key Elements of the ESAs’ Joint Final Report 

The final report provides detailed guidelines and standards on how financial entities should manage subcontracting risks under DORA. Here are some of the primary areas addressed: 

• Governance and Accountability: Financial entities are required to maintain clear governance structures, ensuring that subcontracting arrangements are well-documented and that responsibility for oversight is properly assigned. The report emphasizes the importance of board-level involvement in overseeing subcontracting practices and stresses that ultimate accountability should always remain with the outsourcing entity. 

• Due Diligence and Risk Management: The ESAs highlight the importance of thorough due diligence when selecting both primary service providers and their subcontractors. This includes assessing financial stability, operational capabilities, and the ability to meet regulatory requirements. Continuous monitoring of subcontracting arrangements is crucial, with specific attention to concentration risks and systemic dependencies. 

• Contractual Arrangements and Subcontracting Chains: The report outlines the expectations for contractual terms governing subcontracting arrangements. Financial entities are encouraged to negotiate clear terms regarding access, audit rights, and information-sharing provisions. A key focus is on the management of subcontracting chains, ensuring that entities have transparency and control over critical or important functions even when these are further subcontracted. 

• Exit Strategies and Continuity Planning: DORA mandates that financial institutions must have robust exit strategies and continuity plans in place for managing subcontracting disruptions. The ESAs stress that these strategies should be regularly tested and updated to reflect changing circumstances, such as the entry or exit of key subcontractors. 

• Incident Reporting and Management: Under DORA, financial institutions are required to have comprehensive processes for reporting incidents, including those originating from subcontractors. The ESAs’ report emphasizes the need for clear protocols and timelines for incident reporting, along with well-defined roles and responsibilities across all levels of the subcontracting chain. 

Latest Updates and Regulatory Timelines 

Since the initial publication of DORA, the ESAs have engaged in extensive consultations with stakeholders, including industry participants, regulatory bodies, and third-party service providers. The final report reflects the feedback received during these consultations, particularly regarding the practical challenges of managing complex subcontracting chains. 

As of the latest update, the European Commission has adopted DORA’s regulatory technical standards (RTS), including those related to subcontracting. Financial entities have until January 2025 to fully comply with these standards. However, given the intricacies involved in aligning with these requirements, financial institutions are advised to start preparations early, especially in areas like contractual renegotiations and enhancing their due diligence processes. 

Practical Implications for Financial Entities 

1. Enhanced Governance and Oversight: Firms will need to establish more rigorous oversight mechanisms for subcontracting arrangements. This includes not only monitoring direct relationships with service providers but also gaining visibility into subcontractors, which may require more sophisticated tools and processes. 
2. Contractual Revisions: With the ESAs’ emphasis on clear contractual terms, financial institutions may need to revisit and renegotiate existing contracts. Ensuring that contracts include robust provisions for audit rights, information sharing, and exit strategies will be critical. 
3. Operational Resilience: DORA’s focus on continuity planning and incident management will require financial entities to enhance their operational resilience frameworks. This may involve conducting scenario analyses, testing backup systems, and ensuring that subcontractors are integrated into incident response plans. 
4. Increased Compliance Costs: Compliance with DORA’s subcontracting standards is expected to increase operational costs, especially for smaller institutions. These costs will primarily stem from enhanced monitoring activities, the need for legal and consultancy support in revising contracts, and investments in technology to manage subcontracting risks effectively. 
5. Impact on Subcontractors: The ESAs’ report also indirectly impacts subcontractors, who will need to demonstrate that they can meet the enhanced standards expected by their financial clients. This could lead to higher demands for transparency, stricter compliance with service-level agreements (SLAs), and more frequent audits. 

Challenges and Industry Responses 

While the industry broadly supports the objectives of DORA, there are concerns about the practical implementation of subcontracting standards. The layered nature of subcontracting relationships in today’s financial ecosystem presents significant challenges in terms of transparency and control. Additionally, the need for constant updates and testing of continuity plans may place a substantial burden on resource-constrained institutions. 

In response, industry associations and financial entities are lobbying for more tailored guidance, especially for smaller firms that may struggle with the cost and complexity of compliance. Meanwhile, some larger institutions are investing in centralizing their third-party risk management functions to better align with DORA’s requirements. 

Conclusion

The ESAs’ joint final report on DORA subcontracting standards is a comprehensive guide to managing one of the most critical aspects of operational resilience in the financial sector. While the January 2025 deadline might seem distant, the complexity of aligning with these standards necessitates immediate action. Financial entities should focus on enhancing governance frameworks, revising contracts, and investing in technology solutions that provide end-to-end visibility over their subcontracting arrangements. 

By proactively addressing these areas, firms can not only ensure compliance but also strengthen their overall operational resilience in an increasingly interconnected financial ecosystem. With DORA setting the stage for a new era of digital resilience, the ESAs’ final report serves as an essential roadmap for navigating the challenges and opportunities ahead. 

Key Takeaways

• Start early: Preparation for DORA compliance should begin well ahead of the 2025 deadline. 

• Focus on transparency: Gaining visibility into subcontracting chains is essential for managing risks. 

• Invest in resilience: Robust continuity planning and incident management are central to complying with DORA’s subcontracting standards. 

• Review contracts: Ensure that all contractual arrangements align with the ESAs’ guidelines, particularly in terms of audit rights, information sharing, and exit strategies.