EU’s outsourcing, ICT security guidelines to ‘co-exist’ with DORA

The existing outsourcing and Information and Communications Technology (ICT) security guidelines created by the European Union (EU) will work with the Digital Operational Resilience Act (DORA).
According to a European Commission spokesperson, the guidelines would not be “repealed.” However, some parts will need to be amended or deleted to reflect DORA’s requirements.
The spokesperson added that DORA will set out “a number of mandates for the three ESAs to develop [regulatory technical standards (RTS) and implementing technical standards (ITS)] which would base the future delegated and implementing acts in the area of ICT risk in finance.”
Several pieces of legislation and guidelines reflect the operational resilience requirements in EU financial services. These requirements are set out by different European agencies and cover outsourcing, the use of cloud providers specifically, and ICT and security risk management.
DORA aims to establish a single set of strengthened, overarching rules for financial entities around ICT risk management.
DORA also envisages direct regulation of significant technology providers to financial entities for the first time, under a framework that would allow ESAs to designate specific ICT third-party service providers as subject to regulation and oversee their compliance.