RTS on ICT Third-Party Policy
Commission Delegated Regulation (EU) 2024/1773 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
Abstract
Regulatory Technical Standards under DORA specifying the detailed requirements for policies governing contractual arrangements with ICT third-party service providers supporting critical or important functions, including governance, risk assessment, due diligence, contractual clauses, monitoring, and exit strategies.
Key Takeaways
- Requires financial entities to establish, and review at least annually, a formal policy governing the use of ICT services supporting critical or important functions that are provided by ICT third-party service providers.
- Defines lifecycle requirements for contractual arrangements, including planning, risk assessment, due diligence, implementation, monitoring, and exit strategies.
- Specifies governance expectations, including management body responsibility, reporting lines, and internal roles for oversight of these ICT third-party arrangements.
- Mandates detailed due diligence and risk assessment of ICT third-party providers, including operational, legal, ICT, concentration, and data-location risks.
- Requires contractual clauses ensuring audit rights, access to data, supervision by authorities, performance monitoring, and realistic exit plans.