The Digital Operational Resilience Act (DORA) sets out detailed requirements for incident reporting, information and communication technology (ICT) risk management, subcontracting, and threat-led penetration testing, among other areas. Market participants continue to make progress towards compliance with DORA, which will become applicable on 17 January 2025.
However, Level 2 work (technical standards) has yet to be finalised. Various pieces, including regulatory technical standards on subcontracting and implementing technical standards on the Register of Information, remain outstanding.
In this note, FIA shares its position with the European Commission and the European Supervisory Authorities on the requirements for subcontracting ICT services under DORA.
In particular, FIA emphasises the need for a proportionate and risk-based approach to supply chain risk management, one based on the materiality of the service rather than on the subcontractor's rank in the chain. This would ensure that financial entities are able to focus on, and continue to monitor, material risk across the entire supply chain.
Read the position note here.