Global Trustee and Fiduciary Services Bite-Sized Issue 2 2025

DORA

EC Rejects Draft RTS for ICT Subcontracting Under DORA

On 31 January 2025, the European Commission (EC) published a letter (dated 21 January 2025) to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs), rejecting the draft Regulatory Technical Standards (RTS), submitted to the EC by the ESAs on 17 July 2024, on subcontracting ICT services supporting critical or important functions under the Digital Operational Resilience Act (DORA).

The EC notes that the draft RTS specifies the conditions and the criteria to be taken into account by financial entities when subcontracting ICT services supporting critical or important functions throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, financial entities are required to assess the risks associated with subcontracting during the precontractual phase, including the due diligence process. The EC also notes that the RTS includes requirements for the implementation and management of contractual arrangements on subcontracting, including conditions to ensure that financial entities monitor the subcontractors effectively underpinning the ICT services that support critical or important functions.

The EC considers that the requirements introduced by Article 5 of the draft RTS on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” go beyond the empowerment given to the ESAs by Article 30(5) of DORA as introducing requirements not specifically linked to the conditions for subcontracting.
Against this background, the EC states it rejects the draft RTS mainly on one specific aspect, namely that the content of the provisions relating to the monitoring of the subcontracting chain is not within the scope of the mandate set out in Article 30(5) of DORA. The EC says in its letter that it therefore considers that Article 5 and the related recital 5 are to be removed from the draft RTS to ensure its compliance with the mandate. The ESAs have a six-week period to amend the draft RTS and resubmit to the EC.

Finally, the EC says it will adopt the RTS submitted by the ESAs once the above-mentioned concerns are taken into account and the necessary modifications are made by the ESAs.

ESAs Publish Study on Feasibility of Further Centralisation of Major ICT-related Incident Reporting by Financial Entities

On 17 January 2025, the three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published a report on the feasibility for further centralisation in the reporting of major ICT-related incidents by financial entities according to Article 21 of the DORA.

In line with the DORA mandate, the ESAs’ joint report explores the potential for further centralisation regarding financial entities’ reporting of major ICT-related incidents to competent authorities. The ESAs say that the report assesses the feasibility of three different models: the baseline model, a model with enhanced data sharing arrangements and a fully centralised model. It considers the potential burden and cost reductions, as well as the efficiency and effectiveness gains that each model would bring for cross-sector supervisory practices.

The joint report has been submitted to the European Parliament, the European Council and the European Commission, which will consider its findings for potential future developments in relation to the further centralisation of major ICT-related incident reporting in the financial sector.
