- Question ID: 2023_6950
- Legal act: Regulation (EU) No 2022/2554 (DORA)
- Topic: ICT risk management
- Article: 28
- Paragraph: 3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: 28(3)
- Type of submitter: Consultancy firm
- Subject matter: Request for Clarification on Article 28(3) of Regulation (EU) 2022/2554
- Question:
I am reaching out for clarification regarding a specific provision in the Digital Operational Resilience Act (DORA) – particularly the third paragraph of Article 28.
The provision in question stipulates: "As part of their ICT risk management framework, financial entities shall maintain, and keep updated at entity level as well as at sub-consolidated and consolidated levels, a register of information related to all contractual arrangements on the use of ICT services provided by third-party ICT service providers."
Similarly, DORA provides in its Article 28(2): "The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis".
Overall, how should we understand the phrases “where relevant” and “where applicable” in DORA and its policy products when addressing different levels of entities?
- We seek your confirmation on whether our client is really obligated to maintain both for its specific entity and at the group level:
  - The register of information related to all contractual arrangements on the use of ICT services provided by third-party ICT service providers.
  - The strategy on ICT third-party risk and (or?) the policy on the use of ICT services supporting critical or important functions.
- Could you also confirm that whenever the phrases "where relevant" and "where applicable" appear in the presence of a corporate group, the latter must each time implement the requirement at the level of the entity, at the sub-consolidated level and at the consolidated level?
- Background on the question:
At Thot-IT Solutions, we are currently advising a client on DORA compliance, specifically focusing on “Chapter V - Managing of ICT third-party risk”. Our client is part of a corporate group comprising two regulated entities. Our consultancy services are engaged with one of these entities, but not with the overarching group entity.
- Submission date:
- Rejected publishing date:
- Rationale for rejection:
This question has been rejected because the objective of the Q&A tool is not to answer questions that put into doubt the correctness of the legal framework, seek a modification of the legal framework or would require such a modification in order to address the question.
The Single Rule Book Q&A tool has been established to provide explanations and non-binding interpretations on questions relating to the practical application or implementation of the provisions of legislative acts referred to in Article 1(2) of the EBA’s founding Regulation, as well as associated delegated and implementing acts, and guidelines and recommendations, adopted under these legislative acts.
For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.
- Status: Rejected question