- Question ID: 2024_7098
- Legal act: Regulation (EU) No 2022/2554 (DORA Reg)
- Topic: ICT third-party risk management
- Article: 28
- Paragraph: 3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: /
- Type of submitter: Credit institution
- Subject matter: Scope of Register of Information for Contractual Arrangements on the use of ICT Services Provided by ICT Third-party Service Providers
- Question: According to Article 28(3) of DORA, must an EU parent bank, which has subsidiaries both within and outside the EU, maintain the register of information regarding all contractual arrangements for the use of ICT services only for subsidiaries that are subject to DORA (financial entities established in the EU), or does this requirement extend to subsidiaries established outside the EU to which DORA does not apply?
- Background on the question: Article 28(3) of DORA requires financial entities, as part of their ICT risk management framework, to maintain and update a register of information regarding all contractual arrangements for the use of ICT services provided by ICT third-party service providers at the entity level, and at sub-consolidated and consolidated levels. The bank seeks clarification on whether the EU parent bank must maintain this register only for subsidiaries based in the EU that are subject to DORA, or also for subsidiaries based outside the EU to which DORA does not apply.
  If the parent bank were required to maintain the register for subsidiaries based outside the EU, it would face several challenges. These include increased administrative burden and complexity in managing compliance across different regulatory regimes. In these non-EU countries, ICT service providers are not bound by DORA, which adds another layer of complexity.
- Submission date
- Status: Question under review
- Answer prepared by: Answer prepared by the Joint ESAs Q&A