Less than one week after the Digital Operational Resilience Act (DORA) came into full force in the EU, the Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) issued a letter to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs) rejecting the draft regulatory technical standards (RTS) submitted earlier in July.
Collectively, the ESAs (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) are responsible for developing the RTS to ensure consistent application of DORA across EU member states. DG FISMA is the branch of the European Commission tasked with ensuring financial stability, market integrity, and the implementation of EU financial policies.
DG FISMA rejected the draft RTS, noting that certain sections, particularly Article 5, exceeded DORA’s legislative requirements. Article 5 mandates financial entities to identify and maintain an up-to-date record of the entire chain of subcontractor dependencies for Information and Communications Technology (ICT) vendors, a requirement deemed overly broad and burdensome. DG FISMA recommended the removal of Article 5 and related recitals to align the RTS with DORA’s mandate.
The rejection has created legal uncertainty across the EU. Financial entities and ICT service providers that have already implemented the draft RTS in their contractual arrangements are now in a difficult position, as amendments to these contracts may be required in the near future. Firms are now facing a longer wait before they can finalize their contracts to reflect DORA’s requirements, even though the legislation is already in effect, increasing the risk of non-compliance.
Next Steps:
The ESAs have a six-week period from the date of DG FISMA’s letter (January 21) to amend the draft RTS in accordance with the feedback provided by the European Commission, particularly addressing concerns that certain provisions exceeded their mandate.
Upon completing the revisions, the ESAs are required to resubmit the amended draft RTS to the European Commission for approval. Should the Commission accept the revised RTS, it will then be forwarded to the European Parliament and the Council for scrutiny. Assuming no objections arise, the RTS will be published in the Official Journal of the European Union and will take effect 20 days thereafter.
In the event that the ESAs do not submit an amended draft within the six-week timeframe, or if the revisions fail to meet the Commission’s requirements, the Commission may either adopt the RTS with its own amendments or reject it entirely. The six-week revision period, ending on March 4, together with the subsequent procedural steps, could extend the finalization and adoption of the RTS into the second quarter of 2025. This timeline depends on the ESAs submitting their revisions on time and on no further objections arising during the approval process.
Supply Chain Risk
Supply chain risk management is well advanced in other regulated industries. In the pharmaceutical sector for example, supply chain integrity is key to ensuring product safety and efficacy. Regulations mandate stringent controls over the sourcing, manufacturing, and distribution processes. For instance, the U.S. Drug Supply Chain Security Act (DSCSA) requires the establishment of electronic systems to trace prescription medications throughout the supply chain, aiming to prevent counterfeit drugs from entering the market.
Many RegTech vendors already cite global standards for their cloud-based software as a service (SaaS) solutions. Among the most frequently cited standards is SOC 2, which evaluates controls related to security, availability, processing integrity, confidentiality, and privacy.
Similarly, ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), providing a systematic approach to managing sensitive information securely.
ISO 28000:2022 is designed for the supply chain and is applicable to organizations of all types and sizes, regardless of industry, providing a comprehensive framework for improving security management systems.
It remains to be seen how supply chain risk will be regulated across the EU under DORA.