Question ID: 3450 - DORA 272
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT risk management (DORA)
Article: Art. 6(10) REGULATION (EU) 2022/2554 [DORA] and Art. 28(3) Delegated Regulation EU 2024/1774 [RTS (S)RMF]
Status: Final
Date of submission: 03 Nov 2025
Question
Why are the outsourcing requirements of Article 28(3) RTS (S)RMF concerning the simplified ICT risk management framework (Art. 16 DORA) more stringent than those of the regular ICT risk management framework? Would an alignment of Art. 6(10) DORA and Art. 28(3) RTS (S)RMF concerning this point be feasible?
Background of the question
We were surprised to notice the difference between the wording in Art. 6(10) DORA vs. Art. 28(3) RTS (S)RMF. In particular, because the wording in the RTS for the simplified framework is more restrictive compared to the one in DORA for the regular framework (“outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers” [RTS (S)RMF] vs. “outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external undertakings” [DORA]).
EIOPA answer
The rationale of the simplified ICT risk management framework is to create lighter requirements that are proportionate to financial entities that are smaller and that offer less complex services (DORA Recital 42). There is no intention to create a specific regime for the entities subject to the simplified framework when it comes to potential use of third-party providers for the tasks of verifying compliance with DORA ICT risk management requirements.
Therefore, there is no practical difference between both provisions for the financial entities that use the simplified ICT risk management framework, they can apply DORA Art. 6(10) to comply with Art. 28(3) of the Commission Delegated Regulation (EU) 2024/1774.
In any case, the assessment of compliance with ICT risk management requirements necessitates a certain level of ICT expertise; therefore, it is expected that financial entities consider this when envisaging to contract with third parties, whether intra-group or external third-party providers.