Skip to main content
Logo
European Insurance and Occupational Pensions Authority
 

3450 - DORA 272

Q&A

Question ID: 3450 - DORA 272

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: ICT risk management (DORA)

Article: Art. 6(10) REGULATION (EU) 2022/2554 [DORA] and Art. 28(3) Delegated Regulation EU 2024/1774 [RTS (S)RMF]

Status: Final

Date of submission: 03 Nov 2025

Question

Why are the outsourcing requirements of Article 28(3) RTS (S)RMF concerning the simplified ICT risk management framework (Art. 16 DORA) more stringent than those of the regular ICT risk management framework? Would an alignment of Art. 6(10) DORA and Art. 28(3) RTS (S)RMF concerning this point be feasible?

Background of the question

We were surprised to notice the difference between the wording in Art. 6(10) DORA vs. Art. 28(3) RTS (S)RMF. In particular, because the wording in the RTS for the simplified framework is more restrictive compared to the one in DORA for the regular framework (“outsource the tasks of verifying compliance with ICT risk management requirements to ICT intra-group or ICT third-party service providers” [RTS (S)RMF] vs. “outsource the tasks of verifying compliance with ICT risk management requirements to intra-group or external undertakings” [DORA]).

EIOPA answer

The rationale of the simplified ICT risk management framework is to create lighter requirements that are proportionate to financial entities that are smaller and that offer less complex services (DORA Recital 42). There is no intention to create a specific regime for the entities subject to the simplified framework when it comes to potential use of third-party providers for the tasks of verifying compliance with DORA ICT risk management requirements.


Therefore, there is no practical difference between both provisions for the financial entities that use the simplified ICT risk management framework, they can apply DORA Art. 6(10) to comply with Art. 28(3) of the Commission Delegated Regulation (EU) 2024/1774.


In any case, the assessment of compliance with ICT risk management requirements necessitates a certain level of ICT expertise; therefore, it is expected that financial entities consider this when envisaging to contract with third parties, whether intra-group or external third-party providers.