European Insurance and Occupational Pensions Authority

DORA 205 - 3279

Q&A

Question ID: DORA 205 - 3279

Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)

Topic: ICT third-party risk management (DORA)

Article: 28(3)(5)

Status: Rejected

Date of submission: 04 Mar 2025

Question

Request for clarification regarding the scope of the term "any planned contractual arrangements related to the use of ICT services supporting critical or important functions", as referenced in Article 28(3) of Regulation (EU) 2022/2554 (DORA). In particular, I would appreciate clarification on the following points:

1. Does the obligation to report "any planned contractual arrangements" cover only new ICT service agreements, or does it also include changes to existing contracts and ICT services (e.g., contract amendments related to termination periods, exit plan, subcontractor changes, etc.)?

2. Must every contractual change be reported as a separate submission to the supervisory authority, or is it sufficient to record the change in the information register, which will be periodically submitted to the supervisory authority?

I would greatly appreciate your interpretation of this requirement and any reference to additional guidance that clarifies the regulatory intent in this matter.

EIOPA answer

The question has been rejected because the issue it deals with is already addressed in the regulatory text. The following bilateral answer, not to be published, is proposed:

The objective of DORA is to give competent authorities an accurate picture of the ICT risk landscape, especially regarding critical or important functions. The principle of proportionality and a risk-based approach should be applied, i.e. material contract changes that affect existing arrangements should also be considered and not only new contracts.

Without prejudice to supervisory practices, it is ultimately for the competent authorities to provide clarity to their supervised entities on what they expect in terms of notification requirements. In this context, the principle of proportionality and a risk-based approach should guide such expectations. As a general principle, material planned arrangements (e.g., new contracts or changes that render a function critical or important) would typically warrant timely notification, while routine or minor changes could be reflected in the register of information and submitted annually. However, the concrete application of these expectations remains within the remit of the competent authorities.