European Insurance and Occupational Pensions Authority


I have consulted the final version of the second batch of technical standards for DORA. I'm able to match mandate articles in each case, except for article 30.5. This one used to point to "JC 2023 67 - CP on draft RTS subcontracting" but I can't see a final version of this document in the release of July 17, nor any related info: https://www.eiopa.europa.eu/publications/second-batch-policy-products-u… Is its release postponed (for when in that case)? Or is it accepted as-is, without modification?

Could you please provide examples or specifications on authenticity concepts/methods under DORA?

Does the reference in Art. 30 para. 3 (c) DORA on “the provision of services by the financial entity in line with its regulatory framework” relate to the services the financial entity provides to its customers (e.g. the policy holders in case of an insurance undertaking)?

How is “on an ongoing basis” defined (Article 3 No. 21 DORA)?

Art. 8 III DORA: Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT-supported business functions, information assets or ICT assets. What does DORA understand by "major changes"? What are the criteria for major changes?

Is our understanding correct, that an ICT-service only “supports” a critical or important function if it is material and not only helpful for the critical or important function?

Is our understanding correct, that DORA does not apply to contracts with service providers who do not primarily contain ICT-services but rely themselves heavily on ICT services by subcontractors?

Does DORA apply to contracts that do not primarily contain ICT services but include very limited ICT service elements as a minor part? Will the contractual agreement be treated as “supporting a critical or important function” in case the non-ICT part supports a critical or important function while the minor ICT part does not/is not relevant?

When it comes to specific requirements concerning ICT third-party risk management under DORA, reference is regularly made to (core) business activities, e.g. Art. 28 I lit. a. The definition of ICT services (Art. 3 No. 21), however, is broad, as emphasized in recitals 35 and 63. In the light of DORA objectives, is DORA to be interpreted to the effect that only those ICT services are included that are related to the core business activities of the financial undertaking and can therefore have a significant impact on the operational business in the event of a failure?