The European Banking Authority (EBA) has said it will review whether it needs to update its guidelines on outsourcing arrangements to address new requirements set out in the EU’s Digital Operational Resilience Act (DORA).
A spokesperson for the EBA told Out-Law that the body is in the process of checking for gaps between the DORA requirements and the guidelines on outsourcing arrangements that it produced for credit institutions, investment firms and payment institutions back in 2019.
“Since the Digital Operational Resilience Act, which applies from Jan 2025, introduces requirements to financial entities in relation to ICT services provided by third party providers, the EBA has started performing a gap analysis between the existing guidelines and the requirements introduced by DORA and its related technical standards and will review the guidelines on outsourcing arrangements,” the EBA said.
Confirmation of the EBA’s activities comes after the EU’s two other supervisory authorities for financial services, the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA), told Out-Law last week that they are actively reviewing how their existing cloud outsourcing guidance sits alongside the DORA requirements.
Out-Law asked EIOPA, ESMA and the EBA to articulate their positions after the European Central Bank (ECB) began consulting on proposed new cloud outsourcing guidelines of its own for banks in light of DORA.
DORA effectively codifies aspects of the existing guidelines and provides a single, harmonised EU rulebook for all financial entities pertaining to operational resilience and ICT-related risk. DORA was written into EU law in late 2022 but it does not apply until 17 January 2025.
The European Commission previously confirmed to Out-Law that the EBA, ESMA and EIOPA guidelines would “coexist” with DORA, despite the risk of duplication or inconsistency with DORA’s codified rules. It said at the time, however, that, “clearly, to ensure coherence with the new rules in DORA, some parts of the existing guidelines will have to be amended (or deleted)”. At that stage, there was nothing to indicate that the ECB would also deem it necessary to issue guidelines on cloud outsourcing related to DORA.