Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplements Regulation (EU) 2022/2554 (DORA) by establishing regulatory technical standards that specify the detailed content required in policies governing contractual arrangements for ICT services supporting critical or important functions provided by third-party service providers. The regulation mandates that financial entities develop comprehensive policies addressing the entire lifecycle of such contracts, including risk assessment, due diligence, governance arrangements, and management of conflicts of interest. It sets out requirements for clear contractual clauses to ensure data security, operational continuity, and regulatory compliance, as well as robust monitoring and annual reviews of ICT service providers. The regulation also requires the inclusion of exit strategies to manage potential disruptions or terminations of contracts, thereby strengthening operational resilience and cybersecurity across the EU financial sector.
Publication's URL
https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/engAdditional documents on this topic
- EU Commission Delegated Regulation 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
- EU Commission Delegated Regulation 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- EU Regulation 2022/2554 Digital Operational Resilience Act (DORA)
- EU Commission Implementing Regulation 2025/302 of 23 October 2024 laying down implementing technical standards for the application of Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to the standard forms, templates, and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat
- EU Commission Delegated Regulation 2025/301 of 23 October 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats