ESAs confirm no further changes to DORA RTS

The European Supervisory Authorities (ESAs) have agreed with the amendments made by the European Commission to the Digital Operational Resilience Act (DORA) regulatory technical standards (RTS). This means no further modifications will be made, providing regulatory certainty for financial institutions as they prepare for DORA’s implementation.
The originally proposed rules suggested that financial institutions and other financial services actors impacted by DORA would be responsible for monitoring the operational resilience arrangements not only of the IT service providers they contract with, but of the entire supply chain of companies that, in turn, provide services to those contracted vendors.
The European Commission (EC) rejected that part of the proposal, but the ESAs had to accept the revised (and simplified) rules that the EC had developed. The bottom line: somewhat less burden for regulated entities and their vendors. In practical terms, however, the impact on vendors is likely to be relatively minimal—since, if vendors are to ensure the resilient operation of the software and services they provide to their financial services clients, they must themselves seek to enhance the systems and controls in place within their own critical sub-contracted vendor ecosystem. And so on. The contract landscape is, to say the least, complicated!
Read the full announcement from the ESAs here.