Under the European Commission Delegated Regulation (EU) 2024/1773, suppliers of Information and Communication Technology (ICT) services to financial entities are subject to stringent obligations, particularly in relation to certifications, which are deemed a cornerstone in mitigating the risks associated with outsourcing key technological functions. This regulatory framework, part of the broader Digital Operational Resilience Act (DORA), underscores the critical importance of ensuring that financial institutions can maintain uninterrupted services, manage risks effectively, and adhere to regulatory requirements, even when they depend on external ICT providers.
The role of certifications in ensuring operational resilience
The regulation mandates that all ICT service providers engaged by financial institutions demonstrate comprehensive compliance with operational resilience frameworks and adherence to best practices. Certifications, in this context, are not merely administrative markers but are integral to verifying that these providers meet internationally recognized standards in areas such as information security, risk management, and business continuity. These certifications provide independent, third-party validation that an ICT provider's internal controls and procedures are robust, up-to-date, and capable of mitigating the broad spectrum of risks faced by financial entities, particularly in an increasingly digitalized and interconnected environment.
Why are certifications essential?
The necessity for such certifications derives from the overarching responsibility placed on financial institutions to maintain continuous service delivery, adequate risk management, and regulatory compliance — even when key services are outsourced to third parties. By outsourcing critical ICT functions, financial entities expose themselves to risks that are often outside their immediate control, such as cyberattacks, data breaches, or service disruptions. As such, the regulation insists on the need for certified ICT suppliers, whose ability to manage these risks has been rigorously assessed by independent certifying bodies.
The certification process itself serves as a safeguard, offering assurance that ICT providers have implemented the necessary risk controls to manage both internal vulnerabilities and external threats. This is particularly important given the increasing sophistication of cyber threats targeting the financial sector, where disruptions can lead to severe operational, reputational, and financial consequences.
Detailed obligations under the Regulation
Article 6 of the regulation establishes a comprehensive due diligence process that financial institutions must undertake before entering into agreements with ICT service providers. This process includes an in-depth assessment of the provider's certifications. Certifications must be issued by reputable third-party certifying bodies, and they must cover all aspects critical to the resilience of the services being provided, including data protection, incident response, and operational continuity.
The due diligence process evaluates whether the provider's certification portfolio adequately covers the financial institution's specific needs, ensuring that the certification scope matches the risks associated with the outsourced services. For example, a provider managing cloud storage for a bank must have certifications that validate its ability to protect sensitive financial data and ensure continuity of service even during a cyberattack or system failure.
In addition to the initial certification review, the regulation obligates financial institutions to continuously monitor the compliance and performance of ICT providers. This is where Article 9 plays a pivotal role, as it requires institutions to ensure that certifications remain valid, comprehensive, and aligned with the evolving risk landscape. Regular audits, independent assessments, and updated certifications must be integrated into ongoing risk management processes to safeguard against emerging threats.
Beyond certification: the need for continuous vigilance
While certifications provide an essential baseline of trust, the regulation explicitly states that they must not be relied upon as the sole measure of a provider's adequacy. Article 8 reinforces this by requiring financial institutions to supplement certifications with regular audits, inspections, and performance reviews. These additional steps are crucial because certifications, although essential, represent a snapshot in time. The dynamic nature of cyber risks and operational challenges means that a provider's security posture can evolve rapidly, making ongoing scrutiny imperative.
To this end, financial institutions must have the contractual right to conduct their own audits or employ third-party auditors to assess the ICT provider's compliance with key performance indicators (KPIs) and service level agreements (SLAs). Moreover, the regulation encourages the use of joint testing and penetration testing, particularly for critical ICT functions, to simulate and assess the provider's resilience under real-world conditions.
Certifications are therefore considered as part of a multi-layered risk management strategy, where proactive auditing, continuous monitoring, and contractual oversight are equally vital. Financial institutions are expected to be active participants in the risk management process, leveraging certifications as one of several tools to ensure that ICT providers meet the regulatory requirements for digital operational resilience.
Contractual and audit rights
A key aspect of ensuring compliance with certification requirements lies in the contractual obligations that financial institutions must include in their agreements with ICT providers. These contracts, governed by Article 8, must explicitly state the financial entity's right to request updated certifications and conduct independent audits to verify ongoing compliance. The regulation also emphasizes the right of financial institutions to terminate contracts or impose penalties if an ICT provider fails to maintain its certifications or comply with audit findings.
Moreover, the regulation allows for contractual flexibility in demanding ad-hoc audits whenever necessary, particularly when emerging risks or material changes in the ICT provider's operations are identified. This flexibility ensures that financial institutions can adapt their oversight mechanisms in response to the changing risk environment, ensuring that the certifications held by their ICT providers remain relevant and sufficient.
Deep dive on Articles 6 and 8: Due Diligence and Audits
Article 6 of the European Commission Delegated Regulation (EU) 2024/1773 provides a detailed framework for the due diligence process that financial institutions must implement prior to entering into any contractual arrangements with third-party ICT service providers. This due diligence is a critical safeguard designed to ensure that all risks related to outsourcing essential or important functions to ICT providers are thoroughly assessed and mitigated.
A central element of this process is the requirement for financial entities to evaluate the provider's possession of relevant third-party certifications. These certifications, issued by recognized independent bodies, serve as an essential external validation that the provider's internal controls, risk management practices, and cybersecurity measures meet or exceed the rigorous standards necessary for safeguarding the financial institution's operational resilience. Such certifications must be aligned with international or European standards, such as ISO 27001 for information security management or SOC 2 for service organization controls, ensuring a global benchmark of compliance.
This certification process provides objective assurance that the ICT provider's systems and processes are robust enough to manage the complex requirements of financial institutions, particularly in high-risk areas such as data protection, incident response, and operational continuity. Given the interconnected nature of financial services and the reliance on third-party providers, it is imperative that the ICT provider can support essential or important financial functions without jeopardizing the financial institution's integrity or exposing it to undue risks.
Certifications as part of a broader Governance Framework
However, Article 8 of the regulation makes it explicitly clear that certifications, while crucial, must not be the sole basis for determining the adequacy of a provider's controls and risk management systems. Financial institutions are required to supplement these certifications with additional layers of oversight. The regulation mandates that institutions conduct their own independent audits, inspections, and risk assessments to verify that the provider's controls are not only certified but are also effective in practice and reflect the actual operational conditions in which the provider operates.
This requirement addresses a key limitation of certifications: while they provide valuable insight into the provider's capacity to manage risks, they are often based on a point-in-time assessment and may not reflect changes in the operational environment or evolving cyber threats. Therefore, to ensure ongoing resilience, financial institutions must actively monitor and test the provider's systems, regularly updating their risk assessments in light of both certification reports and in-house audit findings. This multi-faceted approach ensures that certifications remain relevant and are complemented by a dynamic process of oversight, which is responsive to the ever-changing threat landscape.
Scope of certifications and key areas of focus
The scope of certifications required by the regulation covers all critical areas necessary for the effective provision of ICT services that support financial institutions' operations. Data protection is a key area of concern, particularly under the General Data Protection Regulation (GDPR), which mandates stringent safeguards for personal data. Any ICT provider that handles sensitive financial or customer data must hold certifications that verify its ability to protect such data from unauthorized access, breaches, or misuse.
Another critical area is incident response. Certifications must validate that the ICT provider has implemented robust incident detection, response, and recovery protocols. This includes the capacity to handle cyber incidents such as data breaches, denial-of-service attacks, and other disruptions that could impact the financial institution's services. Incident response certifications typically demonstrate the provider's ability to mitigate damage, recover from incidents swiftly, and ensure minimal impact on the financial institution's operations.
Equally important is continuity planning. Financial institutions must be assured that their ICT providers are prepared for operational disruptions, whether caused by cyberattacks, natural disasters, or internal system failures. Certifications in this domain assess the provider's disaster recovery plans, business continuity strategies, and the adequacy of redundancies within their infrastructure. These elements are crucial for ensuring that even in the event of a significant incident, the financial institution can maintain critical functions without unacceptable downtime.
Supplementing certifications with audits and inspections
Article 8 emphasizes the need for active oversight through regular audits, which go beyond certification assessments. Financial institutions are required to conduct thorough, hands-on audits and inspections of the ICT provider's systems, either independently or by utilizing external auditors. The purpose of these audits is to ensure that the certifications held by the provider are not only valid but also comprehensive enough to address any emerging risks or changes in the operational environment.
To maintain up-to-date validation, financial institutions are encouraged to conduct these audits at regular intervals and to cross-reference audit findings with certification reports. This dual approach helps in identifying gaps in compliance and in ensuring that the provider's controls remain fit for purpose over time. The regulation also permits financial institutions to include contractual clauses that guarantee the right to audit the provider's systems, request updates to certifications, and inspect facilities or operations, thereby giving the institution greater control over risk management.
Certifications must cover all key performance areas, including service availability, security controls, and compliance with legal and regulatory requirements. Financial institutions are expected to use the findings from these audits to inform their risk management strategies and update internal policies where necessary.
In conclusion, the due diligence process outlined in Articles 6 and 8 of the regulation is designed to mitigate risks associated with outsourcing ICT services by ensuring that certifications form only part of a broader, more dynamic governance framework. By combining the external validation of certifications with ongoing internal audits and contractual rights of inspection, financial institutions are better equipped to manage the complex and evolving risks that come with outsourcing critical ICT functions. This holistic approach ensures that ICT providers not only meet initial compliance standards but are also continuously evaluated to safeguard the financial institution's operational resilience and regulatory compliance in a fast-changing digital landscape.
Deep dive on Article 9: continuous monitoring
In the context of continuous monitoring, Article 9 of the European Commission Delegated Regulation (EU) 2024/1773 places ongoing obligations on financial institutions to ensure that their ICT providers consistently maintain compliance with the agreed-upon service levels and the certifications that form the basis of their service delivery. Continuous monitoring is not merely an operational requirement but a critical aspect of risk management, ensuring that the ICT providers not only achieve initial compliance but also sustain it throughout the lifecycle of their contracts.
Non-compliance, whether through failure to meet service levels, breaches of security, or lapses in certification, must be addressed promptly. The regulation mandates that financial institutions take immediate corrective measures, which are often predefined in the contractual agreements. These measures can include penalties, termination clauses, or demands for remediation plans. It is essential that financial institutions build penalties and corrective mechanisms into their contracts, thus ensuring that consequences are clear, enforceable, and proportional to the risks posed by non-compliance. For instance, if an ICT provider fails to renew a key certification or if an audit uncovers significant vulnerabilities, the financial institution must be able to swiftly demand corrective actions, such as improved controls, additional audits, or, in severe cases, contract termination.
The role of Independent Audits and enhanced scrutiny
Independent audits play a pivotal role in the regulation's continuous monitoring requirements. While certifications offer an external validation of an ICT provider's controls, these certifications must be supplemented by periodic independent audits to ensure ongoing compliance and to address any specific areas of concern that may arise during the provider's operation. Article 9 reinforces the financial institution's right to demand such audits, either through internal resources or third-party audit firms, which can provide an additional layer of scrutiny and objectivity. These audits are particularly vital in verifying that certification updates are comprehensive and aligned with the institution's operational and cybersecurity needs.
For ICT providers operating in high-risk environments, such as jurisdictions outside the European Union or in industries with elevated cybersecurity threats, the regulation stipulates that financial entities must go beyond standard certifications. Providers working in these environments may face greater exposure to cyber risks, data protection issues, and legal complexities. Therefore, financial institutions are obliged to ensure that the certifications held by such providers are robust enough to account for these elevated risks. This may involve additional certification requirements, more frequent audits, and a higher level of due diligence compared to providers operating within lower-risk environments. For instance, a cloud service provider hosting data in a non-EU country with differing legal frameworks may require certifications that specifically address cross-border data transfers, jurisdictional risks, and regulatory compliance under both EU and local laws.
Moreover, continuous evaluation of these certifications is necessary to confirm their adequacy in light of changing risk landscapes. The regulation explicitly calls for dynamic risk management, where financial institutions must adjust their oversight of ICT providers based on new risks, such as emerging cybersecurity threats, geopolitical changes, or shifts in regulatory frameworks. This ensures that certifications remain fit for purpose and that providers are held accountable for adapting their controls to reflect the most up-to-date security practices and resilience strategies.
A broader Governance Framework for operational resilience
The requirement for third-party certifications, as stipulated in Regulation (EU) 2024/1773, is not an isolated obligation but forms part of a comprehensive governance framework designed to ensure that ICT providers not only comply with the minimum regulatory standards but also play an active role in enhancing the operational resilience and cybersecurity posture of the financial sector. This governance framework encompasses rigorous oversight mechanisms, contractual obligations, and continuous monitoring, reinforcing the mutual accountability of both ICT providers and financial institutions in managing digital risks in an era of rapid technological change.
The dual reliance on certifications and proactive audits highlights a fundamental principle of the regulation: compliance is a continuous process, not a one-time achievement. Certifications provide the foundation, but ongoing oversight through independent audits ensures that providers remain aligned with the institution's evolving risk profile and the regulatory expectations. By requiring financial institutions to actively engage with their ICT providers, the regulation promotes a culture of accountability, where risks are shared and monitored collaboratively. This culture is essential in a sector where cyber risks are fluid, constantly evolving, and capable of disrupting not just individual institutions but the entire financial system.
Reinforcing Accountability in a rapidly evolving digital landscape
The combination of third-party certifications and strict oversight mechanisms ensures that both ICT providers and financial institutions remain accountable for managing digital risks. In a world where cyber threats are becoming more sophisticated and persistent, the regulation aims to instill a resilient operational framework that can withstand digital disruptions, cyberattacks, and systemic failures. The financial institution's right to demand audits, ensure certification compliance, and hold providers to high standards of performance and security reflects the regulation's focus on prevention and preparedness.
In this regard, the regulation does more than impose obligations on ICT providers; it actively encourages financial institutions to develop a proactive risk management approach. Rather than simply reacting to incidents after they occur, institutions are urged to maintain constant vigilance, anticipate potential vulnerabilities, and engage in ongoing dialogue with their ICT providers to ensure resilience and security at every level of the service delivery chain.
Ultimately, the requirement for continuous monitoring under Article 9 ensures that financial institutions are not passive recipients of ICT services but active participants in safeguarding their operational environment. By embedding continuous monitoring and independent audits into their governance framework, institutions can maintain control over outsourced functions while fostering a culture of risk management and accountability. This not only protects individual institutions but also contributes to the overall stability and security of the financial sector in an increasingly complex and interconnected digital landscape.
Conclusion
The European Commission Delegated Regulation (EU) 2024/1773 presents a comprehensive framework that enforces strict obligations on financial institutions and their ICT service providers to ensure operational resilience, cybersecurity, and compliance with evolving digital risks. By placing certifications at the core of the governance structure, the regulation offers a foundation for third-party validation, ensuring that ICT providers meet international and European standards for managing crucial technological functions. However, the regulation goes further by mandating continuous oversight, independent audits, and dynamic risk management, acknowledging that certifications alone are insufficient in an era where cyber threats are constantly evolving.
The regulation requires financial institutions to take an active role in monitoring their ICT providers, demanding up-to-date certifications, conducting frequent audits, and ensuring contractual rights to perform inspections and scrutiny. This proactive approach ensures that risks are managed collaboratively between financial institutions and their ICT partners, promoting accountability on both sides.
By combining rigorous due diligence, ongoing monitoring, and strong contractual enforcement, the regulation seeks to foster a culture where financial institutions are not just reliant on third-party services but are partners in managing digital resilience. This dual responsibility ensures that both financial entities and their ICT providers contribute to the long-term stability and security of the financial sector, helping safeguard against the growing sophistication and frequency of cyber threats.
In conclusion, Regulation (EU) 2024/1773 sets a clear pathway for financial institutions to secure their digital operations through a robust mix of certifications, independent verification, and dynamic governance, providing them with the tools to navigate an increasingly interconnected and high-risk digital environment with confidence. This integrated approach not only strengthens individual institutions but also enhances the overall resilience of the European financial system.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.