ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA

The requirements set out in the outsourcing rules (such as the EBA and ESMA (cloud) outsourcing guidelines) and in DORA show many similarities, but there are key differences.

Both the outsourcing rules and DORA set out requirements for arrangements with third-party service providers, and those in DORA take inspiration from the outsourcing. However, the obligations in DORA focus on all digital and data services provided on an ongoing (i.e. not one-off) basis via ICT systems and are not limited to ICT services that qualify as outsourcing. The outsourcing rules pertain to all outsourcing arrangements, whether or not these are ICT-related. Furthermore, the requirements to implement in respect of third-party service providers are more detailed than those currently found in outsourcing rules.

Our DORA team has compiled a comparison of the EBA and ESMA (cloud) outsourcing guidelines and the DORA provisions in the context of the relationship with third-party service providers that can be used for the implementation of the DORA provisions in respect of third-party service providers. It has been updated to reflect the latest RTS/ITS developments.

Would you like to receive the full ‘Comparison – ESMA outsourcing guidelines, EBA outsourcing guidelines & DORA’ overview? Please contact Max Mohrmann.

Related articles

AIFMD II enters into force - the implementation period has started

Counting down to DORA – governance of ICT risks and board member responsibility

NautaDutilh intensifies AI collaboration with Fledger

DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance

NautaDutilh assists Buckaroo on partnership with ABN AMRO

NautaDutilh IP team maintains strong standing in WTR 1000 2024

Counting down to DORA – Mapping and classification of ICT services

Privacy & data in the Benelux: five things you need to know in 2024

NautaDutilh advises the Bellon family on the spin-off of Pluxee from Sodexo and its listing on Euronext Paris

NautaDutilh advises a.s.r. on its sale of Knab to BAWAG

EU Listing Act: simplified rules for stock exchange listings, especially for SMEs

Benelux Competition Law in 2024: five things you need to know

Technology and the law in 2024: five things you need to know

Counting down to DORA – three key aspects

Strict liability regime in case of enforcement of invalid IP rights can be 'appropriate'

NautaDutilh assists Woningborg into partnership with French mutual insurer SMABTP

NautaDutilh assists ABN AMRO with launch of EU Emission Allowances trading service

EU AI Act: three key insights on the world's first comprehensive AI law

Comparison - ESMA outsourcing guidelines, EBA outsourcing guidelines & DORA

The Chambers Technology & Outsourcing guide 2023

Q&AI: What financial institutions need to consider when using AI

NautaDutilh assists ING with setting-up a new insurance distribution partnership with Allianz-Direct

The Foreign Direct Investment Regimes Guide 2024

NautaDutilh assists TCS in expanding its partnership with Athora

Life Sciences challenges and opportunities in Europe and the USA: key insights

Luxembourg FDI screening mechanism enters into force

A new era in patent litigation: five things to know about the start of the UPC

Update Luxembourg law on business licenses: three key insights

NautaDutilh contributes to The Legal 500 AI Comparative Guide

Third parties can intervene in BDPA proceedings and appeal its decisions

The twin transition of the financial sector: eight key insights

The law on the use of digital tools and processes in company law in force in Luxembourg

The competition dynamics in relation to cloud services

NautaDutilh assists founding shareholders of Route Mobile in selling majority stake to Proximus

Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows

NautaDutilh writes Netherlands chapter of the Global Legal Insights on AI, Machine Learning and Big Data 2023

NautaDutilh named Benelux Trademark Firm of the Year at the 2023 Managing IP Awards

The law on the use of digital tools and processes in company law

Luxembourg: introduction of national FDI screening mechanism

Upcoming EU legislation on artificial intelligence

NautaDutilh Luxembourg ranked in Chambers FinTech 2023

NautaDutilh advises on Achmea Bank joining MUNT Hypotheken platform

Sara Gerling in the Paperjam on the Double Luxco

Best practices for drafting and updating data protection notices

NautaDutilh assists Bluestar Alliance in Scotch & Soda acquisition

EU Foreign Subsidies Regulation (FSR): five things you need to know

Using ChatGPT and other generative AI tools: risks and challenges

The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR

Benelux Competition Law in 2023: five things you need to know

Data Protection in Belgium: the 2023 focus of the BDPA

The data vault - How to securely exchange personal data between end-users, platforms, and device manufacturers in the metaverse - Part two

The end-user and its avatar - data integrity risks and ethical challenges in the metaverse - Part one

Basic banking service for businesses in Belgium: (almost) operational

NautaDutilh contributes to IAPP's Global Legislative Predictions 2023

NautaDutilh advises ABN AMRO on tokenised securities

Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023

Benelux Technology Law in 2023: five things you need to know

CJEU decision extending the scope of article 5(1) of the Damages Directive

UPC update: extension Sunrise Period, judicial appointments and more

GDPR & AML: no longer public access to UBO data without legitimate interest

A low degree of similarity?

No longer public access to UBO data without legitimate interest

Digital Markets Regulation: now a reality in the EU

DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector

Vincent Wellens on FATCA in the Paperjam

DORA the EU Regulation

NautaDutilh contributes to Technology Disputes Guide by Lexology

The Unified Patent Court: five things you need to know

Privacy and security concerns in the metaverse

Paying a tribute is not dishonest

Luxembourg first member state to launch a certification mechanism under the GDPR

European Data Protection Board harmonises EU fining guidelines

New GDPR guidelines on fines on the way

Sara Gerling in the Luxembourg Times on securitisation

Data protection impact assessments new EDPS recommendations

Heavy fines for Belgian airports for using thermal imaging cameras – what are the lessons for the other controllers?

Revamped CSSF outsourcing guidance for the financial sector

IFLR1000 recognises eight NautaDutilh partners as Women Leaders for 2022

20 years of NautaDutilh Luxembourg