Article 44

International cooperation


TL;DR The Digital Operations Resilience Act from the EU outlines an agreement to cooperate with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk. This agreement also seeks to develop best practices for the review of risk management practices and controls and mitigation measures in the financial sector. Every five years, the ESAs shall submit a joint confidential report to the European Parliament, Council and Commission, summarising the findings of their relevant discussions with the third countries, focusing on the evolution of ICT third-party risk and its implications to the financial sector.
  1. Without prejudice to Article 36, EBA, ESMA and EIOPA may, in accordance with Article 33 of Regulations (EU) No 1093/2010, (EU) No 1095/2010 and (EU) No 1094/2010, respectively, conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation on ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements across different financial sectors, in particular by developing best practices for the review of ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management practices and controls, mitigation measures and incident responses.

  2. The ESAsEuropean Supervisory Authority shall, through the Joint Committeethe committee referred to in Article 54 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010, submit every five years a joint confidential report to the European Parliament, to the Council and to the Commission, summarising the findings of relevant discussions held with the third countries’ authorities referred to in paragraph 1, focusing on the evolution of ICT third-party riskan ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements and the implications for financial stability, market integrity, investor protection and the functioning of the internal market.