knowledge 10 March 2025 |

ESAs Opinion paves the way for the European Commission’s adoption of the Subcontracting RTS

On 21 January, the European Commission notified the Chair of the Joint Committee of the the ESAs of its rejection of the draft Subcontracting Regulatory Technical Standards (RTS) which was submitted to the European Commission last summer. The draft Subcontracting RTS set out further details on the specific requirements relating to the subcontracting of ICT services supporting a financial entity’s critical or important functions. Article 5 proposed various subcontracting conditions to be included in the contract between the financial entity and the ICT service provider. The European Commission, however, rejected the draft RTS on the basis that the provisions in Article 5 relating to the monitoring of the subcontracting chain were not within the scope of the ESAs mandate, as set out in Article 30(5) of DORA, as they introduce requirements that are not specifically linked to the conditions for subcontracting. In the rejection letter, the Commission stated that Article 5 (and the related recital 5) would need to be removed in order for the Commission to adopt the RTS.

In an Opinion published by the ESAs on 7 March, the ESAs have taken on board the European Commission’s suggested amendments and state that the ESAs do not propose any amendments to the suggested changes. The Opinion notes that the amendments proposed ensure that the draft RTS is in line with the ESAs mandate set out under DORA. The Opinion adds, for further background, that financial entities are expected to adhere to the provisions on subcontractors provided for in the fourth paragraph of Article 29(2) of DORA and Article 3(6) of the ITS on the Register of Information:

• Article 29(2) (fourth paragraph) of DORA - This provision requires financial entities to assess whether and how potentially long or complex subcontracting chains of subcontracting may impact on their ability to fully monitor the contracted functions that support their critical or important functions and the ability of the competent authority to effectively supervise the financial entity in that respect.
• Article 3(6) of the ITS on the Register of Information – Through the direct ICT third-party service provider, financial entities are to ensure that all of the subcontractors, who are engaged by the direct ICT third-party service provider to underpin its provision of ICT services supporting CIFs  and are included in the financial entity’s Register of Information, use a valid and active LEI or provide their EUID (or both, if available) (with the exception of subcontractors who are sole traders).

In the ESAs press release for the Opinion, the ESAs encourage the European Commission to finalise its adoption of the RTS without further delay. As a result of the Opinion, financial entities and ICT service providers who updated their ICT services contracts to reflect the draft RTS that was submitted last Summer may wish to revisit any monitoring and oversight provisions related to the subcontracting chain.

How can we help?

For more information or assistance with DORA, please contact one of the key contacts below or your usual contact in McCann FitzGerald LLP.