DORA: Subcontracting RTS Adopted
DORA: The European Commission adopted the Subcontracting RTS on 24 March; however, financial entities should note that they will still need to assess the subcontracting chain.
On 24 March 2025, the European Commission adopted the DORA Subcontracting Regulatory Technical Standards (“Subcontracting RTS”). The draft Subcontracting RTS, which was submitted by the European Supervisory Authorities (ESAs) to the European Commission for adoption in July 2024, proposed various subcontracting provisions that in-scope financial entities would need to include in their contracts with ICT third-party providers supporting their critical or important functions (“CIFs”). Responses to the ESAs’ public consultation on the draft Subcontracting RTS showed that there were concerns about the practicality of the subcontracting provisions, and that many considered that requiring financial entities to monitor the entire ICT subcontracting chain imposed an unreasonable and disproportionate burden on financial entities and ICT third-party providers. The draft Subcontracting RTS was ultimately rejected by the European Commission.
Subcontracting RTS’ Journey
As discussed in our briefing, the European Commission rejected the draft Subcontracting RTS on the basis that the provisions relating to the monitoring of the subcontracting chain were not within the scope of the ESAs’ mandate set out in Article 30(5) of DORA. In particular, the European Commission stated that Article 5 of the draft RTS “go[es] beyond the empowerment given to the ESAs by Article 30(5) of DORA as introducing requirements not specifically linked to the conditions for subcontracting”. The Commission stated that it would adopt the draft RTS if Article 5 (and its related recital 5) were removed.
On 7 March, the ESAs issued an Opinion in which they acknowledged that the European Commission’s suggested amendments would bring the RTS in line with their mandate set out in Article 30(5), and they did not propose any further changes. The ESAs urged the Commission to adopt the Subcontracting RTS without further delay.
Adoption of the Subcontracting RTS
The Subcontracting RTS, as adopted by the European Commission, has removed Article 5. As a result, certain subcontracting provisions envisaged by the draft RTS are not mandatory to include in a financial entity’s contract with an ICT third-party service provider supporting its CIFs, including the following:
- Identifying the subcontracting chain - The written contract does not need to include obligations on the ICT third-party service provider to: (i) identify the chain of ICT service providers supporting CIFs; or (ii) require that the subcontracting chain, as identified in the contract, remains up to date to enable the financial entity to maintain and update its Register of Information.
- Monitoring - The written contract is not required to include obligations on the ICT third-party service provider to ensure that the financial entity has effective monitoring rights of the contracted ICT services (although there are other requirements regarding monitoring that are set out in Article 4).
- Documentation - The contract is not required to include elements to enable the financial entity to obtain information from the ICT third-party service provider on the contractual documentation in place between the ICT third-party service provider and its subcontractors supporting CIFs and on relevant key performance indicators.
It is positive that the RTS, as adopted, pares back some of the subcontracting provisions that must be included in a contract between the financial entity and the ICT third-party service provider, and distances the financial entity somewhat from direct involvement with the subcontractor. However, it is important to note that the financial entity’s contract with the ICT third-party service provider must still specify various subcontracting conditions, including those set out in Article 4 of the RTS. Also, the financial entity has not been entirely distanced from the subcontractor, which is evident from the extensive pre-contract due diligence that must be carried out on the subcontracting chain under Article 3 of the Subcontracting RTS. Additionally, paragraph 4 of Article 29(2) of DORA requires the financial entity to assess whether a potentially long or complex subcontracting chain impacts its ability to monitor the ICT services or the ability of the competent authority to effectively supervise the financial entity.
How can we help?
For more information or assistance with DORA, please contact one of the key contacts below or your usual contact in McCann FitzGerald LLP.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.