The European Commission rejects the RTS on subcontracting under DORA

On 21 January 2025, the European Commission sent a letter to the Chair of the Joint Committee of the European Supervisory Authorities (ESAs) rejecting the draft Regulatory Technical Standards (RTS) on subcontracting ICT services supporting critical or important ICT functions (RTS on Subcontracting)[1].

The draft RTS on Subcontracting sets out the specific requirements relating to the subcontracting of ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers.  These requirements include: (i) the requirement for financial entities to assess the risks associated with subcontracting during the precontractual phase and to carry out the due diligence process;  (ii) the requirements regarding the implementation, monitoring and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof; and (iii) the requirements to be addressed in contractual arrangements with ICT third-party service providers regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereto.

Article 5 of the draft RTS requires financial entities to monitor the ICT risk that may arise in relation to its use of ICT services provided by subcontractors providing ICT services supporting critical or important functions, “in particular those that effectively underpin the provision of ICT services supporting critical or important functions or material parts thereof”.  Further, the draft RTS expressly permits financial entities to, “where appropriate, rely on information provided by the ICT third-party service provider” in conducting the monitoring of the sub contractual chain.

The European Commission outlined that it has decided to reject the draft RTs on Subcontracting outright on the basis that Article 5 of the draft RTS contains requirements which “go beyond the empowerment given to the ESAs by Article 30(5) of DORA”. In the letter the Commission sates that it rejects the draft RTS “on mainly one specific aspect, namely that the content of the provisions relating to the monitoring of the subcontracting chain is not within the scope of the mandate set out in Article 30(5) of DORA. The Commission therefore considers that Article 5 and the related recital 5 are to be removed from the draft RTS to ensure its compliance with the mandate”.

The ESAs have been afforded a six week period in which they can elect to address the concerns raised by the European Commission and to resubmit a revised draft of the RTs on Subcontracting to the Commission.

Footnotes:
[1] Final report on Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554 (JC 2024 53) of 26 July 2024