On March 24 2025, the European Commission (EC) adopted the final draft Delegated Regulation setting out Regulatory Technical Standards (RTS) for subcontracting ICT services supporting critical or important functions under the Digital Operational Resilience Act (DORA). This follows an opinion issued by the European Supervisory Authorities (ESAs), as previously reported in our DP update of March 20 2025, and if the European Parliament or the Council of the EU raise no objections, the draft RTS will come into effect on the 20th day following its publication in the Official Journal of the European Union.
The RTS is a delegated regulation intended to supplement DORA. The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors, and ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers. Indirect reliance on ICT subcontractors may have an impact on risk. Therefore, the RTS specifies the conditions and the criteria to be taken into account by financial entities in relation to the subcontracting of ICT services supporting critical or important functions by the financial entity's ICT third-party service providers.
Key provisions of the RTS include:
- Overall risk profile and complexity: financial entities must consider their own size, overall risk profile and the nature, scale and elements of increased or reduced complexity of their services, activities and operations when subcontracting the ICT services. A non-exhaustive list of elements to consider is specified including, amongst others, location of subcontractor, nature of data shared, concentration of services with a single subcontractor and potential impact of disruption.
- Group application: in a group context, the parent undertaking providing the consolidated or sub-consolidated financial statements for the group is responsible for ensuring that the conditions for subcontracting the use of the ICT services are consistently and adequately applied across all financial entities within the group.
- Due diligence and risk assessment: before entering into a contractual arrangement with an ICT third-party service provider, the financial entity must decide whether it may subcontract an ICT service that supports critical or important functions (or a material part of the same). The financial entity may only enter into a contractual arrangement with the ICT third-party service provider if the financial entity has carried out an assessment to determine whether certain conditions are met. For example, regarding: subcontractor diligence and identification by the ICT third-party service provider; access, inspection and audit rights (for the financial entity and regulators); contractual support to meet the financial entity's regulatory requirements; monitoring of ICT risks at subcontractor level by the financial entity and the ICT third-party service provider and implementing risk mitigation; assessment of the impact of subcontractor failure on the financial entity; and assessment of location and ICT concentration risk by the financial entity. Additionally, financial entities are required to periodically carry out risk assessments to account for changes in the business environment and ICT threats. Subcontracting ICT services supporting critical or important functions does not limit the financial entity's final responsibility to comply with its DORA obligations.
- Conditions for subcontracting and contractual requirements: the contractual arrangement between the financial entity and the ICT third-party service provider must specify which ICT services that support critical or important functions (or a material part of the same) are capable of being subcontracted and under what conditions. For example, regarding: ICT third-party service provider responsibility for subcontractor service provision and continuity of service throughout the subcontracting chain; monitoring; location risk assessment; data storage location; the obligation to flow down business contingency and security requirements; access, inspection and audit rights; material changes in subcontracting arrangements; and termination.
- Material changes to subcontracting: ICT third-party service providers are required to inform financial entities of any intended material changes well in advance to allow the financial entity to assess the impact on risks and contractual obligations. Financial entities have the right to approve or object to the changes within a reasonable notice period.
- Termination rights: financial entities have the right to terminate the contract with the ICT third-party service provider under specific circumstances. These include unapproved material changes to subcontracting arrangements or unauthorized subcontracting of ICT services supporting critical or important functions (or a material part of the same).
The draft RTS is available here and the ESAs' opinion is available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.