I am a partner in the Tech Transaction team and Co-Head of our International Financial Services Sector Group, based in London. I advise clients on disruptive digital technology adoption including cloud computing, AI, blockchain, agile software development and open source licensing, with a particular focus on FinTech.
I am a senior financial services regulatory specialist with a particular focus on advising firms who are digitally transforming the way financial services are being delivered.
I am a senior counsel in the Commercial Group in Warsaw. I focus on major IT and commercial projects and transactions, as well as developing my dispute resolution practice. I also advise on financial sector regulatory issues relating to pan-European payments and fintech projects, including outsourcing and cloud computing.
As described in our previous article (see here), regulatory technical standards (RTS) are issued by the European Supervisory Authorities (ESAs) and are intended to set out in more detail, and/or expand upon, some of DORA's requirements.
Recently, the ESAs published a final report, dated 26 July 2024, on the draft RTS on subcontracting ICT services supporting critical or important functions (Final Draft RTS). It provides further clarity on what the EU-regulated financial entities listed in Article 2(1) of DORA ("financial entities") need to do in order to satisfy Article 30(2)(a) of DORA.
Article 30(2)(a) of DORA requires the contractual arrangement between a financial entity and an ICT third party service provider to include:
a clear and complete description of all functions and ICT services to be provided; and
an indication of whether subcontracting of an ICT service supporting a critical or important function (or material parts thereof) is permitted and, if so, the conditions applying to such subcontracting.
The Final Draft RTS covers the requirements financial entities must apply at the pre-contract phase to assess the risks associated with subcontracting (see Article 3 of the Final Draft RTS) and the requirements relating to what the financial entity needs to include in its agreement with the ICT third party service provider (see Articles 4-7 of the Final Draft RTS). The Final Draft RTS still needs to go to the European Commission for adoption, but its text is unlikely to change materially.
In light of this, clients are already updating their contracts to take account of the Final Draft RTS (in particular, Articles 4-7), so it is important that in-house lawyers at both financial entities and ICT third party service providers are aware of its content.
It should be noted that, of the seven RTS published, the Final Draft RTS and the RTS specifying the detailed content of the policy on contractual arrangements for the use of ICT services supporting critical or important functions provided by ICT third party service providers (which we discuss here) are the two most important for financial entities to consider when deciding what to include in their written agreements with ICT third party service providers.
Key takeaways on the Final Draft RTS
The Final Draft RTS was drafted taking into account the EBA Guidelines on outsourcing arrangements (see here) (the EBA Guidelines).
This is helpful, as some of the requirements in the Final Draft RTS are similar to requirements in the EBA Guidelines and so should not come as a surprise to many financial entities (to the extent they also need to comply with the EBA Guidelines).
Intragroup ICT subcontracting (where an ICT service supporting a critical or important function is subcontracted to another company in the financial entity's group) should not be treated differently from subcontracting outside the group. This means intragroup subcontracting arrangements need to be managed just as carefully.
Financial entities should focus on those subcontractors that effectively underpin the ICT service supporting critical or important functions, including all subcontractors providing ICT services whose disruption would impair the security or continuity of the service.
Regulatory requirements imposed on financial entities in respect of subcontracting ICT services supporting critical or important functions need to be applied in a proportionate manner. This reinforces the proportionality principle we discussed in a previous article.
When a financial entity permits ICT third party service providers to subcontract ICT services supporting critical or important functions, it cannot do so in a way that reduces its ultimate responsibility for managing its risks and for complying with legislation and regulatory obligations. This is consistent with the position under, for example, the EBA Guidelines: you cannot outsource your regulatory compliance obligations.
When subcontracting ICT services supporting critical or important functions is permitted, financial entities must undertake pre-contractual due diligence and an assessment of the risks associated with subcontracting, and must be able to properly monitor and manage those risks thereafter.
Financial entities must also set out in their contracts with ICT third party service providers certain provisions on the conditions under which the ICT third party service provider may use subcontractors, including the approval process for new subcontracting arrangements and for material changes to existing ones. This is elaborated in the Final Draft RTS, in particular in Articles 4-7. See further below.
Final Draft RTS (Articles 1-8)
The core of the Final Draft RTS is Articles 1-8.
Article 1 sets out the factors financial entities need to consider when assessing their overall risk profile and the nature, scale and elements of their services, activities and operations. The objective of this assessment is to decide how far the requirements of the Final Draft RTS need to be applied.
Article 2 requires that, where a financial entity belongs to a consolidated group, the parent undertaking ensures that the conditions for subcontracting ICT services are implemented consistently across all financial entities in the group.
Article 3
Article 3 relates to pre-contractual due diligence.
Article 3 requires the financial entity, at the pre-contract stage, to have risk assessed the relevant ICT third party service provider's use of subcontractors to support the provision of ICT services supporting critical or important functions. The risk assessment combines activities the financial entity must ensure the ICT third party service provider has undertaken with obligations on the financial entity itself. The financial entity should consider what requirements to include in its agreement with the ICT third party service provider (for example, obligations relating to the monitoring of subcontractors) to ensure such risk assessments are adequate. In particular:
Robust due diligence regime: the ICT third party service provider must have sufficiently robust due diligence processes to assess the financial and operational ability of relevant subcontractors to provide the ICT services supporting the critical or important function, including their ability to participate in digital operational resilience testing. Financial entities need to consider whether there are any information rights or other measures (e.g. rights of audit) they require from the ICT third party service provider to assist in carrying out this due diligence.
Visibility of all subcontractors in the subcontracting chain: the ICT third party service provider needs to be able to identify and notify the financial entity of any subcontractors in the chain of subcontracting providing ICT services supporting critical or important functions or material parts thereof.
Monitoring: the ICT third party service provider needs to have the ability, expertise and resources to properly monitor its subcontractors, and the financial entity must likewise have the ability, expertise and resources to monitor the subcontracted ICT service supporting critical or important functions (or material parts thereof) and, where possible and appropriate, the relevant subcontractor.
Article 4
Financial entities must, in the written agreement, identify which ICT services supporting critical or important functions are eligible for subcontracting and under which conditions. Where subcontracting is permissible, the written agreement must include the provisions set out in Article 4(1)(a)-(k).
Some of these requirements are best practice and should be included in any well-drafted contract; others align with the EBA Guidelines. For example:
Article 4(1)(a): the ICT third party service provider remains responsible for the services provided by the subcontractor. This is the type of provision we would expect to see in any well-drafted agreement.
Article 4(1)(b): the ICT third party service provider is required to monitor all subcontracted ICT services supporting a critical or important function or material parts thereof to ensure that its contractual obligations with the financial entity are continuously met. This is an example of a provision that closely aligns with EBA Guideline requirements.
However, some requirements are likely to cause issues for ICT third party service providers. For example:
Article 4(1)(e): the ICT third party service provider is required to specify the location of data processed or stored by the subcontractor (where relevant). Whilst this is similar to a provision in the EBA Guidelines, many ICT third party service providers will be unable to provide details of all possible processing locations, especially if they use global cloud service providers as subcontractors, who may not agree to commit to the ICT third party service provider that processing will be confined to a particular region. Financial entities should therefore consider whether, taking a risk-based and proportionate approach, the level of detail the ICT third party service provider can provide (which, for example, could be limited to the server locations of its subcontractors) is sufficient.
Article 4(1)(i): this requires the ICT third party service provider to ensure that its subcontractors grant the financial entity (and the relevant competent and resolution authorities) the same rights of access, inspection and audit referred to in Article 30(3)(e) of DORA as the ICT third party service provider itself grants to the financial entity (and those authorities). This is similar to the EBA Guidelines but is problematic for ICT third party service providers to comply with, especially where, for example, they use subcontractors to host data for a cloud service on a "one-to-many" basis. ICT third party service providers often push back on this, or agree only to use "reasonable endeavours" to procure that such subcontractors grant the same rights of access, inspection and audit as the ICT third party service provider grants to the financial entity.
Article 5
When permitting subcontracting of ICT services supporting a critical or important function, financial entities must ensure that the written agreement with the ICT third party service provider covers the points set out in Article 5(1), such as details of the chain of ICT subcontractors supporting critical or important functions.
Article 5 also sets out various other provisions to be included in the written agreement that require the ICT third party service provider to assist the financial entity in monitoring the use of subcontractors.
Article 6
Article 6 sets out requirements to include in the written agreement with the ICT third party service provider where there is a material change to subcontracting arrangements relating to ICT services supporting a critical or important function. The requirements are set out in Article 6(1)-(3) and are similar to the requirements set out in the EBA Guidelines relating to sub-outsourcing.
Article 7
Article 7 requires the financial entity to have a right to terminate the written agreement with the ICT third party service provider in the scenarios described in Article 7(1)(a)-(c):
when the ICT third party service provider implements a material change to subcontracting arrangements despite an objection, or a request for modification, from the financial entity;
when the ICT third party service provider implements a material change to subcontracting arrangements without the financial entity's explicit approval and before expiry of the notice period (set out in Article 6) that it must give the financial entity to allow it time to assess the impact of the change; and
when the ICT third party service provider subcontracts an ICT service supporting a critical or important function that the agreement does not explicitly permit to be subcontracted.
Next steps
We expect many financial entities to be reviewing the Final Draft RTS closely to ensure that any DORA addenda they create to amend existing contracts with ICT third party service providers take account of the requirements in Articles 4-7, which augment the requirements of Article 30(2)(a) of DORA.
ICT third party service providers, on the other hand, should prepare to provide their financial entity clients with the information and documentation needed to carry out due diligence and to enable effective monitoring of the subcontracting chain, as required by the Final Draft RTS. This may require not only identifying the relevant subcontractors, collecting information about them and providing access to relevant documentation, but also making changes to existing contractual arrangements with those subcontractors.