Final RTS on Subcontracting under DORA has been published

Background

The draft of the Delegated Regulation with regard to regulatory technical standards on subcontracting ICT services supporting critical or important functions (“RTS”) was submitted to the European Commission (“EC”) on 17 July 2024 (we covered it here).

The EC rejected the adoption of the RTS, giving reason that the provisions in Article 5 of the draft concerning the monitoring of subcontractors went beyond the empowerment given to the ESAs by Article 30(5) DORA. The EC recommended removing Article 5 and the related recital 5 to ensure its compliance with the mandate. Following this, the European Supervisory Authorities (EBA, EIOPA and ESMA – the “ESAs”) on 7 March 2025 issued an opinion on the EC’s rejection of the draft RTS, acknowledging the assessment performed by the EC and confirming that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. For this reason, the ESAs did not recommend further amendments to the RTS in addition to the ones proposed by the EC. and encouraged the EC to finalize the adoption of the RTS without further delay as submitted to the ESAs. Following this, on 24 March 2025 the EC adopted a respective draft RTS.

On 2 July 2025 the RTS was published in the Official Journal under the title Delegated Regulation (EU) 2025/532 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions, following its adoption by the European Commission on 24 March 2025. 

Key aspects of the RTS

In general, the RTS sets out the elements to be assessed by financial entities when subcontracting services that support critical or important functions or material parts thereof. The key aspects are: 

• the proportionality of the application of the rules: financial entities including those within the group, when specifying which elements a financial entity should determine and assess when subcontracting ICT services, shall take into account its size, overall risk profile and nature, scale, elements of increased or reduced complexity of the services, activities and operations including certain elements listed in article 1;
• due diligence and risk assessment: the RTS details the procedure for due diligence and risk assessment when entering into a contractual arrangement with an ICT TPSP; 
• conditions for subcontracting: the RTS sets out conditions under which ICT services supporting critical or important function can be subcontracted;
• conditions for material changes to subcontracting: the RTS addresses the conditions for handling of the subcontracting arrangements;
• termination of the contractual arrangements: the RTS sets out in which cases a financial entity may terminate the contractual arrangement. 

In the adopted version of the RTS the article 5 has been removed in essence meaning that certain subcontracting provisions are no longer mandatory to include in a financial entity’s contractual arrangement with an ICT third-party service provider (“ICT TPSP”) supporting the financial entity’s critical or important functions. In particular, it is not mandatory to

• identify the subcontractor supply chain in the contractual arrangement and include obligations requiring that the supply chain remains up-to-date over time to enable the financial entity to maintain and update its Register of Information,  
• include obligations on the ICT TPSP to ensure the financial entity’s monitoring rights (however, certain monitoring obligation are still in place, see article 4),  
• include obligations allowing the financial entity to obtain information from the ICT TPSP on contractual documentation between the ICT TPSP and its subcontractors providing ICT services supporting critical or important functions.  

The above allows financial entities to distance themselves to a certain extent from the supply chain, however, a number of obligations is still in place. 

Next Steps

The RTS enters into force on 22 July 2025.