On July 26, 2024, the European Supervisory Authorities (ESAs) issued the final draft Regulatory Technical Standards (RTS) concerning subcontracting under the Digital Operational Resilience Act (DORA).
This represents one of the most crucial RTS connected to DORA and should be carefully analyzed by both financial entities and ICT service providers.
The provisions of DORA on subcontracting
DORA mandates specific contractual provisions for financial entities engaging ICT third-party service providers (ICT TPPs). These include the obligation for financial entities to specify whether subcontracting of ICT services supporting critical functions is permitted and under what conditions. The RTS further clarifies the conditions under which subcontracting should be authorized and provides several additional requirements that should be duly taken into account.
Initially published in December 2023, the draft RTS underwent substantial feedback during the consultation period and some key changes were made in response to industry concerns.
Key highlights of the Final Draft of the DORA RTS regarding subcontracting
The key changes made by the ESAs following the public consultations are the following:
- supply chain: more focus has been given to the supply chain as a whole and to the conditions that should apply to all subcontractors throughout the chain.
- contractual agreements: the provisions and elements that must be included in the contractual agreements between financial entities and ICT service providers are now defined in greater detail and appear throughout the RTS. In this regard, a new article clarifies that "Changes relative to contractual agreements […] made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible".
- timely remediation: the ESAs emphasized that there will be no transitional period for compliance with the RTS. Financial entities are expected to implement necessary changes to their contractual agreements by the enforcement date of DORA (January 17, 2025).
An overview of the RTS structure
The final draft RTS is structured to cover three main subcontracting phases: (i) pre-contractual (involving risk assessments and due diligence); (ii) contractual; and (iii) termination.
(i) pre-contractual phase
The RTS requires the financial entities to duly evaluate and identify the overall risk profile and complexities of the ICT services before authorizing subcontracting. Factors that financial entities should consider include the type and location of ICT services, length of subcontractor chains, data handling, regulatory oversight, and the impact of disruptions on service continuity.
Additionally, financial entities are required to evaluate each individual subcontractor through a due diligence process whose elements are listed in Article 3. This aims to ensure that final responsibility remains vested in the financial entity.
Focus is also given to the group application of the Regulation. Particularly, parent companies must ensure consistent implementation of subcontracting conditions across all group entities regarding ICT services supporting critical functions.
(ii) contractual phase
Once the pre-contractual assessments have been completed, the financial entity can authorize the subcontract, provided that the conditions listed in Articles 4, 5 and 6 of the RTS are met.
Particularly, if the ICT service provider is not willing to accept the conditions set out by the RTS and include the mandated elements in its agreement with the financial entity, the latter should not authorize subcontracting. These elements include clear responsibilities, monitoring obligations, risk assessments of subcontractors, continuity planning, security standards, and audit rights.
Notably, the RTS also requires the financial entity to obtain from the ICT service provider the rights to review and propose changes to the terms and conditions of subcontracting (particularly when major changes in these terms occur). Also, the right to audit the subcontractor directly should be obtained.
These elements are expected to be highly debated and negotiated between the financial entities and ICT service providers, also considering that subcontracting chains may be significantly long and complex. Careful and accurate clause drafting is, therefore, essential.
(iii) termination phase
Article 7 sets out three additional rights to termination that the financial entity should obtain for its agreements with ICT service providers.
In particular, the financial entity should be able to terminate the agreement with the ICT service provider if material changes to the subcontracting agreements have been implemented despite the objection of the financial entity (or before the relevant notice period has expired). Also, in line with DORA, a termination right should be granted to the financial entity in the event of unauthorized subcontracting by the ICT service provider.
Addressing feedback and future considerations
While the aim of the RTS is understandable, stakeholders have raised concerns over the practicality of monitoring and controlling entire subcontracting chains as well as the feasibility of obtaining all rights mandated by the RTS when negotiating with ICT service providers.
All these concerns are now under the lens of the European Commission which has received this RTS for its review and adoption.
While waiting for the final version, financial entities are urged to promptly familiarize themselves with the RTS and integrate its provisions in their DORA implementation process.
On the same topic, you can read the article "DORA Regulation into force: new cybersecurity obligations for banks, insurance companies and financial institutions".
Authors: Edoardo Bardelli, Alessandra Faranda