Following extensive consultations, a rejection, and amendments, the European Commission has finally published the long-awaited Regulatory Technical Standards ("RTS") on ICT subcontracting under the Digital Operational Resilience Act ("DORA"). This final adoption marks a significant milestone in the winding journey towards regulatory clarity for financial entities and their respective ICT third-party service providers.
As previously discussed in our earlier articles, the original draft RTS encountered substantial scrutiny, particularly regarding provisions on monitoring ICT subcontracting chains, ultimately leading to their rejection by the Commission (previously explored here). Subsequently, the European Supervisory Authorities issued an opinion endorsing amendments proposed by the Commission, confirming alignment with the original DORA mandate (further discussed here).
Those entities affected by DORA must now carefully examine these final provisions to ensure their contractual and operational compliance strategies are robust and aligned with the adopted standards.
The primary change involves the removal of Article 5 concerning direct monitoring of subcontracting chains by financial entities, coupled with some semantic clarifications. No significant alterations to key compliance timeframes or core responsibilities appear to have been made.
In line with its Article 7, the RTS will enter into force on 22 July 2025, twenty days following its publication in the Official Journal of the European Union on 2 July 2025.
For more information and assistance with regard to DORA, please contact us at info@gtg.com.mt.
Authors: Dr Terence Cassar and Dr JJ Galea.