DORA Subcontracting RTS

As from the 17th January 2025, the Digital Operational Resilience Act (“DORA”) will become effective and will introduce various technology-risk-related obligations on financial entities. Pursuant thereto, on the 26th July 2024 the European Supervisory Authorities (the “ESAs”) published the “Final Report on Draft Regulatory Technical Standards to specify the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of Regulation (EU) 2022/2554” (the “Subcontracting RTS”).

The Subcontracting RTS, issued by the ESAs pursuant to article 30(5) of DORA, sets out several critical requirements, including:

  1. Risk assessment and due diligence: financial entities need a process which includes thorough due diligence procedures before entering into a subcontracting arrangement and continuous monitoring of that arrangement thereafter;
  2. Contractual arrangements: contracts must include specific provisions to ensure transparency and the ability to monitor and control subcontractors, including correlated termination rights;
  3. Monitoring and management: financial entities must ensure that subcontractors adhere to the same standards and requirements as their direct third-party ICT service providers.

In our view, however, a particularly significant challenge will be posed to many ICT service providers, given the contractual content which financial entities will be expected to insist upon in their contracts with their third-party ICT service providers.

Why is the Subcontracting RTS so Important?

DORA’s Article 30(2)(a) sets out that the contractual arrangements on the use of ICT services by financial entities with their third-party ICT service providers are to include at least a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting.

However, DORA itself does not specify what the “conditions applying to such subcontracting” must be. This is despite the fact that, in practice, outsourcing and subcontracting have become ingrained within the ICT industry as a means of enabling or augmenting service delivery, whether through the use of subcontractors for the supply of skills, services, infrastructure or licensing. Such inputs, although needed for an ICT service provider’s service delivery, are often outside the core competency or capability of the ICT contractor.

Insight as to the subcontracting conditions required by DORA can now be gained from the content of the (currently draft) Subcontracting RTS.

While some of the contractual content requirements which the Subcontracting RTS imposes upon financial entities to include in their contracts with third-party ICT service providers are fairly standard and probably already envisaged by ICT service providers, various other elements are likely to be out of the norm for most ICT providers, and will probably be particularly challenging for them to commit to with financial entities.

Indeed, in our view, the content of the Subcontracting RTS poses one of the major challenges for ICT service providers who wish to continue servicing financial entity customers.

For example, financial entities are expected to impose a condition on third-party ICT service providers to ensure the continuity of the ICT services supporting critical or important functions throughout the chain of subcontractors in case of failure by an ICT subcontractor to meet its contractual obligations.

Contingency plans are also expected. Further, the ICT third-party service provider will be required to specify in its written contractual agreement with the subcontractor the ICT security standards and any additional security requirements, where relevant, that the subcontractor must meet in order for the provider to satisfy its own contract with the financial entity. Identification and monitoring of the entire subcontracting chain is also required.

DORA will also impact an ICT service provider’s own B2B subcontracting to certain entities, especially larger ones, which insist on a right to unilaterally amend their contracts (or which sometimes do not allow any level of negotiation or amendment at all).

Financial entities will need to be able to bind their third-party ICT service providers to notify them of material changes to subcontracting agreements.

In turn, the financial entity will need to assess the impact of such changes on the risks to which it is or might be exposed, as well as whether the changes might affect the ability of the ICT third-party service provider to meet its obligations. The ICT third-party service provider will be expected to accept, in its contract with the financial entity, that it may implement material changes to its contract with the subcontractor only after the financial entity has either approved the changes or not objected to them by the end of the respective notice period.

What Does this Mean for ICT Service Providers?

The Subcontracting RTS will be a pivotal component of DORA, seeking to ensure that financial entities manage their ICT risks effectively. It aims to facilitate better risk management and compliance across the financial sector by standardising the requirements and providing a clear framework for subcontracting by the financial entity’s third-party ICT service providers.

As a result, ICT service providers that wish to continue servicing financial entity customers will need to embark on a DORA-related compliance exercise, mainly in order to be able to commit to the respective contractual requirements towards their financial entity customers, and also to put in place the risk assessments, processes and procedures that will be needed to service financial entities subject to DORA.

In line with the proportionality principle that is ever-present throughout DORA, the requirements which a financial entity will ultimately need to impose depend on the size and overall risk profile of the financial entity and on the nature, scale and elements of increased or reduced complexity of its services, activities and operations.

Naturally, the legal situation which will materialise through DORA may prove to be a difficult endeavour for ICT providers, given that a level of individualisation in contracts with financial entities is now somewhat inevitable. This tends to be diametrically opposed to the business models of ICT providers, which typically aim for standardisation.

Inevitably, such an exercise will not only involve revising contracts with financial entity customers to align with DORA’s content requirements, but also renegotiating contracts entered into with subcontractors, so that the ICT provider is able to commit, on a back-to-back basis, to the contractual conditions it will now need to accept towards its financial entity customers.

Article by Dr Terence Cassar.

Do you require any help complying with the imminent coming into force of DORA?

GTG is here to assist! For more information, assistance or clarification kindly contact Dr Ian Gauci or Dr Terence Cassar.

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.