Opinion of the European Supervisory Authorities
On the Draft Regulatory Technical Standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions under Article 30(5) of Regulation (EU) 2022/2054.
Introduction and legal basis
Article 30(2)(a) of EU) 2022/2554 on digital operational resilience for the financial sector (DORA)1 stipulates that the contractual arrangements on the use of ICT services between financial entities and third party service providers “shall include at least the following elements: (a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting”.
Article 30(5) of DORA requires the European Supervisory Authorities (ESAs) to develop draft regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. On 17 July 2024, the ESAs submitted the above-mentioned draft regulatory technical standards (RTS) to the European Commission2.
The draft RTS submitted to the European Commission outlines the conditions and the criteria to be considered by financial entities when subcontracting ICT services supporting critical or important functions throughout the lifecycle of contractual arrangements between financial entities and ICT third-party service providers. In particular, financial entities are required to evaluate the risks associated with subcontracting during the precontractual phase, including the due diligence process. Moreover, the RTS includes requirements for the implementation and management of contractual arrangements on subcontracting, including conditions to ensure that financial entities effectively monitor the subcontractors providing the ICT services that support critical or important functions.
On 21 January 2025, the European Commission, in accordance with the procedure outlined in the fourth subparagraph of Article 15(1) of the ESAs Regulations, informed the ESAs that it rejects the draft RTS3. The reason for this rejection is that the requirements introduced by Article 5 of the draft RTS on the “Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity” exceed the authority granted to the ESAs by Article 30(5) of DORA by introducing requirements not specifically connected to the conditions for subcontracting. In particular, the Commission deemed that a specific aspect, namely the content of the provisions regarding the monitoring of the subcontracting chain, falls outside the scope of the mandate set out in Article 30(5) of DORA and that Article 5 and the related recital 5 should therefore be removed from the draft RTS to ensure its compliance with the mandate.
In accordance with Article 10(1) of the ESAs Regulations, the ESAs have prepared this Opinion on the proposed amendments to the draft RTS by the European Commission.
This opinion has been jointly prepared by the ESAs and adopted by the three Board of Supervisors on 03 March 2025. The Opinion will be published on the websites of the ESAs.
General comments
The ESAs recognize that the amendments suggested by the EC will ensure that the draft RTS is fully in line with the mandate set out under Article 30(5) of Regulation (EU) 2022/2554 to “further specify the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions”. The ESAs take note and do not recommend any amendments to the EC proposed amendments.
For further context, financial entities are expected to comply with the provisions on subcontractors as per DORA Article 29(2) fourth subparagraph and Article 3(6) of the ITS on the Register of Information.
Other editorial comments
The European Commission has made several drafting amendments aimed at improving the readability of the draft RTS or making the link of some provisions to the legal mandate more explicit. The ESAs consider that these changes do not involve a policy change and represent non-substantive modifications.
First, please LoginComment After ~