The European Supervisory Authorities (ESAs) have finalised their much-anticipated technical standard on subcontracting ICT services supporting critical or important functions. This completes the second batch of policy papers under the EU’s Digital Operational Resilience Act (DORA). The other papers in this batch were published on 17 July 2024.
The latest regulatory technical standards (RTS) specify rules relating to the subcontracting of ICT services, including:
- the conditions to be met when EU financial entities permit their ICT third party service providers to subcontract ICT services,
- the requirement for EU financial entities to assess the risks associated with subcontracting before they enter into contractual arrangements with ICT third party service providers, and
- rules relating to the implementation, monitoring and management of contractual arrangements for the use of ICT services supporting critical or important functions.
What has changed from the consultation version of the RTS?
The finalised RTS is not substantially different to the draft the ESAs published in December 2023. However, the following changes are important to note.
Scope
The ESAs clarify that the intended scope of the RTS is to capture the subcontracting of ICT services that support critical or important functions (or material parts thereof) only. The final report also notes that a particular focus is to be put on subcontractors that effectively underpin the provision of an in-scope service.
Proportionality
The RTS has been updated to allow for greater proportionality in its application. Article 1 has been amended to include additional criteria and elements of risk that can be considered by EU financial entities when they implement the requirements in the RTS.
Risk assessment
The latest version of the RTS also includes clarification of the matters which EU financial entities should have regard to when conducting a risk assessment before entering into an arrangement with an ICT third party service provider.
For example, in response to feedback that it would be challenging for ICT third party service providers to involve EU financial entities in decisions related to subcontracting, the ESAs have replaced this requirement. Under the replacement requirement, before permitting subcontracting, EU financial entities must consider the extent to which an ICT service provider is able to identify, notify and inform them of all subcontractors in the subcontracting chain.
EU financial entities will also need to consider whether the agreements with subcontractors allow the financial entity to remain in compliance with DORA and all other legal and regulatory requirements, and specifically whether those agreements give the EU financial entity and its regulators audit and access rights across the subcontracting chain.
Contractual terms
Several of the contractual requirements in the RTS have been altered, including new requirements for the contract to specify that the ICT service provider remains responsible for the provision of services by its subcontractors and that the ICT service provider is responsible for notifying the financial entity of material changes to subcontracting arrangements.
In addition, Article 4 of the RTS has been modified to state expressly that ICT service providers should include terms in their own agreements with subcontractors, notably on monitoring and reporting, business contingency plans and ICT security standards.
Conditions for subcontracting
The conditions for subcontracting in Article 5 of the RTS have been updated.
The revised Article 5 now specifies that the written agreement between an EU financial entity and an ICT third party service provider must (i) provide that the full chain of subcontractors supporting critical or important functions will be identified and kept up to date in order to allow the EU financial entity to comply with its ICT register obligations; and (ii) include elements allowing the financial entity to obtain information from the ICT third party service provider to facilitate its monitoring of service performance, including with respect to subcontractors.
Overall impact
Confirmation of the scope of the RTS and a greater allowance for a proportionate application of its requirements will be welcomed by EU financial entities and their service providers. However, the amendments will impact the content of contracts between financial entities and their ICT third party service providers, triggering a further review of these agreements in light of the latest changes.