The European Commission has formally rejected draft rules on monitoring ICT supply chains under the Digital Operational Resilience Act. These rules impact the contractual arrangements between EU financial entities and their tech service providers. The rejection means firms face a longer wait before they can close out their contract negotiations to reflect DORA, even though the legislation is already in effect.
The European Supervisory Authorities finalised their draft regulatory technical standards on subcontracting under DORA last summer. The rules come from a mandate under DORA for the ESAs to specify what financial entities should consider when allowing ICT services supporting their critical or important functions (CIFs) to be subcontracted. After months of uncertainty, the Commission has now officially rejected the draft RTS.
In its letter to the ESAs, the Commission takes issue with the inclusion of Article 5. This provision sets additional conditions for the subcontracting of ICT services which support the financial entity’s CIFs. These conditions include a requirement for contracts to enable the financial entity to monitor the ICT supply chain and to have access to contractual documentation between the ICT service provider and its subcontractors. According to the Commission, these requirements go beyond the scope of the ESAs’ mandate.
The Commission proposes:
- deleting Article 5 and a related recital, and
- other targeted amendments aimed at improving the legal drafting of the draft RTS.
The ESAs have six weeks to decide if they want to amend the draft RTS on the basis of the Commission’s proposed amendments.