
Subcontracting rule changes agreed, clearing path towards finalised DORA rulebook

Even though the Digital Operational Resilience Act started to apply in January, some parts of the DORA regulatory framework have not yet been finalised. Of most interest to financial entities implementing DORA are the rules on subcontracting ICT services. Now, the European Supervisory Authorities have agreed to change their draft rules, paving the way for the final piece of the DORA puzzle to be put in place.

Responding to rejection

DORA requires the ESAs to specify what financial entities must do when subcontracting ICT services that support their critical or important functions. Last year the ESAs put forward regulatory technical standards with these rules. The European Commission rejected the subcontracting RTS because one article went beyond the ESAs’ mandate.

Removing some contract conditions

Now, in a short opinion, the ESAs acknowledge that removing Article 5 will mean that the RTS is fully in line with their mandate. The draft article required contracts between financial entities and their ICT third-party service providers to meet certain conditions, e.g. to enable the financial entity to monitor the entire ICT supply chain. Firms’ ICT contracts will no longer need to meet these conditions.

Revising the drafting

The Commission also proposed other targeted amendments to improve the legal drafting of the RTS. The ESAs agree that these changes are meant to ease the reading of the draft RTS or make more explicit the link of some provisions with their mandate. The changes have not yet been published but the ESAs say that they are non-substantive.

Remember related requirements

When it comes, having the final text of the RTS should help financial firms close out talks with their ICT providers on DORA compliance. The deletion of Article 5 may help unlock some of these talks but firms should also keep in mind other DORA rules which relate to subcontracting of ICT services supporting critical or important functions. For example, firms must:

  • Monitor ICT third-party risks generally
  • Assess whether and how potentially long or complex supply chains could impact monitoring
  • Input information about relevant subcontractors in their DORA registers of information

Firms should consider the extent to which their contractual arrangements help them meet these requirements.

Visit our operational resilience webpage to explore our DORA Level 2 Measures Tracker.

Today’s Opinion acknowledges the assessment performed by the EC and confirms that the amendments proposed ensure that the draft RTS is in line with the mandate set out under DORA. For this reason, the ESAs do not recommend further amendments to the RTS in addition to the ones proposed by the EC.
