European Commission rejects DORA RTS on Subcontracting

Background

Europe’s Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554 - “DORA”) entered into force on 16 January 2023 and applies to financial entities since 17 January 2025. DORA assigns the task of drafting several level-2 acts (regulatory technical standards and implementing technical standards) to the European Supervisory Authorities (“ESAs”). On 17 July 2024, the ESAs submitted a draft Delegated Regulation with regard to regulatory technical standards on subcontracting ICT services supporting critical or important functions (“RTS on Subcontracting”) to the European Commission. The draft RTS on Subcontracting were intended to specify the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.

Rejection by the European Commission

After long discussions, the European Commission rejected the RTS on Subcontracting draft in a letter dated 21 January 2025, four days after all financial entities were required to comply with DORA. The main reason the European Commission stated for the rejection is that the provisions in Article 5 of the RTS on Subcontracting draft concerning the monitoring of subcontractors go beyond the empowerment given to the ESAs by Article 30(5) DORA as introducing requirements not specifically linked to the conditions for subcontracting. The European Commission therefore considers that Article 5 and the related recital 5 are to be removed from the draft RTS on Subcontracting to ensure its compliance with the mandate. Finally, the draft RTS on Subcontracting contains targeted drafting amendments that do not affect the substance of the act and are aimed at improving the quality of the legal act.

Key Criticisms from the Commission:

• The draft RTS on Subcontracting exceeds the mandate given in Article 30(5) DORA.
• Specifically, the provisions on monitoring the subcontracting chain are not within the scope of the mandate.

Next Steps

The ESAs now have six weeks to revise the draft in accordance with the European Commission’s requirements and resubmit it. If the ESAs do not submit an amended draft RTS, on Subcontracting or submit a draft RTS on Subcontracting that is not amended in a way consistent with the European Commission’s proposed amendments, the European Commission may adopt the RTS with the amendments it considers relevant or reject it. Affected ICT TPSPs which have already entered into agreements based on the published draft RTS on Subcontracting including the provision of Article 5 now will have to find a way to rewind respective obligations based on the updated RTS on Subcontracting.
For those who have not taken any action yet, it should be safe to comply with the RTS on Subcontracting in the form as proposed by the European Commission and disregard Article 5, as it is highly likely that the amended draft will be adjusted in line with the comments, leading to the removal of Article 5 and its corresponding recital 5.

With the kind support of Anna Maria Volz (research assistant, Frankfurt).