Back to the drawing board? European Commission rejects DORA subcontracting RTS
RegCORE – Client Alert | Banking Union | Capital Markets Union | Insurance Union | Digital Single Market
QuickTake
The EU’s Regulation known as the Digital Operational Resilience Act (DORA) came into effect on 17 January 2025. DORA sets out a comprehensive legislative, regulatory and supervisory framework for financial entities as well as information and communication technology (ICT) service providers in the EU and beyond. As explored in an earlier Client Alert as part of our dedicated series on DORA, the Joint Committee of the European Supervisory Authorities (ESAs) finalised joint regulatory technical standards (RTS) on subcontracting arrangements during the summer of 2024.
The Subcontracting RTS, as published in July 2024, specified requirements to be included throughout the lifecycle of contractual arrangements between financial entities (in-scope of DORA) and ICT third-party service providers (where subject to DORA). Financial entities are required to assess the risks associated with subcontracting during the pre-contractual phase, including the due diligence process. The draft Delegated Regulation setting out the Subcontracting RTS was sent to the European Commission’s Directorate General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA) for its review.
On 31 January 2025, DG FISMA published a letter it had sent on 21 January 2025 to the Chair of the Joint Committee of the ESAs. DG FISMA’s letter formally rejected the entirety of the draft Subcontracting RTS, highlighting that some sections exceeded DORA’s legislative requirements.
As explored in this Client Alert, while the ESAs have six weeks from 21 January 2025 (i.e., until Tuesday 4 March 2025) to amend and resubmit the draft Subcontracting RTS in the form of a formal opinion to the European Commission, the present situation may (but does not need to) contribute to uncertainty. DG FISMA’s letter raised specifically that if the ESAs do not submit an amended draft RTS within six weeks, or if the amendments are not consistent with the Commission’s proposals, the Commission may adopt the RTS with its own amendments or (again) reject it.
While this discussion should not be seen as a pause in DORA’s compliance priorities, it means that entities must remain flexible. They should be ready to adapt their DORA compliance and contractual documentation efforts quickly to close any gaps once the Subcontracting RTS are adopted.
Key takeaways from DG FISMA’s letter
It is probable that DG FISMA’s decision to reject the entirety of the Subcontracting RTS was influenced by the specific debate regarding the overreach in scope of draft Article 5 (Conditions for subcontracting relating to the chain of ICT subcontractors providing a service supporting a critical or important function by the financial entity) of the Subcontracting RTS.
The drafting as proposed for Article 5 had required financial entities to identify and maintain an up-to-date record of the “entire chain of subcontractors”. In contrast to other parts of the proposed Subcontracting RTS, which restricted this obligation to those subcontractors responsible for material parts of the relevant ICT services, the requirements in Article 5 were viewed as broad. Commentators had raised concerns that Article 5 could subject even minor subcontractors to the same requirements. Such an approach was called out by many stakeholders as being disproportionate and excessively burdensome for financial entities but equally for ICT service providers seeking to comply with DORA.
DG FISMA’s letter also explains the basis of its rejection. DG FISMA states that it views the requirements introduced specifically by Article 5 in the draft RTS as going beyond the scope of empowerment given to the ESAs as set out in Article 30(5) DORA. This is because the requirements proposed in draft Article 5 would introduce requirements that are not specifically linked to the conditions for subcontracting as set out in DORA.
DG FISMA in its letter proposes that in addition to (i) other targeted amendments aimed at improving the legal drafting of the draft RTS, (ii) both Article 5 and the related Recital 5 of the draft Subcontracting RTS should be removed so as to ensure compliance with the legislative mandate as granted in DORA to the ESAs. Such removal does not necessarily exclude a replacement, albeit drafted in a form that complies with DG FISMA’s views.
In terms of the next steps in the adoption process of the Subcontracting RTS, it should be noted that:
- the ESAs have the option to take the draft Subcontracting RTS back to the drawing board as a result of DG FISMA’s letter. DG FISMA has indicated that after the issues it had raised have been resolved, it plans to accept the revised Subcontracting RTS;
- should the ESAs fail to respond with the revised RTS within the six-week time period (i.e., by 4 March 2025), DG FISMA has reminded the ESAs that the European Commission has the discretion to either adopt the RTS with its own amendments or (again) reject it outright;
- if the European Commission decides to adopt the Subcontracting RTS as revised by the ESAs, without amendments, the European Parliament and the Council have one month from the date of notification to raise objections. At the request of the Council or the Parliament, this objection period may be prolonged by one further month; and
- in the event that neither the Council nor the Parliament raises any objections within the allotted time, the revised Subcontracting RTS will be approved and published in the Official Journal. However, if the Council and Parliament both expressly state that they do not plan to oppose the RTS, the publication procedure can go more quickly. The draft RTS will be sent back to the ESAs for additional examination and revision if it is rejected.
While the DG FISMA letter sets out clear expectations and establishes a path and timeline to final adoption of a revised form of the Subcontracting RTS, it is perhaps rather regrettable that all of this comes at a time when this crucial component of the legislative, regulatory and supervisory framework of DORA remains in flux. As a result, some financial entities and/or ICT providers may find it difficult to fully execute subcontracting clauses and contractual monitoring frameworks, in particular as regards the length and depth of auditing/monitoring along the subcontracting chain, if such documentation does not provide the flexibility and agility needed to accommodate the evolution of supervisory expectations.
This current situation raises questions about how (national) competent authorities will supervise DORA compliance before the final RTS on Subcontracting is adopted and what will satisfy supervisory expectations. In the interim, DORA-relevant entities may need to ensure they can evidence “best efforts” on meeting DORA standards and ensure that they:
a. Comply with DORA overall: Financial entities and ICT providers must ensure they can evidence that they already comply (or are applying best efforts so as to comply) with the existing provisions of DORA while awaiting the finalisation of the Subcontracting RTS. The rejection of the draft Subcontracting RTS indicates that while firms should not yet implement the specific requirements related to the monitoring of the subcontracting chain as proposed in the draft, they should take measures to ensure they are agile to meet the final standards and implement these in a timely manner;
b. Conduct due diligence and risk assessments across subcontracting chains: Financial entities should, despite the rejection, continue to conduct thorough due diligence and risk assessments when subcontracting ICT services. The principles of assessing risks during the precontractual phase and managing contractual arrangements remain critical for (digital) operational resilience; and
c. Monitor subcontractors: While the specific provisions in Article 5 of the Subcontracting RTS for monitoring the subcontracting chain may have been rejected, relevant firms should still maintain robust oversight of their subcontractors. Effective monitoring is, as set out in DORA generally, in the view of the ESAs and competent authorities at the core of what DORA aims to achieve. The overarching supervisory expectation is therefore clear that it is essential to ensure that subcontractors meet the required standards set by DORA and that subcontractors do not pose risks to critical or important functions carried out by financial entities.
In summary, the rejection of the draft Subcontracting RTS means that regulatory requirements will not remain static. The question will thus be what degree of revisions will be set out in the next (hopefully truly final) version of the Subcontracting RTS as presented to DG FISMA and what this means for the further adoption process.
The current situation, while generating some uncertainty, may also offer a bit more breathing room for some financial entities and ICT providers. Some stakeholders might welcome this additional time (i) to (further) step up efforts to meet DORA compliance overall as well as (ii) to work the requisite agility and flexibility into contractual as well as policy and procedure documentation, so that the requirements and supervisory expectations that will be set out in the final form of the to-be-adopted Subcontracting RTS are capable of being met more fully.
As set out in our earlier Client Alert, (national) competent authorities will continue to look at how in-scope financial entities and ICT providers are proceeding in terms of the pace and implementation of DORA compliance as this newest chapter to the EU’s Single Rulebook becomes fully operational. Failure to prepare and meet compliance (or to evidence sufficient levels of doing so) may raise the risk of becoming subject to unwanted and/or adverse supervisory engagement.
Outlook and next steps
The DG FISMA letter and the rejection of the draft Subcontracting RTS by the European Commission underscore the dynamic and evolving nature of the regulatory landscape under DORA. Financial entities and ICT service providers must remain vigilant and adaptable as the Joint Committee of the ESAs works to amend and resubmit the draft RTS within the stipulated six-week period. This period, ending on 4 March 2025, is critical for ensuring that the revised standards align with the legislative mandate of DORA and address the Commission’s concerns, particularly those related to the overreach identified in Article 5.
In the interim, it is imperative for DORA-relevant entities to continue demonstrating “best efforts” in meeting existing DORA requirements. Entities should equally prepare to implement potential adjustments in their compliance strategies and contractual frameworks to swiftly integrate the finalised standards of the Subcontracting RTS once adopted. The evolving regulatory environment necessitates a high degree of agility and readiness to implement changes promptly, ensuring that operational resilience and regulatory compliance are maintained at all times.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.
In order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.