Out-Law News Reading time: 3 min.

DORA: regulatory rethink required as subcontractor monitoring plans fall


The likely removal of controversial subcontractor monitoring obligations from proposed regulatory technical standards (RTS) under the EU’s Digital Operational Resilience Act (DORA) will be welcomed by financial institutions, but regulators must take care to consider how their removal could impact on other requirements they are proposing.

Last month, the European Commission wrote to the European supervisory authorities (ESAs) – the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority – to notify its rejection of the ESAs’ draft RTS on ICT subcontracting (52-page / 759KB PDF) issued under DORA. The Commission, in particular, took issue with article 5 and its related Recital 5, which provide for subcontractor monitoring across entire ICT supply chains.

The decision has generally been welcomed as a practical one. However, if, as expected, the ESAs now revise the RTS by removing article 5 and Recital 5, the ESAs will need to consider the impact on other provisions in the RTS, including the extent to which financial entities should be expected to obtain contractual rights of access, inspection and audit over the operations of ICT subcontractors.

Broader monitoring requirements

The removal of article 5 impacts the operational framework for monitoring subcontracting chains for ICT services provided for critical or important functions. The now-rejected article 5 would have required financial entities to ensure that their contracts with ICT third-party service providers included requirements on the provider to identify the entire chain of ICT subcontractors used and to keep that identified list up to date.

The provider would also have needed to contractually agree to provide the financial entity with information on its contractual documentation with its ICT subcontractors, including information on relevant performance indicators used to monitor the performance of those subcontractors. The extent of contractual documentation to be provided was not specified.

With the removal of article 5, financial entities will no longer be expected to require their ICT third-party service providers to contractually agree to identify each of their ICT subcontractors. This does not mean, however, that the financial entity should have no knowledge of the subcontractors used.

To meet the due diligence and risk assessment requirements set out in article 3 of the RTS, before contracting, the financial entity will still need to be notified and informed of “any subcontractors in the chain of subcontracting providing ICT services supporting critical or important functions”. Financial entities will therefore need to ensure that their due diligence and risk assessment processes continue to account for this, assuming that the ESAs do not choose to align this requirement with the removal of the identification requirement in article 5.

As part of their revision of the subcontracting RTS, the ESAs could consider aligning this pre-contractual requirement with the post-contractual risk monitoring expectations set by the Commission. The ESAs could, for example, revise article 3 by limiting its application to ICT subcontractors that effectively underpin the ICT services provided to the financial entity.

If the ESAs chose to take this approach, then rather than requiring financial entities to obtain information on all subcontractors, the provider would only be required to obtain information on the subcontractors that could have a real impact on service delivery. This would be more consistent not only with the post-contractual risk monitoring requirements but also with the parallel requirements on financial entities to obtain information on subcontractors for the purpose of developing and maintaining a register of information on third-party contracts.

The separate implementing technical standards (ITS) on the register of information under DORA set out the information which financial entities are required to maintain in their registers about subcontracting arrangements. They provide that financial entities should be required to keep information only about subcontractors that effectively underpin ICT services supporting critical or important functions, including those whose disruption would impair the security or the continuity of the service provision.

Access and audit rights

Similarly, the ESAs may also choose to look more closely at the relationship between article 5 and the requirement for the provider in article 3 of the RTS to grant the financial entity and competent and resolution authorities the same contractual rights of access, inspection and audit along the chain of subcontractors providing ICT services supporting critical or important functions as those granted by the ICT third-party service provider to the financial entity. It seems more consistent with the general approach to risk monitoring set out in DORA for this requirement to be limited to ICT subcontractors which effectively underpin the ICT service and not all ICT subcontractors regardless of their relevance to the service, materiality or risk.

This more targeted approach seems reasonable and practical, especially given the complexity of modern ICT service provision and subcontracting chains. It is also consistent with the risk-based proportionate approach that is embedded in the text of DORA. 

As the ESAs work on their revision, they will need to carefully consider how article 3 can operate effectively without article 5. We expect to see the updated draft RTS in the coming weeks.
