Out-Law News Reading time: 1 min.

DORA subcontracting standards near set as regulators relent


Financial entities in the EU have clarity on the detailed regulatory requirements they will face when subcontracting critical or important functions of their operations to ICT providers, after regulators decided to accept policymakers’ changes to standards they had drafted.

The Digital Operational Resilience Act (DORA) began to apply in January. Among other things, it specifies requirements for subcontracting in EU financial services, including that financial entities include a “clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting” within their contractual arrangements.

Under DORA, the European supervisory authorities (ESAs) – the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority – were obliged to draw up regulatory technical standards (RTS) to help financial entities “determine and assess when subcontracting ICT services supporting critical or important functions”.

Last summer, the ESAs submitted the draft RTS to the European Commission for adoption. However, the Commission wrote back in January to notify its rejection of the draft. The Commission, in particular, took issue with article 5 and its related Recital 5, which provide for subcontractor monitoring across entire ICT supply chains, determining that what was proposed went beyond what the ESAs were empowered to deliver under DORA.

The ESAs have now issued a short opinion in which they said they have accepted the changes the Commission applied to their draft.

Luke Scanlon of Pinsent Masons said last month that the Commission’s changes would be welcomed by financial institutions, but he called on the ESAs to consider how the removal of the subcontractor monitoring obligations could impact on other requirements included in the draft RTS.

Andreas Carney, also of Pinsent Masons, said financial entities will now need to consider how they can meet due diligence and risk assessment requirements under narrower statutory monitoring mechanisms, as well as the scope of contractual rights of access, inspection and audit they will need to provide for in their ICT supplier contracts.
