Overview
DORA is an EU regulation designed to ensure that financial entities can withstand and recover from technology issues such as cyber events and technical failures—an overview on DORA is available in our previous Engage article here.
DORA is supplemented by important detail in secondary legislative measures (i.e. Regulatory Technical Standards and Implementing Technical Standards) which are due to be finalised and put in place before the requirements under DORA become applicable, on 17 January 2024.
The Subcontracting RTS sets out further detail on the specific requirements relating to the subcontracting of ICT services supporting critical or important functions (or material parts thereof) under DORA. It is worth noting that the final draft has been highly anticipated by both financial services entities subject to DORA and IT suppliers—the subcontracting rules under DORA are difficult to interpret as well as to implement in practice, and subcontracting provisions are often some of the most heavily negotiated sections of in vendor contracts. Moreover, the final report on the draft subcontracting RTS was originally expected to be published on 17 July 2024 alongside the publication of the final reports of a number of other level 2 measures under DORA, but was not published until 26 July 2024.
Accordingly, following on from our recent Engage Article covering the batch of level 2 rules under DORA published on 17 July 2024 (which also sets out further background on the level 2 measures more generally), we now summarise below some key takeaways in the final report of the draft Subcontracting RTS.
Notable changes in the draft Subcontracting RTS
The subcontracting chain
The initial draft Subcontracting RTS that was issued for consultation required financial entities to monitor the conditions to subcontracting and key performance indicators “along the entire ICT subcontracting chain”. Industry had concerns about whether this requirement was practical or proportionate.
The final report of the draft Subcontracting RTS reiterates that there is no hard limit on the number of levels in a subcontracting chain to which the monitoring requirement under DORA applies, and sets out specific obligations on financial entities to ensure the written contractual agreement between the financial entity and the ICT service provider allows the financial entity to be able to “identify” the full chain of ICT subcontractors providing ICT services supporting critical or important functions (or material parts thereof).
Nevertheless, in response to industry concerns around proportionality, the updated draft helpfully removes the reference to “the entire ICT subcontracting chain” from Article 5 of the Subcontracting RTS and clarifies that financial entities are expected to focus on subcontractors that “effectively underpin” the ICT service supporting critical or important functions—this should be reflected in the written contractual agreement between the financial entity and the ICT third-party service provider. The Subcontracting RTS further states in Recital (6) that the meaning of subcontractors which “effectively underpin” the ICT service supporting critical or important functions includes those whose disruption would impair the security or continuity of the service provision, in accordance with the Implementing Technical Standards on standard templates for the register of information (the “Register ITS”)—we note that this alignment with the Register ITS helpfully clarifies a point of ambiguity that we raised in our previous Engage Article.
Moreover, there are drafting changes made throughout the Subcontracting RTS, such that the text refers more consistently to the subcontracting of “ICT services supporting critical or important functions or material parts thereof”—this is useful to confirm the scope of subcontracting arrangements which the requirements under the Subcontracting RTS are applicable to.
Furthermore, the updated Subcontracting RTS expressly permits financial entities to, “where appropriate, rely on information provided by the ICT third-party service provider” in the context of its monitoring requirements, which may make complying with such obligations more practically achievable.
Due diligence and risk assessments
In light of responses received in the consultation period of the draft Subcontracting RTS, a number of adjustments have been made to Article 3, which sets out the list of factors that a financial entity must have assessed prior to deciding whether or not the subcontracting of the ICT services supporting critical or important functions (or material parts thereof) should be permitted.
For example, the amended Subcontracting RTS no longer requires financial entities to have assessed that the relevant clauses of the contract between the financial entity and the ICT service provider are “replicated as appropriate in the subcontracting arrangements”, which would suggest that subcontracting arrangements need to mirror the contract with the financial entity – this would have been problematic as the financial entity would not be party to the contracts between the ICT service provider and its subcontractors (e.g. issues around confidentiality and professional secrecy). Instead, the updated requirement is to have assessed that the ICT service provider ensures that its contractual arrangements with subcontractors allow the financial entity to comply with its obligations under DORA, and grant the financial entity (and competent and resolution authorities) “the same contractual rights of access, inspection and audit along the chain of subcontractors” as those granted by the ICT third-party service provider.
Another notable amendment is the removal of the reference to involving financial entities in “the decision-making related to subcontracting”—instead, the requirement is for the financial entity to have assessed that the ICT service provider is “able to identify, notify and inform” the financial entity of the subcontractors along the chain.
Additionally, the updated RTS explicitly states that financial entities should not be exclusively relying on the results of the risk assessment carried out by their ICT third-party service providers on their subcontractors.
Timeline for compliance
The final report suggests that there is no scope for postponing the deadline for the application of the requirements under DORA relating to the written contracts between financial entities and ICT service providers. In particular, the ESAs state that "DORA does not foresee transitional periods and therefore the requirements under DORA will apply at its date of application" (in Section 6 of the final report), in response to concerns raised around the challenges of remediating existing contractual arrangements for compliance with DORA by the time DORA becomes applicable.
The updated Subcontracting RTS introduces a new Article 4(2) which states: “Changes relative to contractual agreements…made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible. The financial entity shall document the planned timeline for the implementation.” On the one hand, the language appears to acknowledge the practical difficulties of implementing changes made to written agreements as a result of DORA coming into effect—however, this does not postpone the 17 January 2025 deadline for financial entities to ensure compliance with DORA. It is worth noting that, in the context of a future point in time (i.e. once DORA is already fully applicable), this obligation to ensure that contractual changes are implemented in a timely manner and as soon as possible will apply each time changes are made to written contracts with relevant ICT third-party service providers providing services supporting a critical or important function (or material parts thereof).
(We note that similar wording can be found in the Regulatory Technical Standards regarding a financial entity’s policy on contractual arrangements with ICT third party service providers (“TPSP Policy RTS”): “The management body shall review the policy at least once a year and update it where necessary. Changes made to the policy shall be implemented in a timely manner and as soon as it is possible within the relevant contractual arrangements. The financial entity shall document the planned timeline for the implementation.”)
Next steps
The Subcontracting RTS may still be subject to change before it comes into effect, although we do not expect significant changes to be introduced at this stage. The draft Subcontracting RTS will now need to be adopted by the European Commission, and the European Parliament and the Council of the European Union will also have an opportunity to scrutinise the text. After the text has been adopted by the co-legislators, the Subcontracting RTS will then enter into force on the twentieth day after publication in the Official Journal.
We will continue to monitor developments to the draft. In the meantime, financial entities are encouraged to take steps to comply with the requirements under the updated Subcontracting RTS ahead of the 17 January 2025 deadline, including by identifying the chain of subcontracting of ICT services supporting critical or important functions (or material parts of them), and remediating contracts with existing service providers where necessary.
Authored by John Salmon, Christina Wu, and Alex Nicol.
