European Commission adopts revised DORA Subcontracting RTS – a partial retreat on monitoring sub-contractors?

On 24 March 2025, the European Commission ("Commission") adopted the long-awaited regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions ("Subcontracting RTS"). The most significant change from the previous draft of 17 July 2024 ("July 2024 Draft") is the deletion of Recital 5 and Article 5, which would have included mandatory contract content requirements relating to on-going monitoring of the chain of ICT subcontractors providing ICT services supporting "critical or important" functions ("CIF services").

However, in-scope financial entities will still have to monitor their sub-contracting supply chain:

• as clarified by the European Supervisory Authorities ("ESAs") earlier this month, financial entities' obligations under DORA in relation to supply chain monitoring, such as maintaining an adequate Register of Information, remain. These in turn may trigger indirect supply chain monitoring obligations (including contractual obligations) on ICT third-party provider ("ICT Providers"); and
• the Subcontracting RTS still includes certain flow down requirements in relation to ICT Providers' subcontracts (which were not rejected by the Commission).

The adopted version of the Subcontracting RTS will come into effect 20 days after its publication in the Official Journal.

Background

To recap, the Subcontracting RTS sets out a number of mandatory contractual provisions on sub-contracting which must be contained in contracts between an in-scope financial entity and ICT Providers of CIF services (i.e., as part of the conditions under which sub-contracting is allowed).

In the July 2024 Draft, these obligations included requirements aimed at giving the in-scope financial entity greater visibility down the supply chain, along with requirements on ICT Providers to flow down certain obligations to subcontractors.

As mentioned in our previous blog, at the time of DORA going live, the July 2024 Draft Subcontracting RTS had not yet been formally adopted by the Commission. On 21 January 2025, the Commission published a letter confirming its decision to reject the July 2024 Draft Subcontracting RTS. This was not the first time the Commission has rejected an RTS under DORA - it previously rejected the implementing technical standards on registers of information in October 2024 (see press release here), although this has since been adopted by the Commission (see here).

The Commission's core reasons for the rejection was that in its view mandatory contractual provisions relating to monitoring went beyond the scope of the legal power (under Article 30(5) of the DORA Regulation) to make the RTS – which was limited to requirements "specifically linked to the conditions for subcontracting" and not monitoring. Accordingly, the Commission wanted Article 5 and Recital 5 removed from the July 2024 Draft Subcontracting RTS.

On 7 March 2025, the ESAs responded in an opinion ("ESA Opinion") confirming that they would action the amendments proposed by the Commission. The version adopted by the Commission this week reflects those changes, along with clarificatory drafting changes (which generally appear to be non-material).

Effect of the removal of Article 5

With Article 5 deleted, the following sub-contracting conditions are not mandatory in written contracts between financial entities and their ICT Providers – provisions that:

• identify the supply chain of subcontractors providing the service (former Article 5(1) as set out in the ESA's previous final report of the Subcontracting RTS);
• ensure that the financial entity has effective monitoring rights over the provision of services (former Article 5(2));
• enable the financial entity to assess "whether and how the potentially long or complex chain of subcontractors… may impact their ability to fully monitor the contracted functions" (former Article 5(3)); and
• allow the financial entity to obtain information on the contractual documentation between the service provider and its subcontractors (former Article 5(4)).

This 'step-back' by the ESAs potentially reduces the contractual burdens on ICT Providers in relation to the monitoring of their supply chain, especially given the broad way in which former Article 5 was drafted. However, key obligations under the Subcontracting RTS in relation to (i) flow down requirements, and (ii) Registers of Information, are retained. Ultimate responsibility to comply with these obligations is with financial entities, who are likely to need ICT Providers to provide information to ensure their compliance (and ICT Providers may well be contractually required to provide such information, depending on the terms and conditions of their arrangements with the relevant financial entity).

(i) Flow downs to fourth party contracts

As mentioned in our previous blog, Article 4 of the Subcontracting RTS includes certain contractual requirements to ensure that ICT Providers of CIF services have certain rights (e.g. in relation to audit, monitoring, business continuity and security) over their subcontractors (known as 'fourth parties'). This is a material uplift from the pre-existing requirements under the EBA Outsourcing Guidelines. Some ICT Providers have already started remediation projects to reflect such flow downs into their vendor contracts.

(ii) Registers of Information

As clarified by the ESA Opinion on 7 March 2025, the ESAs noted that "financial entities are [still] expected to adhere to the provision on subcontractors as per DORA Article 29(2) fourth subparagraph, and Article 3(6) of the ITS on the Register of Information" which state the following:

• DORA Article 29(2) fourth paragraph: "Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect."
• Article 3(6) of the ITS on the Register of Information: "Where an ICT service provided by a direct ICT third-party service provider is supporting a critical or important function of the financial entities, financial entities shall ensure through the direct ICT third-party service provider [which includes intra-group service providers], that all the subcontractors of the direct ICT third-party service provider included in the register of information in accordance with paragraph 2, point (b), which effectively underpin/support ICT services supporting critical or important functions, use a valid and active LEI or provide their EUID, and where available both of these identifiers, except if those subcontractors are individuals acting in a business capacity."

This means that despite the deletion of Article 5(1) (which largely dealt with the requirement to update Registers of Information), financial entities may still require considerable information from their ICT Providers.

Financial entities may have started to gather information (including from their ICT Providers) in preparation for the first submission deadline for Registers of Information to the ESAs on 30 April 2025. The parties to contractual arrangements should review the agreed terms to consider how the responsibility for this compliance burden has been allocated between them.

ICT Providers may also wish to consider whether they fall within the criteria for critical ICT third-party service providers ("CTPPs"), given the ESA guidance that their review of the Registers of Information later this year will be the first step in the CTPP designation process (see roadmap released by the ESAs in February here). Once designated, CTPPs will be subject to the direct oversight of the ESAs under DORA.