On 2 July 2025 the regulatory technical standards (RTS) under article 30(5) of DORA (EU/2025/532) were published. These RTS will enter into force on 22 July 2025. As a result, ICT service providers supporting critical or important functions of financial entities subject to DORA must also comply with the detailed requirements of these RTS when subcontracting. The RTS apply in addition to the general requirements under article 30 of DORA and may require further action by financial entities and their ICT service providers.
Article 30 DORA – contract requirements for subcontracting
Article 30 of DORA contains a list of contractual provisions that must be included in ICT services contracts, both for non-critical functions (subsection 2) and critical or important functions (subsections 2 and 3). Subsection 5 requires the EBA, ESMA and EIOPA to set further regulatory standards for subcontracting.
Many financial entities and their ICT service providers have updated their contracts to comply with article 30, for example by agreeing on DORA annexes. In the Netherlands these are often based on (industry-wide) standards such as the ones prepared by Dutch industry associations in close cooperation with the Dutch regulators DNB and AFM.
RTS on subcontracting
The RTS introduce additional requirements for financial entities subject to DORA where their ICT service providers subcontract ICT services supporting critical or important functions. These requirements do not apply where no subcontracting is authorised under the ICT services contract, or where the subcontracting relates only to non-critical or unimportant functions. Financial entities must make sure that the RTS are met through appropriate actions and contractual provisions with their ICT service providers.
These detailed requirements arising from the RTS are fairly clear and straightforward. The proportionality principle applies, allowing financial entities to take into account the relevant facts and circumstances of the particular case, such as the type of ICT services, the subcontracting chain, and whether the subcontracting is intragroup. This is consistent with DORA itself, as DORA includes proportionality as a core principle.
The RTS also include group application, making the parent undertaking (also) responsible for compliance with the RTS, even if it is not a financial entity itself. This raises the question whether the regulator may directly address the parent undertaking, particularly because the parent undertaking is not itself subject to DORA. In practice, this means that the parent undertaking must take sufficient measures to ensure that the financial entities in the group comply with (DORA and) the RTS, for example by issuing the necessary instructions in that respect.
The core requirements are included in articles 3 – 6 of the RTS. Article 3 relates to due diligence and risk assessment and requires that prior to contracting with ICT service providers, the financial entity meets ten (10) conditions, including verifying sufficient operational and financial capabilities of the ICT service provider, transparency on the subcontracting chain, and equal access and information rights granted by ICT subcontractors. An obligation to do a periodical risk assessment on ICT subcontractors is also included.
Article 4 lists twelve (12) subcontracting-related topics that must be addressed in the ICT services contracts with the ICT service providers, including obligations for the ICT service provider to monitor ICT subcontractors and to report to the financial entity, as well as specific elements to be included in the contracts between ICT service providers and ICT subcontractors.
Article 5 includes notification duties for the ICT service provider of any intended material changes to its ICT subcontracting arrangements and the restriction for the ICT service provider to implement such changes without approval or non-objection by the financial entity, as well as the obligation for the financial entity to object prior to the end of the notice period.
Finally, article 6 lists mandatory termination rights for the financial entity to be included in ICT services contracts to cover material changes objected to or without approval by the financial entity, and unauthorised subcontracting by the ICT service provider.
Relationship between DORA and RTS
It is important to note that the RTS solely relate to subcontracting. They apply next to (and not instead of) the respective requirements under articles 28 – 30 of DORA. For example, article 28(7) of DORA includes general termination rights, while article 6 of the RTS includes additional termination rights for subcontracting with respect to critical or important functions. Both must be laid down in the relevant contracts with ICT service providers. Similarly, article 28(4) provides for general due diligence and risk assessment, and article 3 of the RTS includes additional requirements in case of ICT subcontracting with respect to critical or important functions.
Action required?
Financial entities subject to DORA need to ensure compliance with the RTS on subcontracting. Existing arrangements agreed in respect of DORA between the financial entity and the relevant ICT service providers may not (yet) reflect the RTS requirements, or may only do so in (too) general terms. If this is the case, the ICT services contracts will need to be amended.