
The European Commission rejects draft Regulatory Technical Standards on subcontracting under the Digital Operational Resilience Act


What has happened:

On 21 January 2025, the European Commission sent a letter to the Chair of the Joint Committee of the ESAs with its decision to reject the draft Regulatory Technical Standards (“RTS”) on subcontracting under the Digital Operational Resilience Act (“DORA”). The decision comes after months of speculation and after DORA officially came into effect on 17 January 2025. The draft RTS, which was submitted by the ESAs for approval, outlines specific technical requirements related to the management and oversight of subcontracting arrangements, a critical aspect of ensuring robust digital infrastructure and minimising systemic risks. In its rejection, the Commission considers that the ESAs have exceeded their legal mandate set out in DORA. In particular, the Commission is of the view that the provisions relating to the monitoring of the subcontracting chain are not within the scope of the mandate set out in Article 30(5) of DORA. As such, the Commission has requested the removal of Article 5 and the related recital 5 from the draft RTS to ensure its compliance with the mandate.

What is the Subcontracting RTS?

The main text of DORA is supplemented by technical detail in a body of secondary legislation, known as the “Level 2” legislation, which has been drafted by the three European Supervisory Authorities (“ESAs”): the European Banking Authority (“EBA”), the European Insurance and Occupational Pensions Authority (“EIOPA”) and the European Securities and Markets Authority (“ESMA”). The Subcontracting RTS, which forms part of DORA Level 2, establishes the requirements and conditions for using subcontracted ICT services that support critical or important functions (or material parts thereof) under DORA. The Subcontracting RTS requires financial entities to evaluate the risks associated with subcontracting during the precontractual phase, including the due diligence process. There are also requirements for implementing, monitoring, and managing contractual arrangements related to the subcontracting of ICT services to ensure that financial entities can oversee the entire ICT subcontracting chain. The controversy surrounding the Subcontracting RTS stems from the challenges these standards pose for financial entities, particularly in navigating obligations that are passed down throughout the chain. Subcontracting arrangements are inherently complex, as they often involve multiple parties and layers of services, each with their own vulnerabilities and risk factors. For financial entities (and their customers and stakeholders), passing down obligations and maintaining oversight of subcontractors throughout the chain is critical. The Subcontracting RTS is pivotal in clarifying how financial entities should allocate responsibility, monitor compliance, and ensure resilience throughout the subcontracting chain. More information is available in our previous Engage article here.

Why did the European Commission reject the draft Subcontracting RTS?

The Commission has decided to reject the draft Subcontracting RTS outright, stating that it “go[es] beyond the empowerment given to the ESAs by Article 30(5) of DORA as introducing requirements not specifically linked to the conditions for subcontracting”. At the core of the issue is Article 5, which requires financial entities to identify and maintain an up-to-date record of the entire chain of subcontractors. This blanket requirement contrasted with other sections of the draft Subcontracting RTS, which limited this obligation only to subcontractors responsible for material parts of the relevant ICT services. For those involved in remediating contracts to comply with DORA, Article 5 has given rise to concerns that even subcontractors providing minor parts of the services could be subject to this requirement. This approach was regarded by many as disproportionate and excessively burdensome, creating practical challenges for financial entities seeking to comply. It is likely that the controversy surrounding Article 5 and scope overreach will have played a part in the Commission coming to its decision to reject the Subcontracting RTS.

Next Steps

The ESAs now have a period of six weeks to resubmit the draft Subcontracting RTS in line with the Commission’s proposed amendments. The Commission has clarified that it intends to adopt the RTS submitted by the ESAs once these concerns are addressed and the necessary modifications are made. If the ESAs fail to respond within this timeframe, the European Commission has the discretion to either adopt the RTS with its own amendments or (again) reject it outright.

Should the Commission decide to adopt the RTS as drafted by the ESAs without amendments, the European Parliament and the Council have one month from the date of notification to raise objections. This objection period may be extended by an additional month at the initiative of either the Parliament or the Council. If neither the Parliament nor the Council objects within the specified timeframe, the draft RTS will be adopted and published in the Official Journal. However, the publication process can be expedited if both the Parliament and the Council explicitly confirm that they do not intend to object to the RTS. In the event that the draft RTS is rejected, it will be returned to the ESAs for further review and revision.

The rejection of the draft RTS has created significant uncertainty for financial entities and vendors; even major entities are struggling to fully implement subcontracting requirements whilst the text has not been approved. Until the RTS is finalised, the ambiguity surrounding auditing requirements and the extent of the subcontracting chain persists. This means that contracts cannot be drafted with certainty, leaving both financial entities and their service providers in limbo. This predicament raises critical questions about how the regulators will approach compliance enforcement in the interim. Industry discussions suggest that regulators may adopt a gradual or “best efforts” approach to contractual arrangements during this transition period, potentially taking a more lenient stance. However, the scope of such leniency and its implications for the industry remain unclear. With DORA now in force, the lack of a finalised Subcontracting RTS leaves a significant gap in the regulatory framework, which will likely hinder the industry’s efforts in fully implementing DORA. It is therefore hoped that the RTS will be finalised and published promptly.

Authored by Lavan Thasarathakumar and Vera Mayzel.
