New rules for cooperation with ICT providers – what changes with the European Commission’s decision?
DORA and ICT subcontracting – what do financial institutions need to know?
Among its many requirements, DORA mandates that financial institutions manage risks arising from information and communication technology (ICT) and their third-party ICT service providers. For example, according to Article 30(2)(a) DORA, each contract with an external ICT provider must clearly indicate whether – and under what conditions – that provider is allowed to subcontract critical services.
In simple terms, a bank or company outsourcing a critical IT function must know if its vendor can hire subcontractors (sub-providers) and must set rules for that arrangement.
RTS proposal and the ESAs’ approach
To flesh out DORA’s provisions, the European Supervisory Authorities (EBA, ESMA, and EIOPA – collectively known as the ESAs) were tasked with drafting detailed Regulatory Technical Standards (RTS) on specific topics.
One such RTS focuses on the use of subcontractors in critical ICT services. On 17 July 2024, the ESAs jointly submitted a draft RTS on ICT subcontracting to the European Commission. This draft aimed to specify the elements a financial entity should determine and assess when an ICT third-party service provider subcontracts parts of a critical function.
The draft proposed, among other things, that financial institutions should:
- assess the risks associated with subcontracted services already at the pre-contractual stage (as part of due diligence on the provider), and
- monitor the situation of subcontractors on an ongoing basis during the contract term.
The regulation aimed to ensure that a bank or other financial entity retains control over the security of the entire ICT service supply chain, even if its main IT contractor uses further subcontractors.
European Commission’s reaction
After reviewing the draft, the European Commission raised concerns that the ESAs’ proposal overstepped what was envisaged by DORA. On 21 January 2025 – just a few days after DORA became fully applicable – the Commission sent a letter rejecting the draft RTS on Subcontracting.
The main reason? One of the ESAs’ key proposals went beyond the scope of the legislators’ mandate. In particular, the Commission found that the provisions in Article 5 go beyond the empowerment given to the ESAs by Article 30(5) of DORA and introduce requirements not explicitly linked to subcontracting conditions.
In the Commission’s view, the empowerment in DORA, which is limited to setting conditions for subcontracting, did not cover an obligation to monitor the entire chain of ICT subcontractors.
Therefore, the Commission concluded that Article 5 and its related recital must be removed from the RTS to ensure compliance with the mandate. In short, the Commission objected to the extra layer of oversight proposed by the ESAs, arguing it exceeded what DORA authorised.
The ESAs’ position
Under the EU’s procedural rules, the ESAs had a six-week window to respond to the Commission’s objections and adjust the draft.
On 7 March 2025, the ESAs published a joint opinion in which they:
- confirmed the Commission’s assessment,
- and accepted the proposed amendments.
In this opinion, the ESAs agreed with the Commission’s assessment and did not oppose removing the contentious provisions. They acknowledged that the Commission’s amendments would ensure the RTS remains within the boundaries of the original DORA mandate, and stated that they do not recommend any changes to the amendments proposed by the Commission.
In other words, the regulators accepted deleting Article 5 from the final standard. The ESAs also noted that financial entities are expected to abide by other DORA provisions and related rules regarding subcontractors.
For instance, DORA’s Article 29(2) and an upcoming Implementing Technical Standard on the register of ICT third-party arrangements will still require companies to gather information about significant subcontractors and manage related risks. The ESAs concluded by urging the Commission to finalise and adopt the amended RTS without undue delay so that the sector can have clarity on the rules in the future.
What does this mean for the financial sector?
The immediate consequence of this development is that the forthcoming binding standard on ICT subcontracting will be narrower than initially proposed. Financial institutions will not have a specific regulatory obligation to monitor every ICT outsourcing supply chain link continuously.
Many in the industry are likely relieved at this outcome, as during consultations, some stakeholders warned that such a requirement would be extremely onerous to implement.
However, this does not mean that subcontractors can be ignored. Companies must still conduct thorough due diligence on key ICT providers and ensure that any permitted subcontracting is subject to appropriate conditions and risk controls, per DORA’s core requirements.
What has changed is that the extra prescriptive layer (mandating active ongoing monitoring of all sub-providers) will not be explicitly imposed by the RTS.
What’s next? Implementation under the revised RTS
With the ESAs’ consent to the revisions, the European Commission is expected to swiftly adopt the RTS in its modified form as a Delegated Regulation.
As a result, financial institutions that have postponed implementation can now follow the final version of the standard.
The new rules:
- focus on assessing subcontracting risks before entering into agreements,
- focus on including appropriate contractual terms, and
- impose no formal obligation to monitor every subcontractor in the supply chain during the contract term.
Are you ready for the new DORA rules?
In summary, the Commission’s intervention has kept the new rules consistent with DORA’s vision, preventing regulatory overreach. The financial sector will not be subject to a formal obligation to monitor every subcontractor in the supply chain during the contract term, which upholds DORA’s resilience objectives while avoiding undue complexity in compliance.
This outcome underscores the balance between ensuring robust operational resilience and recognising practical limits in overseeing complex ICT supply chains.
Do you have questions about DORA, ICT subcontracting, or implementing the RTS requirements? Contact our team! We’ll advise you on aligning your contracts and internal procedures with the current regulatory framework.