The European Commission has rejected significant provisions for subcontracting ICT services, arguing that certain requirements exceed the mandate provided under the Digital Operational Resilience Act (DORA).
The draft regulatory technical standards (RTS), submitted by the European supervisory authorities (ESAs) in July 2024, were designed to establish rules for financial entities when outsourcing ICT services that support critical or important functions.
The proposals outlined risk assessment obligations during the pre-contractual phase, including due diligence procedures, and set conditions for managing ongoing contractual arrangements with ICT service providers.
However, the commission has objected to a specific provision, Article 5 of the draft RTS, which sets out requirements for monitoring subcontracting chains.
According to the commission, these requirements go beyond the legal scope of DORA’s Article 30(5) and introduce obligations that were not explicitly mandated.
As a result, the commission has requested the removal of Article 5 and its related recital before the RTS can proceed.
“Financial institutions that have been closely following DORA’s regulatory developments might be caught off guard by the Commission’s decision,” said Povilas Randis, a partner at Adamano Consulting.
“After months of preparing for compliance, the sudden rejection of the RTS, specifically the provisions on monitoring subcontractors, raises questions about the stability of regulatory expectations.”
This point was echoed by Kamil Prokopowicz, financial regulation lawyer at OIRP: “To avoid supervisory sanctions, many institutions preparing for DORA implementation have based their implementation processes on the RTS/ITS version published by the ESAs [European Supervisory Authorities], rather than waiting for the European Commission's long silence to end.”
Randis added that firms that took a proactive approach by integrating Article 5’s requirements into their contracts are now left in an awkward position.
“These financial institutions, trying to do the right thing and ensure compliance, may need to backtrack on agreements or renegotiate with tech providers, adding unnecessary complexity and costs.”
Ready by March?
Under the EU’s legislative process, the ESAs now have six weeks to amend the draft in line with the commission’s recommendations.
If the ESAs fail to make the necessary changes, the commission may either adopt the RTS with its own modifications or reject it entirely.
“I would genuinely say that this should be resolved in the coming six weeks max; however, it does have an immediate effect, particularly for timelines and planning,” said Ian Gauci, managing partner at GTG law firm.
The Malta-based lawyer explained that those firms that are in the process of doing the necessary assessments, making internal template modifications and planning to renegotiate existing agreements will need to be vigilant and plan carefully.
“On the other hand, those licensed entities and ICT providers who were following the draft RTS and pegging contractual templates, as well as negotiating existing and prospective agreements on the draft RTS, might need to also amend or re-negotiate based on the approved ones when in place,” he added.
Gauci suggested that the commission’s interpretation also reshapes the scope of the existing Article 5 and Recital 5, and homes in on the provisions focused on monitoring ICT supply chains, which went beyond the scope of the ESAs’ mandate under Article 30(5).
“There will be significant uncertainty regarding the elements of Article 5 of the RTS that are not explicitly stated elsewhere, particularly those concerning the provision of subcontractors’ performance indicators and contractual documentation to financial institutions,” warned Prokopowicz.
The Warsaw-based lawyer warned that if these requirements are removed, negotiating such terms may become much more difficult.
“More knowledgeable providers closely follow DORA and its second-tier regulations and are cautious about committing to obligations not explicitly required by law, especially regarding contractual documentation, where trade secrets are often cited as a reason for withholding information.”
He did say, however, that contracts that already incorporate Article 5 will not require special amendments if it is removed, as they will simply contain provisions that go beyond what the RTS formally requires.
“However, pressure for renegotiation may come from providers. The situation will be different if additional provisions are added to the RTS, catching financial institutions off guard. Hopefully, this will not be the case.”
Uncomfortable grey zone
According to Randis, this decision leaves financial institutions in an uncomfortable grey zone.
“Should they wait and see how the ESAs revise the RTS, or continue updating contracts based on a framework that might change again? It may also send the wrong signal, that staying ahead of compliance can be a wasted effort.”
“One could raise a question as to how the regulators expect businesses to be 100 percent compliant on time, yet they themselves struggle to provide clear, stable guidance,” he said.
Randis warned that this back-and-forth, especially as DORA is technically already in force, creates unnecessary uncertainty and financial burdens, particularly for tech vendors stuck adapting to shifting requirements, a view Gauci shared.
“If the impasse is not resolved in the forthcoming weeks, there will be extended uncertainty even on timelines and I would dare say that delays risk cascading compliance bottlenecks,” Gauci cautioned.