EU Supervisory Authorities Give Nod to Commission’s Revisions on Subcontracting Standards Under DORA

Key Takeaways

  • Commission’s Rejection of the RTS: In January 2025 the European Commission rejected the ESAs’ original draft RTS on subcontracting under DORA, taking the view that the conditions in Article 5 on monitoring subcontractors went beyond the mandate DORA gives the ESAs.
  • Endorsement of Amendments: In their Opinion, the ESAs (EBA, EIOPA and ESMA) endorse the Commission’s proposed amendments, confirm that the amended draft aligns with DORA’s legal framework, and recommend no further changes.
  • Focus on Subcontracting Risk: The revised RTS sets out the conditions financial entities must assess before subcontracting ICT services that support critical or important functions.
  • Ongoing Oversight of Subcontractors: The RTS still expects financial entities to carry out due diligence before services go live and to monitor subcontracting arrangements for the life of the contract.
Deep Dive

The European Supervisory Authorities (ESAs), that is the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), have weighed in on the European Commission’s changes to the rules on subcontracting under the Digital Operational Resilience Act (DORA). In short, they are on board.

DORA, which aims to strengthen the digital operational resilience of the financial sector, contains an important stipulation: when financial entities rely on third-party providers for ICT services that support their critical or important functions, specific rules apply. Subcontracting those services, in particular, is subject to conditions that the ESAs set out in a draft Regulatory Technical Standard (RTS).

As often happens in regulation, things did not go smoothly. In January 2025 the European Commission rejected the original draft RTS. Its reasoning was that some of the proposed conditions, especially those on monitoring subcontractors, went beyond the mandate DORA confers on the ESAs. In the Commission’s view, the provisions in Article 5 of the draft RTS reached too far and needed to be cut back.

Cue the ESAs’ latest Opinion, released today. The Authorities reviewed the Commission’s changes and concluded that they are appropriate. They confirm that the amended draft RTS now aligns with DORA’s legal framework, putting the subcontracting rules back on track. The ESAs also state that they do not recommend any further amendments and instead call for the process to be concluded swiftly, ideally with the Commission’s final adoption.

So why does subcontracting matter? When a financial institution relies on a third party for ICT services that support its critical or important functions, a great deal is at stake: data protection, operational continuity and security are essential to keeping financial systems running. The RTS sets out the conditions financial entities must assess when deciding whether to allow such services to be subcontracted. This goes beyond vendor selection; it is about understanding where the risk sits along the supply chain and making sure the contractual arrangement addresses it.

Nor is it only about the contract phase. The RTS expects financial entities to assess subcontracting risk during due diligence, before any service goes live, and then to monitor the subcontracting arrangements throughout the relationship to check that the required standards continue to be met. Once finalised, the RTS will guide financial institutions in managing these relationships so that critical operations remain secure and resilient.

The ESAs’ Opinion illustrates a basic truth of regulatory work: standards evolve. What began as a disagreement over the scope of subcontractor oversight has ended with a version that, in the ESAs’ assessment, reflects the legal intent of DORA. With the ESAs’ endorsement, the RTS is a step closer to final adoption.

It is now a matter of time before the revised rules are formally adopted. Once they are, financial institutions will have greater clarity on how to manage their subcontracting relationships, strengthening the resilience of the sector as a whole.
