DORA - One Year On - What organisations need to know about subcontracting

The three European Supervisory Authorities (ESAs) have published a draft regulatory technical standard (‘RTS’) to provide guidance on the subcontracting conditions under DORA (the EU’s Digital Operational Resilience Act).

With less than a year remaining until the deadline for compliance with DORA[1], all in-scope organisations – financial entities and their external ICT providers – need to carefully review DORA and the draft RTS on subcontracting and consider what actions must be taken in the coming months to ensure readiness. In this blog, I’ll share an overview of some of the key requirements in the newly released RTS on subcontracting and a brief summary of key issues to consider. These have been carefully pulled together by our DORA team at PwC.

DORA: a recap

Increasing levels of regulation are being introduced to control the risks arising from procurement of ICT services in the financial services sector. DORA is another example of this trend. DORA sets out a wide range of requirements for financial entities engaging ICT service providers, including requirements for specific contractual terms to be included in contracts with ICT service providers. One of the key issues concerns the conditions under which the ICT service provider can further subcontract services to another provider (a very common occurrence for ICT services). The RTS on subcontracting sets out how the financial entity should assess and control the risks when this occurs.

The requirements of the RTS on subcontracting apply to ICT services supporting critical or important functions. These are functions that, if disrupted, could have a material impact on the financial soundness, business continuity and/or regulatory compliance of a financial entity.

Financial entities impacted by DORA[2] will need to conduct risk assessments on all proposed subcontractors, set out clear contractual arrangements in respect of the proposed subcontracting arrangements, and continuously monitor the performance of their ICT service providers (and the subcontractors they rely on).


Risk assessments: key factors

Before subcontracting, ICT service providers will have to seek consent from the financial entity; the financial entity will need to carry out a risk assessment before it can approve the arrangement. This assessment should encompass factors including:

  • Due diligence processes used by the ICT service provider to select and assess subcontractors’ operational and financial resilience;
  • How effectively the ICT service provider involves the financial entity in its decision-making on subcontracting;
  • The ICT service provider’s abilities, expertise and financial/human/technical resources for monitoring subcontractors;
  • The impact of a subcontractor’s possible failure on the provision of ICT services, including step-in rights for the financial entity;
  • The risks associated with subcontractors’ geographical location/s, as well as any ICT concentration risks; and
  • Any obstacles to the exercise of audit, information and access rights by the regulators, the financial entity, or their auditors.

Financial entities must also periodically carry out an assessment of any potential changes to the business environment of their ICT service providers and subcontractors.


Contractual requirements for financial entities

Where subcontracting is permitted, a financial entity must include additional provisions in its contracts with ICT service providers. These include:

  • The ICT service provider’s obligation to monitor all subcontracted ICT services;
  • The ICT service provider’s obligation to assess all risks, including ICT risks, associated with the subcontractor’s location;
  • The location and ownership of data processed or stored by the subcontractor;
  • The subcontractor’s monitoring and reporting obligations;
  • The incident response and business continuity plans and service levels to be met by the subcontractors;
  • The ICT security standards and any additional security features;
  • Provisions allowing the financial entity to approve or object to any proposed change in subcontracting arrangements;
  • The granting of at least the same audit, information and access rights by the subcontractor to the financial entity and the regulators as granted by the ICT service provider[3]; and
  • Additional termination rights of the financial entity.


Continuous monitoring

The financial entity will need to closely monitor (and document) the entire ICT subcontracting chain. It will also have to review contractual documentation between the ICT service provider and its subcontractors to ensure end-to-end compliance. Difficulties may arise if ICT service providers are reluctant to share full details of their subcontracting arrangements.

This RTS, together with the main text of DORA, imposes a wide range of requirements for specific contractual terms that financial entities will need to include in their contracts for ICT services. It is therefore advisable that financial entities start reviewing contracts with ICT service providers (and any related subcontracting arrangements) as soon as possible.

A final word: this draft RTS has been published by the ESAs for public consultation. They will consider comments received by 4 March 2024. Comments can be submitted online at www.esma.europa.eu. The ESAs will finalise the draft RTS following the public consultation and they aim to submit the final text in July 2024 to the European Commission for adoption.


PwC’s multidisciplinary team has the expertise and experience to support clients in achieving DORA contractual compliance. Contact us if you would like to discuss how the DORA team at PwC can help.

Rajesh Chavda, Fiona Marschollek, Samantha Trama, Philipp Schulz, Georgina D., Rizwan Nazir, David O'Sullivan, Andrew Schembri, Jennifer Chambers, Neil Redmond, Danny Chamings, Ian Fife, Rahul Maharaj, Job van Ommen



[1] 17 January 2025

[2] DORA will impact an estimated 22,000 financial entities

[3] DORA sets out additional requirements on audit rights

Dr. ZA Solangi

Head of Department @ Royal Commission | PhD, IoT Expert

1 year

yes

Grant Waterfall

EMEA and Germany Cybersecurity and Privacy leader | Building a Secure Digital Society | OT 5G IoT | PwC

1 year

Great read on DORA and how it impacts ICT service providers. Nice work, Moira.

Ian Trinder

Director at PwC UK - Passionate about helping clients solve problems

1 year

Great summary Moira Cronin

Really insightful article on the DORA regulation. Thanks for sharing Moira!
