On 24 March 2025, the European Commission adopted Delegated Regulation supplementing Regulation (EU) 2022/2554 (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions.
European Commission adopts RTS on sub-contracting ICT services supporting functions under DORA
On 24 March 2025, the European Commission adopted Delegated Regulation (C(2025) 1682 final) supplementing Regulation (EU) 2022/2554 (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. It aims to enhance digital operational resilience in the financial sector by ensuring a comprehensive approach to managing subcontracting risks.
The Regulation emphasises the need for financial entities to identify and manage the risks associated with ICT subcontractors, ensuring that subcontracting does not compromise their responsibility to manage risks and comply with regulatory obligations. The Regulation outlines detailed conditions for due diligence, risk assessment, and the management of subcontracting arrangements. Specifically, the Regulation:
- Establishes the rules on proportionality and group application (Articles 1 and 2).
- Sets out the rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions (Article 3).
- Establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted (Article 4).
- Contains the rules on material changes to subcontracting arrangements of ICT service supporting critical or important functions, the provisions on the termination of the contractual arrangement, as well as the final provisions on entry into force (Articles 5 to 7).
The Delegated Regulation entered into force on 13 April 2025 (20 days after its publication in the OJEU).
Next steps
If you would like to discuss anything raised in this article, feel free to contact our Financial Regulation team.
Related insights
Don't miss out
Join our mailing list and receive the Top 3-5 UK-EU Banking and Investment Regulation updates you need to know about
SubscribeKey contacts
Related Specialisms
Want more insight?
Receive UK-EU Banking and Investment Regulation updates to your inbox
Join our mailing list