EU: New rules for financial entities subcontracting ICT services


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview Antitrust and Competition Litigation Dawn Raids Foreign Investment and National Security Law International Sanctions and Export Controls International Trade Law Merger Control Procurement and State Aid Construction and Engineering Construction and Engineering overview Construction Disputes Contracts and Procurement EPC Project Advisory Corporate and M&A Corporate and M&A overview Business Development Companies Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Small Business Investment Companies (SBICs) Venture Capital Corporate Crime Corporate Crime overview Anti-Bribery and Corruption Anti-Money Laundering International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Congressional Investigations Cybersecurity Data Privacy Disruptive Technology Electronic and Mobile Commerce Information Law Product Counseling Regulatory Defense and Litigation Technology Transactions and Sourcing Telecom Services Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Cross-Border Employment and Pensions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Global Mobility and Immigration Labor and Industrial Relations Pensions and Retirement Plans Pensions Risk Transfer and Management Environment and Natural Resources Financial Services Regulation Financial Services Regulation overview Asset Management Business Development Companies Crypto Assets Derivatives Financial Services Disputes and Investigations Funds Small Business Investment Companies (SBICs) Insurance Insurance overview Captives Insurance and Reinsurance Disputes Insurance and Retirement Products, Insurance Distribution Insurance Financing and Capital Markets Insurance M&A, Reinsurance and Restructuring Insurance Regulation and Compliance Insurance Regulatory Investigations and Enforcement Insurance Taxation Insurtech Pensions Risk Transfer and Management Intellectual Property Intellectual Property overview IP Audits and Assessments IP Litigation IP Transactional Patents Trademarks, Trade Dress and Copyrights Trade Secrets Investigations Investigations overview Antitrust and Competition Investigations Congressional Investigations Employment Investigations Internal Investigations National Security Investigations Konexo Konexo overview Legal Services Interim Resourcing Data and Cyber Consulting Legal Team Consulting Litigation and Dispute Resolution Litigation and Dispute Resolution overview Antitrust and Competition Investigations Appellate Class Actions Commercial Litigation Construction Disputes Energy Disputes Environmental, Health and Safety Financial Services Disputes and Investigations Fraud Insurance and Reinsurance Disputes International Arbitration Procurement Disputes Professional Liability Real Estate Disputes Regulatory Investigations and Enforcement Securities Enforcement and Litigation Tax Controversy and Litigation Unclaimed Property Real Estate and Planning Real Estate and Planning overview Commercial Development and Leasing Corporate Real Estate Investment Management and Fund Formation Planning and Environmental Real Estate Disputes Real Estate Finance Living Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Tax overview Acquisitions and Restructuring Business Taxation Employee Benefits and Executive Compensation Federal Tax Real Estate Tax Taxation of Financial Transactions and Institutions Tax Controversy and Litigation Transfer Pricing US State and Local Tax VAT/Indirect Taxes Industries Agribusiness, Forestry and Climate Solutions Consumer Consumer overview Food and Beverage Hospitality Luxury Retail and Wholesale Education Energy Energy overview Clean Energy Electric Cooperatives Energy and Commodities Trading Energy Regulatory Hydrogen Nuclear Oil and Gas Power State Energy Regulatory Group Financial Services Financial Services overview Corporate and Investment Banking Payments and Fintech Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Governments and Infrastructure overview Governments and Strategic Projects Infrastructure Public-private Partnerships Transportation Industrials Industrials overview Aerospace, Defense and Security Automotive Chemicals Manufacturing and Industrial Engineering Life Sciences and Healthcare Life Sciences and Healthcare overview Agriculture and Medicinal Cannabis and CBD Healthcare Industrial Biotechnology Medical Devices Pharmaceuticals and Biotechnology Research and Development Vaccines Real Estate Real Estate overview Alternative Assets Multi and Single Family Residential Office and Industrial Real Estate Investment Retail and Mixed Use Sports Sports overview College Athletics Technology & Digital Technology & Digital overview Digital Content Digital Infrastructure Technology Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity, equity and inclusion Environment Pro bono Reports Alumni News Mason Howell Sponsorship Careers US careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Summer Program LLM Extern Program New attorneys Professional Development Offices United States Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English EU: New rules for financial entities subcontracting ICT services \| Eversheds Sutherland Home Resources Insights Home Resources Insights EU: New rules for financial entities subcontracting ICT services EU: New rules for financial entities subcontracting ICT services September 10, 2024 Global Global Global Draft Subcontracting Regulatory Technical Standards (“Subcontracting RTS”) as mandated by Article 30(5) of the Digital Operational Resilience Act (“DORA”) have been published Why should I read this? The Subcontracting RTS was published by the Joint Committee of the European Supervisory Authorities (“ESAs”) on 26 July 2024. It is the last of several policy documents mandated by DORA, which are essential for implementing its requirements and also arguably the most controversial. A wide range of financial entities within scope of DORA (“financial entities”) have until 17 January 2025 to ensure that they comply with DORA and the final form policy documents, so the timeframe for understanding and implementing these new rules is incredibly tight. The Subcontracting RTS specifies further the elements referred to in Article 30(2)(a) of DORA that financial entities must determine and assess when subcontracting ICT services supporting critical or important functions (or material parts thereof). Article 30(2)(a) of DORA requires of financial entities that: “the contractual arrangements on the use of ICT services shall include at least the following elements […] a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating where subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting.” Financial entities must ensure that they comply with Article 30(2)(a) and the Subcontracting RTS in respect of both their new contracts for ICT services and their existing contracts for ICT services. Any changes required to those contracts must be implemented in a timely manner and as soon as it is possible and the financial entity must document the planned timeline for the implementation (Article 4(2) of the Subcontracting RTS). Service providers providing ICT services (‘ICT third-party service providers’) should expect their financial entity customers to request changes to their contracts for ICT services in the coming months, as the deadline for DORA compliance rapidly approaches. What should I do? Financial entities must review their contracts for ICT services, assess their compliance with the Subcontracting RTS and make amendments to the existing contracts and template documentation where required. The same requirements apply to intra-group arrangements for ICT services. The Subcontracting RTS places no direct obligations on service providers (it is the regulated financial entity’s obligation to ensure compliance). Nevertheless, we recommend that service providers who provide ICT services to financial entities familiarise themselves with the requirements of the Subcontracting RTS so that they are prepared to respond to customer change requests driven by DORA. What are the key provisions in the Subcontracting RTS? The obligations under the Subcontracting RTS for financial entities within scope of DORA fall within two categories. First, financial entities must decide before entering into an arrangement with an ICT third-party service provider whether an ICT service supporting critical or important functions (or material parts thereof) may be subcontracted, having assessed at least the elements in Article 3 of the Subcontracting RTS. These elements fall broadly under the headings of due diligence and risk assessment: Due diligence assessing the due diligence processes implemented by the ICT third-party service provider to assess the operational and financial abilities of potential ICT subcontractors; assessing the ability of the ICT third-party service provider to identify, notify and inform the financial entity of any subcontracting in the chain of subcontracting providing ICT services supporting critical or important functions or material parts thereof; that the subcontracting arrangements will allow the financial entity to comply with its own obligations; the ICT third-party service provider’s ability to monitor its subcontractors; the abilities of the financial entity to monitor and oversee the subcontracted services; Risk Assessment the impact of possible failure of a subcontractor on the financial entity’s digital operational resilience and financial soundness; risks associated with the potential location of potential subcontractors; ICT concentration risk;any obstacles to the exercise of audit, inspection and access rights. any obstacles to the exercise of audit, inspection and access rights. Secondly, if sub-contracting of ICT services supporting critical or important functions is permitted, the financial entity must identify the conditions under which such subcontracting is permitted. In particular, the written contractual agreement between the financial entity and the ICT third-party service provider must specify the elements in Articles 4, 5, 6 and 7 of the Subcontracting RTS. At a high level these include, in relation to the subcontracting of ICT services supporting critical or important functions (or material part thereof): responsibility, monitoring and reporting obligations of the ICT third-party service provider; contractual requirements on the subcontractor on business contingency plans and service levels in relation to those plans; security, rights of access, inspection and audit; identification of the chain of ICT subcontractors, on an ongoing basis; provisions enabling the financial entity’s effective monitoring of the contracted ICT services; information rights on contractual documentation between ICT third-party service providers and its subcontractors; requirements in relation to material changes to those subcontracting arrangements (as specified in Article 6); termination rights in the scenarios specified in Article 7 (e.g. if the ICT third-party service provider implements material changes to its subcontracting arrangements despite an objection to the changes from the financial entity). What else do I need to know about the Subcontracting RTS? The first draft of the Subcontracting RTS was published by the ESAs in Consultation Paper ESA/CP/2024. The deadline for responding to that consultation was 4 March 2024. In response to consultation, the ESAs made a number of changes. The key changes include: Scope - clarification that these requirements apply to subcontracting of ICT services supporting critical or important functions (or material part thereof). While financial entities must identify the overall chain of subcontractors performing those ICT services as part of their risk assessment, monitoring and other obligations relate to the chain of subcontractors providing ICT services supporting critical or important functions (and not the supply chain in its entirety). Proportionality – helpful clarity on the elements relevant to applying the proportionality principle to the Subcontracting RTS. Financial entities must take into account the size and the overall risk profile of the financial entity and the nature, scale and elements of increased or reduce complexity of its services, activities and operations, including the elements in Article 1 of the Subcontracting RTS. In reply to feedback given in consultation, the ESAs have stated that these are further criteria that can be taken into consideration by financial entities for the application of the requirements under the Subcontracting RTS in a proportional manner. This supplements the proportionality principle in Article 4 of DORA. The ESAs have stressed that proportionality does not mean waiving the requirements. Conditions for subcontracting relation to the chain of ICT subcontractors providing a service supporting critical or important functions by the financial entity – Article 5 has been largely written to make the requirements more specific and to clarify that the requirements do not apply to the full ICT subcontracting chain but rather the ICT subcontractors supporting critical or important functions. The obligation on financial entities to review contractual documentation between ICT third-party service providers and subcontractors has been softened such that the contractual arrangement must permit the financial entity to obtain information on such contractual documentation but does not mandate review of that documentation. Material changes to subcontracting arrangements of ICT service supporting critical or important functions – the new Article 6 on this topic is useful clarification. Next steps The Subcontracting RTS is still marked as draft and is awaiting adoption by the European Commission. Any further changes are likely to be minimal but interested parties will need to check the final form remains as currently published. For more information on the Subcontracting RTS Please contact Joanne Veitch, Simon Lightman, Simon Gamlin, Craig Rogers, Stephanie Shepherd, Isabella Norbu, Nils Muller, Eve England or Richard Hill. Further reading on DORA The EU’s Digital Operational Resilience Act (DORA) \| Eversheds Sutherland (eversheds-sutherland.com) The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Cybersecurity Data Privacy, Security and Technology Financial Services Regulation Industries Financial Services Technology & Digital Business Topics Technology in Financial Services Key contacts Joanne Veitch Partner United Kingdom Simon Lightman Partner United Kingdom Simon Gamlin Partner United Kingdom Craig Rogers Partner United Kingdom Isabella Norbu Senior Associate Munich, Germany Eve England Partner United Kingdom Richard Hill Partner United Kingdom Latest Insights legal updates Illinois tax increases part two: Digital asset privilege tax, prediction markets, NOL carryover limitations, and more legal updates Georgia’s corporate governance reform: Key changes under HB 1185 legal updates Illinois tax increases part one: Digital services taxes legal updates Consumer Lens - Session 1 \| The Rise of European Class Actions Latest News client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire firm news Eversheds Sutherland Advises Powerlaw Corp. on NASDAQ Listing as PWRL Latest Events virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 Introduction to Swiss employment law virtual \| September 10, 2026 UAE - Employment law in the Dubai International Financial Centre Tabs Label legal updates June 02, 2026 Illinois tax increases part two: Digital asset privilege tax, prediction ma... legal updates June 02, 2026 Georgia’s corporate governance reform: Key changes under HB 1185 legal updates June 01, 2026 Illinois tax increases part one: Digital services taxes legal updates May 29, 2026 Consumer Lens - Session 1 \| The Rise of European Class Actions Legal notices Terms & conditions Privacy notice Cookies Disclaimer LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Sitemap Offices © 2026 Eversheds Sutherland (US) LLP Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the member firms or their controlled, managed or affiliated entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For information on Konexo please also see the Legal Notices page of this website ATTORNEY ADVERTISING - Prior results do not guarantee a similar outcome. Unless otherwise indicated, attorneys at Eversheds Sutherland (US) LLP are not certified by the Texas Board of Legal Specialization.

Draft Subcontracting Regulatory Technical Standards (“Subcontracting RTS”) as mandated by Article 30(5) of the Digital Operational Resilience Act (“DORA”) have been published

Why should I read this?

The Subcontracting RTS was published by the Joint Committee of the European Supervisory Authorities (“ESAs”) on 26 July 2024. It is the last of several policy documents mandated by DORA, which are essential for implementing its requirements and also arguably the most controversial. A wide range of financial entities within scope of DORA (“financial entities”) have until 17 January 2025 to ensure that they comply with DORA and the final form policy documents, so the timeframe for understanding and implementing these new rules is incredibly tight.

The Subcontracting RTS specifies further the elements referred to in Article 30(2)(a) of DORA that financial entities must determine and assess when subcontracting ICT services supporting critical or important functions (or material parts thereof). Article 30(2)(a) of DORA requires of financial entities that:

“the contractual arrangements on the use of ICT services shall include at least the following elements […] a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating where subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting.”

Financial entities must ensure that they comply with Article 30(2)(a) and the Subcontracting RTS in respect of both their new contracts for ICT services and their existing contracts for ICT services. Any changes required to those contracts must be implemented in a timely manner and as soon as it is possible and the financial entity must document the planned timeline for the implementation (Article 4(2) of the Subcontracting RTS).

Service providers providing ICT services (‘ICT third-party service providers’) should expect their financial entity customers to request changes to their contracts for ICT services in the coming months, as the deadline for DORA compliance rapidly approaches.

What should I do?

Financial entities must review their contracts for ICT services, assess their compliance with the Subcontracting RTS and make amendments to the existing contracts and template documentation where required. The same requirements apply to intra-group arrangements for ICT services.

The Subcontracting RTS places no direct obligations on service providers (it is the regulated financial entity’s obligation to ensure compliance). Nevertheless, we recommend that service providers who provide ICT services to financial entities familiarise themselves with the requirements of the Subcontracting RTS so that they are prepared to respond to customer change requests driven by DORA.

What are the key provisions in the Subcontracting RTS?

The obligations under the Subcontracting RTS for financial entities within scope of DORA fall within two categories.

First, financial entities must decide before entering into an arrangement with an ICT third-party service provider whether an ICT service supporting critical or important functions (or material parts thereof) may be subcontracted, having assessed at least the elements in Article 3 of the Subcontracting RTS. These elements fall broadly under the headings of due diligence and risk assessment:

Due diligence

assessing the due diligence processes implemented by the ICT third-party service provider to assess the operational and financial abilities of potential ICT subcontractors;
assessing the ability of the ICT third-party service provider to identify, notify and inform the financial entity of any subcontracting in the chain of subcontracting providing ICT services supporting critical or important functions or material parts thereof;
that the subcontracting arrangements will allow the financial entity to comply with its own obligations;
the ICT third-party service provider’s ability to monitor its subcontractors;
the abilities of the financial entity to monitor and oversee the subcontracted services;

Risk Assessment

the impact of possible failure of a subcontractor on the financial entity’s digital operational resilience and financial soundness;
risks associated with the potential location of potential subcontractors;
ICT concentration risk;any obstacles to the exercise of audit, inspection and access rights.
any obstacles to the exercise of audit, inspection and access rights.

Secondly, if sub-contracting of ICT services supporting critical or important functions is permitted, the financial entity must identify the conditions under which such subcontracting is permitted. In particular, the written contractual agreement between the financial entity and the ICT third-party service provider must specify the elements in Articles 4, 5, 6 and 7 of the Subcontracting RTS. At a high level these include, in relation to the subcontracting of ICT services supporting critical or important functions (or material part thereof):

responsibility, monitoring and reporting obligations of the ICT third-party service provider;
contractual requirements on the subcontractor on business contingency plans and service levels in relation to those plans;
security, rights of access, inspection and audit;
identification of the chain of ICT subcontractors, on an ongoing basis;
provisions enabling the financial entity’s effective monitoring of the contracted ICT services;
information rights on contractual documentation between ICT third-party service providers and its subcontractors;
requirements in relation to material changes to those subcontracting arrangements (as specified in Article 6);
termination rights in the scenarios specified in Article 7 (e.g. if the ICT third-party service provider implements material changes to its subcontracting arrangements despite an objection to the changes from the financial entity).

What else do I need to know about the Subcontracting RTS?

The first draft of the Subcontracting RTS was published by the ESAs in Consultation Paper ESA/CP/2024. The deadline for responding to that consultation was 4 March 2024. In response to consultation, the ESAs made a number of changes.

The key changes include:

Scope - clarification that these requirements apply to subcontracting of ICT services supporting critical or important functions (or material part thereof). While financial entities must identify the overall chain of subcontractors performing those ICT services as part of their risk assessment, monitoring and other obligations relate to the chain of subcontractors providing ICT services supporting critical or important functions (and not the supply chain in its entirety).
Proportionality – helpful clarity on the elements relevant to applying the proportionality principle to the Subcontracting RTS. Financial entities must take into account the size and the overall risk profile of the financial entity and the nature, scale and elements of increased or reduce complexity of its services, activities and operations, including the elements in Article 1 of the Subcontracting RTS. In reply to feedback given in consultation, the ESAs have stated that these are further criteria that can be taken into consideration by financial entities for the application of the requirements under the Subcontracting RTS in a proportional manner. This supplements the proportionality principle in Article 4 of DORA. The ESAs have stressed that proportionality does not mean waiving the requirements.
Conditions for subcontracting relation to the chain of ICT subcontractors providing a service supporting critical or important functions by the financial entity – Article 5 has been largely written to make the requirements more specific and to clarify that the requirements do not apply to the full ICT subcontracting chain but rather the ICT subcontractors supporting critical or important functions. The obligation on financial entities to review contractual documentation between ICT third-party service providers and subcontractors has been softened such that the contractual arrangement must permit the financial entity to obtain information on such contractual documentation but does not mandate review of that documentation.
Material changes to subcontracting arrangements of ICT service supporting critical or important functions – the new Article 6 on this topic is useful clarification.

Next steps

The Subcontracting RTS is still marked as draft and is awaiting adoption by the European Commission. Any further changes are likely to be minimal but interested parties will need to check the final form remains as currently published.

For more information on the Subcontracting RTS

Please contact Joanne Veitch, Simon Lightman, Simon Gamlin, Craig Rogers, Stephanie Shepherd, Isabella Norbu, Nils Muller, Eve England or Richard Hill.