The Subcontracting RTS Saga: Why the Commission Rejected It and What the Revision Means

Four Days In, and the Framework Was Already Contested
On January 17, 2025, DORA became applicable law. On January 21, the European Commission formally rejected the draft Regulatory Technical Standard (RTS) on ICT subcontracting that the EBA, EIOPA, and ESMA had developed jointly. A rejection just four days after the regulation's application date was unusually fast and sent a clear signal about the limits of regulatory delegation under DORA's framework.
The rejection was not a procedural technicality. It reflected a substantive disagreement about how far the ESAs could extend DORA's requirements through technical standards. The specific point of contention was Article 5 of the draft RTS, which imposed monitoring obligations on financial entities regarding their ICT service providers' subcontracting arrangements. The Commission concluded that these requirements exceeded the mandate DORA itself grants in Art. 30(5), which asks the ESAs to specify the elements a financial entity must determine and assess when subcontracting ICT services supporting critical or important functions. In effect, the ESAs had used the RTS process to create new obligations rather than to operationalise existing ones.
This distinction matters. Under EU law, technical standards are delegated instruments — they specify how to implement requirements that the Level 1 regulation (DORA) establishes. They cannot create new requirements. The Commission's rejection drew a line that will shape the entire RTS/ITS development process under DORA.
The Timeline: From Draft to Rejection to Adoption
| Date | Event | Significance |
|---|---|---|
| June 2023 | ESAs publish first consultation draft | Industry consultation on subcontracting chain monitoring |
| September 2023 | Consultation closes; 78 responses received | Strong industry pushback on monitoring scope |
| July 2024 | ESAs submit final draft RTS to Commission | Includes controversial Article 5 on subcontracting monitoring |
| January 17, 2025 | DORA becomes applicable | All entities subject to Pillar IV obligations from this date |
| January 21, 2025 | Commission rejects draft RTS | Article 5 monitoring requirements exceed DORA mandate |
| February-March 2025 | Rapid revision cycle | ESAs revise Article 5 scope; Commission staff engage closely |
| March 7, 2025 | ESAs acknowledge Commission's amendments | Formal acceptance of narrowed scope |
| March 24, 2025 | Commission adopts revised RTS | Modified monitoring requirements within DORA mandate |
| Q3 2025 (expected) | Publication in Official Journal as Delegated Regulation | Enters into force 20 days after Official Journal publication |
The two-month revision cycle between rejection and adoption was remarkably fast by EU regulatory standards. It reflected both the urgency — financial entities needed clarity on subcontracting requirements that were already applicable — and the relatively narrow scope of the disagreement.
What the Commission Objected To
The rejected Article 5 imposed three categories of monitoring obligations that the Commission deemed beyond DORA's mandate:
Active chain monitoring. The draft required financial entities to continuously monitor the subcontracting chain of their ICT service providers: not just the first-tier provider, but sub-contractors and sub-sub-contractors throughout the chain. The Commission's position: DORA requires financial entities to identify and assess subcontracting risk before entering into an arrangement (Art. 28(4)), to weigh the benefits and risks of potential subcontracting, in particular long or complex chains and third-country sub-contractors (Art. 29(2)), and to reassess when material changes occur. It does not mandate continuous real-time monitoring of the entire subcontracting chain.
Prescriptive assessment methodology. The draft specified detailed assessment criteria and methodologies for evaluating subcontracting risk. The Commission's position: DORA establishes the obligation to assess subcontracting risks but deliberately leaves the methodology to the financial entity's discretion, consistent with the proportionality principle (Art. 4).
Enhanced notification requirements. The draft required ICT service providers to notify financial entities of any sub-outsourcing change within specified timelines, with detailed information requirements. The Commission's position: while DORA Art. 30(2)(a) requires the contract to state whether subcontracting of ICT services supporting critical or important functions is permitted and under what conditions, the specific notification timelines and content requirements in the RTS went beyond what the Level 1 text authorised.
What Changed in the Adopted Version
The revised RTS, adopted on March 24, 2025 as Commission Delegated Regulation (EU) 2025/532 (Official Journal publication still pending at the time of writing), preserved the core subcontracting governance framework while narrowing the obligations the Commission had assessed as exceeding the mandate:
| Aspect | Rejected Draft | Adopted Version | Practical Impact |
|---|---|---|---|
| Monitoring scope | Continuous monitoring of full subcontracting chain | Assessment at contracting and material change | Reduces operational burden; shifts to event-driven assessment |
| Assessment methodology | Prescriptive criteria and scoring | Principles-based assessment aligned with entity's risk framework | Greater flexibility; institutions choose methodology |
| Notification obligations | Specific timelines and content requirements for all sub-outsourcing changes | Notification requirements aligned with DORA Art. 30(2)(a) contractual provisions | Relies on contractual arrangements rather than regulatory prescription |
| Critical function focus | Applied to all ICT service arrangements | Enhanced focus on services supporting critical or important functions | Proportionate approach; lighter burden for non-critical services |
| Sub-outsourcing approval | Detailed approval workflow requirements | Alignment with the conditions on subcontracting that Art. 30(2)(a) requires the contract to state | Consistent with Level 1 text; no additional approval layers |
The adopted version is meaningfully less prescriptive than the rejected draft. For financial entities, this creates both opportunity and ambiguity: more flexibility in designing subcontracting governance, but less regulatory certainty about what "good" looks like.
What This Means for Third-Party Arrangements
The subcontracting RTS, in its adopted form, requires financial entities to address subcontracting in their ICT third-party risk management framework. The practical implications split into contractual and operational dimensions.
Contractual Implications
Art. 30(2)(a) requires the contract to indicate whether subcontracting of an ICT service supporting a critical or important function, or material parts of it, is permitted and, if so, the conditions that apply. The adopted RTS specifies what those conditions should cover, including:
- The ICT third-party service provider obtaining the financial entity's "specific approval" or "general approval" before sub-outsourcing ICT services supporting critical or important functions
- Notification requirements for material changes to sub-outsourcing arrangements
- The financial entity's right to object to sub-outsourcing or, in specified circumstances, to terminate the arrangement
The adopted RTS does not prescribe the form of these contractual provisions — it defers to the Art. 30(2)(a) framework. For institutions negotiating or renegotiating ICT service contracts, the practical task is to ensure that:
- Approval rights are explicit. The contract must specify whether the entity grants specific approval (for each sub-outsourcing arrangement individually) or general approval (a blanket consent with conditions). For services supporting critical functions, specific approval is the safer approach.
- Notification triggers are defined. The contract should specify what constitutes a "material change" in sub-outsourcing and the notification timeline. The rejected RTS proposed specific timelines; the adopted version does not. Institutions should negotiate timelines that are operationally meaningful, typically 30 to 60 days' advance notice for planned changes, so that the assessment can be completed before the change takes effect.
- Information rights are actionable. Notification that a sub-outsourcing change has occurred is necessary but insufficient. The contract should require sufficient information about the sub-contractor (identity, jurisdiction, service scope, security posture) to enable a meaningful risk assessment.
Operational Implications
The adopted RTS requires financial entities to integrate subcontracting risk assessment into their broader ICT third-party risk management. Operationally, this means:
At onboarding. When entering a new ICT service arrangement, assess the provider's sub-outsourcing landscape. Which components of the service are delivered by sub-contractors? Are those sub-contractors in jurisdictions that present data protection, security, or political risk? Is the service architecture such that a sub-contractor failure would affect service delivery?
At material change. When a provider notifies a sub-outsourcing change, assess the impact on the entity's risk profile. Does the change introduce a new geographic concentration? Does it introduce a sub-contractor with known security issues? Does it alter the data processing chain in ways that affect regulatory compliance?
At review. Periodically — at minimum annually, aligned with the ICT risk management framework review cycle (Art. 6(5)) — reassess the subcontracting landscape of critical service providers. Sub-outsourcing chains are not static; they evolve as providers optimize costs, adopt new technologies, and respond to their own vendor dependencies.
The Precedent: What the Rejection Signals for Future RTS Development
The Commission's rejection of the subcontracting RTS sets a precedent that will influence the entire DORA technical standards programme. Three implications are clear:
Mandate boundaries are enforced. The ESAs cannot use the RTS/ITS process to expand DORA's scope beyond what the Level 1 text authorizes. Technical standards that create new obligations — rather than specifying how existing obligations should be implemented — will be rejected. This constrains the ESAs' ability to progressively tighten requirements through delegated legislation.
Industry feedback matters. The 78 consultation responses — many from industry associations and large financial institutions — flagged the Article 5 monitoring requirements as disproportionate. The Commission's rejection aligned with the industry's substantive objection. This does not mean the industry can veto technical standards, but it suggests that strong, substantive industry opposition on mandate scope will receive attention.
Speed of revision is possible. The two-month turnaround from rejection to adoption demonstrates that the EU regulatory machinery can move quickly when the scope of revision is narrow and the political will exists. For future RTS disagreements, the precedent suggests resolution in weeks-to-months rather than the years that some had feared.
Practical Guidance: What to Do Now
For financial institutions managing ICT subcontracting arrangements under DORA, the following actions are immediate priorities:
1. Audit existing contracts for Art. 30(2)(a) compliance. Review all ICT service agreements supporting critical or important functions. Do they include sub-outsourcing approval rights (specific or general)? Notification provisions? Termination rights linked to sub-outsourcing changes? For contracts that predate DORA and lack these provisions, initiate amendment discussions.
2. Map current subcontracting chains for critical services. For each ICT service supporting a critical or important function, identify the primary sub-contractors. Where is the service actually hosted? Who provides the underlying infrastructure? What is the dependency chain from your provider to the end-point of service delivery? This information should feed both the Register of Information (Art. 28(3)) and the concentration risk assessment (Art. 29).
3. Establish a sub-outsourcing change management process. When a provider notifies a subcontracting change, what happens? Who receives the notification? Who assesses the risk impact? Who decides whether to exercise approval, objection, or termination rights? Define the process before the first notification arrives.
4. Align with adopted (not rejected) RTS. Institutions that began implementation based on the draft RTS should review their approaches against the adopted version. Requirements that were based on the rejected Article 5's enhanced monitoring obligations may need to be recalibrated to the adopted version's principles-based approach.
5. Leverage proportionality. The adopted RTS reinforces DORA's proportionality principle. The depth of subcontracting assessment should be proportionate to the criticality of the function supported and the materiality of the subcontracting relationship. Not every sub-outsourcing arrangement requires the same scrutiny.
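The onboarding, material-change and review steps described under Operational Implications, and the chain mapping and change-management process in steps 2 and 3 above, can be modelled as a small dependency graph over the register of information. The Python below is an added illustration written for this page; it is not from the page itself, from any regulator, or from any vendor tool. The jurisdiction set, the chain-depth threshold, the 30-day notice minimum and the sample parties (CoreSaaS, CloudCo, DeskCo, DbOpsCo, PayCo) are constructed assumptions, and the materiality triggers are the kind an institution would define in its own policy, not requirements taken from DORA or the adopted RTS.

```python
"""Subcontracting-chain map and sub-outsourcing change triage for ICT arrangements.
Added illustration, not the page's own material and not any regulator's tool. The
jurisdiction set, depth threshold and notice period are constructed policy values."""
from dataclasses import dataclass

HOME_JURISDICTIONS = {"DE", "FR", "IE", "NL", "LU", "IT", "ES"}  # constructed, incomplete
MAX_CHAIN_DEPTH = 2    # assumed policy value: tiers beyond this are a trigger
MIN_NOTICE_DAYS = 30   # assumed contractual minimum notice for planned changes


@dataclass(frozen=True)
class Node:
    """A provider or subcontractor; 'subs' is the next tier of the chain."""
    name: str
    jurisdiction: str           # ISO 3166-1 alpha-2
    scope: str                  # the part of the service this party delivers
    supports_cif: bool = False  # delivers part of a critical or important function
    subs: tuple = ()


@dataclass(frozen=True)
class Arrangement:
    ref: str        # contract reference as carried in the register of information
    provider: Node  # first-tier ICT third-party service provider
    cif: bool       # the arrangement supports a critical or important function


def walk(node, tier=1):
    """Yield (tier, node) for every subcontractor beneath 'node', depth-first."""
    for sub in node.subs:
        yield tier, sub
        yield from walk(sub, tier + 1)


def chain_profile(arr):
    """Onboarding/review view: chain depth, third-country parties, CIF-bearing subs."""
    chain = list(walk(arr.provider))
    return {
        "depth": max((t for t, _ in chain), default=0),
        "third_country": sorted(n.name for _, n in chain
                                if n.jurisdiction not in HOME_JURISDICTIONS),
        "cif_subcontractors": sorted(n.name for _, n in chain if n.supports_cif),
    }


def concentration(arrangements):
    """Parties, at any tier, on which more than one arrangement depends."""
    dependents = {}
    for arr in arrangements:
        for name in [arr.provider.name] + [n.name for _, n in walk(arr.provider)]:
            dependents.setdefault(name, set()).add(arr.ref)
    return {n: sorted(r) for n, r in dependents.items() if len(r) > 1}


def triage_change(arr, notified, notice_days):
    """Material-change step: diff the notified chain against the recorded one."""
    old = {n.name: n for _, n in walk(arr.provider)}
    new = {n.name: n for _, n in walk(notified)}
    reasons = []
    for name in sorted(new.keys() - old.keys()):          # newly added parties
        if new[name].supports_cif:
            reasons.append(f"{name} newly delivers part of a critical or important function")
        if new[name].jurisdiction not in HOME_JURISDICTIONS:
            reasons.append(f"{name} is established in {new[name].jurisdiction}")
    for name in sorted(old.keys() - new.keys()):          # parties dropped from the chain
        if old[name].supports_cif:
            reasons.append(f"CIF-supporting subcontractor {name} removed from the chain")
    depth = max((t for t, _ in walk(notified)), default=0)
    if depth > MAX_CHAIN_DEPTH:
        reasons.append(f"chain depth {depth} exceeds policy maximum {MAX_CHAIN_DEPTH}")
    if notice_days < MIN_NOTICE_DAYS:
        reasons.append(f"{notice_days} days' notice given, contract requires {MIN_NOTICE_DAYS}")
    if reasons and arr.cif:
        action = "route for approval decision (approve / object / terminate)"
    elif reasons:
        action = "record and reassess at next annual review"
    else:
        action = "update register of information only"
    return {"material": bool(reasons), "reasons": reasons, "action": action}


# Constructed sample: a core-banking SaaS and a payment gateway that both run on
# the same cloud platform; the SaaS also uses a support desk in a third country.
CLOUD = Node("CloudCo", "IE", "IaaS hosting", supports_cif=True)
DESK = Node("DeskCo", "IN", "L1 support desk")
CORE_BANKING = Arrangement("CTR-0001", Node("CoreSaaS", "DE", "core banking SaaS",
                                            supports_cif=True, subs=(CLOUD, DESK)), cif=True)
PAYMENTS = Arrangement("CTR-0002", Node("PayCo", "NL", "payment gateway",
                                        supports_cif=True, subs=(CLOUD,)), cif=True)

# Constructed notification: the cloud host moves database operations to a new
# sub-subcontractor in the US, notified with only 14 days' lead time.
NOTIFIED = Node("CoreSaaS", "DE", "core banking SaaS", supports_cif=True, subs=(
    Node("CloudCo", "IE", "IaaS hosting", supports_cif=True,
         subs=(Node("DbOpsCo", "US", "managed database operations", supports_cif=True),)),
    DESK,
))
```

Running `chain_profile(CORE_BANKING)` reports a one-tier chain with DeskCo as the only third-country party; `concentration([CORE_BANKING, PAYMENTS])` surfaces CloudCo as a shared dependency of both contracts, which is the Art. 29 concentration question; and `triage_change(CORE_BANKING, NOTIFIED, notice_days=14)` flags three triggers (a new CIF-supporting party, a third-country establishment, and short notice) and routes the change to an approval decision. The triggers live in policy constants rather than in the code paths so that an institution can tune them proportionately, which is the flexibility the adopted, principles-based RTS leaves to the entity.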
The subcontracting RTS saga is a reminder that DORA's regulatory framework is not static. The technical standards that operationalize the regulation will continue to evolve — through consultations, Commission review, and practical experience. Institutions that build flexible, principles-based governance frameworks — rather than rigid compliance checklists tied to specific draft texts — will adapt more efficiently as the regulatory landscape matures.
This analysis reflects the subcontracting RTS timeline from consultation (June 2023) through Commission adoption on March 24, 2025, with Official Journal publication pending. Interpretation of Commission objections is based on published communications and regulatory commentary.