European Commission Finalizes Key DORA RTS and Launches Infringem

Nathaniel W. Lalone

Email

+44 0 20 7776 7629

Bio and Articles

Ciara McBrien

Email

44 (0) 20 7770 5231

Bio and Articles

Find Your Next Job !

Health Law Attorney

Senior Vice President and Chief Legal Officer

Associate Attorney

Explore More Job Openings

DORA Compliance: Navigating the Latest Developments

by: Nathaniel W. Lalone, Ciara McBrien of Katten - Advisories

Wednesday, April 9, 2025

Print Mail Download info_icon_img

/>i

On 24 March 2025, the following two developments relating to the implementation of the EU Digital Operational Resilience Act (DORA) took place:

the European Commission (Commission) adopted a Delegated Regulation supplementing DORA with regard to regulatory technical standards (RTS) on the subcontracting of information communication and technology (ICT) services that support critical or important functions (Subcontracting RTS); and
the Delegated Regulation supplementing DORA regarding the RTS to specify the criteria for determining the composition of the joint examination team was published in the Official Journal of the European Union (OJEU) (JET RTS).

In addition, on 27 March 2025, the Commission published a press release (Press Release)setting out its decision to open infringement procedures against certain EU member states for failing to fully transpose the Directive on DORA (DORA Directive) into their national law.

Subcontracting RTS

The Commission has adopted the Subcontracting RTS, which specifies the elements that a financial entity must determine and assess when it permits its ICT third-party providers (TPPs) to subcontract ICT services supporting critical or important functions (or material parts of such functions).

The Commission initially rejected a version of the draft Subcontracting RTS due to concerns that requirements introduced went beyond the mandate given to the European Supervisory Authorities (ESAs). Further information regarding such rejection of the draft Subcontracting RTS can be found in our previous article (available here).

The most significant change since the previous draft of the Subcontracting RTS is the deletion of Recital 5 and Article 5, which would have included mandatory contract content requirements relating to ongoing monitoring of the chain of ICT subcontractors providing ICT services supporting critical or important functions.

Nevertheless, in-scope financial entities will still have to monitor their subcontracting supply chains:

financial entities must still maintain an adequate register of information, which may in turn trigger indirect supply chain monitoring obligations (including contractual obligations) on TPPs; and
the Subcontracting RTS still include certain flow down requirements in relation to TPPs subcontracts, which were not rejected by the Commission.

In summary, the Subcontracting RTS:

establish the rules on proportionality and group application;
set out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions;
establish the description and the conditions under which ICT services supporting a critical or important function may be subcontracted; and
contain the rules on material changes to subcontracting arrangements of ICT service supporting critical or important functions and the provisions on the termination of contractual arrangements.

The Subcontracting RTS will enter into force on the twentieth day after its publication in the OJEU.

JET RTS

The JET RTS were published in the OJEU on 24 March 2025. This follows the Commission’s adoption of the JET RTS in December 2024.

The JET RTS have been developed under a mandate contained in Article 41(2) of DORA. The aim of the JET RTS is to ensure a balanced participation of staff members from the ESAs and from the relevant competent authorities, and to establish arrangements for their designation, tasks and working arrangements of team members.

The JET RTS will come into force on 13 April 2025 (i.e., 20 days after publication in the OJEU).

Non-transposition of DORA Directive

Member states were required to transpose the DORA Directive into national law by 17 January 2025.

The Commission has sent a letter of formal notice to 13 member states (i.e., Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the DORA Directive. These member states now have two months to respond and to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.

In the Press Release, the Commission explains how full implementation of DORA is key to strengthen the digital operational resilience of financial entities across the EU.

The Subcontracting RTS, the JET RTS and the DORA Directive are available here, here and here, respectively.