The European Supervisory Authorities have published a final report on draft regulatory technical standards to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act. The draft RTS set out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting. In particular, the draft RTS require financial entities to assess the risks associated with subcontracting during the precontractual phase, which includes the due diligence process.

The draft RTS also set out requirements regarding the implementation, monitoring, and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof ensuring that financial entities are able to monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions. The ESAs will now submit the draft RTS to the European Commission for adoption.

[View source.]