Two Significant Developments in the Implementation of EU Digital Operational Resilience Act (DORA)

Summary:

On 24 March 2025, the European Commission adopted delegated regulations as part of the implementation of the Digital Operational Resilience Act (DORA). These regulations set technical standards on the subcontracting of critical ICT services and on the criteria for the composition of joint examination teams. Separately, the Commission opened infringement procedures against certain member states for failing to transpose DORA. The main issue concerns compliance and the management of risks arising from the subcontracting of services that support critical functions.

Original Article:

On 24 March 2025, the following two developments relating to the implementation of the EU Digital Operational Resilience Act (DORA) took place:

– the European Commission (Commission) adopted a Delegated Regulation supplementing DORA with regard to regulatory technical standards (RTS) on the subcontracting of information and communication technology (ICT) services that support critical or important functions (Subcontracting RTS); and
– the Delegated Regulation supplementing DORA regarding the RTS to specify the criteria for determining the composition of the joint examination team was published in the Official Journal of the European Union (OJEU) (JET RTS).

In addition, on 27 March 2025, the Commission published a press release (Press Release) setting out its decision to open infringement procedures against certain EU member states for failing to fully transpose the Directive on DORA (DORA Directive) into their national law.

The Commission has adopted the Subcontracting RTS, which specifies the elements that a financial entity must determine and assess when it permits its ICT third-party providers (TPPs) to subcontract ICT services supporting critical or important functions (or material parts of such functions).

The Commission initially rejected a version of the draft Subcontracting RTS due to concerns that requirements introduced went beyond the mandate given to the European Supervisory Authorities (ESAs). The most significant change since the previous draft of the Subcontracting RTS is the deletion of Recital 5 and Article 5, which would have included mandatory contract content requirements relating to ongoing monitoring of the chain of ICT subcontractors providing ICT services supporting critical or important functions.

Nevertheless, in-scope financial entities will still have to monitor their subcontracting supply chains:
– financial entities must still maintain an adequate register of information, which may in turn trigger indirect supply chain monitoring obligations (including contractual obligations) on TPPs; and
– the Subcontracting RTS still include certain flow-down requirements in relation to TPPs' subcontracts, which were not rejected by the Commission.

In summary, the Subcontracting RTS:
– establish the rules on proportionality and group application;
– set out rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions;
– establish the description and the conditions under which ICT services supporting a critical or important function may be subcontracted; and
– contain the rules on material changes to subcontracting arrangements for ICT services supporting critical or important functions and the provisions on the termination of contractual arrangements.

The Subcontracting RTS will enter into force on the twentieth day after their publication in the OJEU.

The JET RTS were published in the OJEU on 24 March 2025. This follows the Commission’s adoption of the JET RTS in December 2024.

The JET RTS have been developed under a mandate contained in Article 41(2) of DORA. The aim of the JET RTS is to ensure a balanced participation of staff members from the ESAs and from the relevant competent authorities, and to establish arrangements for the designation, tasks and working arrangements of team members.

The JET RTS will come into force on 13 April 2025 (i.e., 20 days after publication in the OJEU).

Member states were required to transpose the DORA Directive into national law by 17 January 2025.

The Commission has sent a letter of formal notice to 13 member states (i.e., Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania and Slovenia) for failing to fully transpose the DORA Directive. These member states now have two months to respond and to complete their transposition and notify their measures to the Commission. In the absence of a satisfactory response, the Commission may decide to issue a reasoned opinion.

In the Press Release, the Commission explains how full implementation of DORA is key to strengthening the digital operational resilience of financial entities across the EU.
