Position paper - Regulatory Technical Standards on Subcontracting under the Digital Operational Resilience Act

The final report on the Regulatory Technical Standard (RTS) on Subcontracting introduces helpful guidance and addresses several key points raised by industry during the consultation period. However, certain provisions remain concerning. The scope of application continues to be overly broad, imposing all the requirements in the RTS on all information and communication technology (ICT) subcontractors that provide ICT services supporting critical or important functions, which risks unnecessary complexity. A more focused application of the requirements to subcontractors that effectively underpin the primary ICT service would allow for a more proportionate and risk-based approach to third-party risk management. Furthermore, the timeline for implementation is insufficient given the scale of changes required. The RTS introduces substantial new obligations that will necessitate updates to existing contractual and operational frameworks. To ensure smooth and effective compliance, a minimum implementation period of two years from the finalisation of the RTS is essential.