On 2 July 2025, the European Commission formally adopted the Regulatory Technical Standards (RTS) to specify the aspects that a financial entity must determine and assess when subcontracting ICT services supporting critical or important functions (so-called RTS SUB). This was enacted as Delegated Regulation (EU) 2025/532. The RTS SUB sets out the requirements that financial institutions must comply with when outsourcing or sub-outsourcing ICT services. These requirements apply whenever ICT services support critical or important functions within a financial institution. The standards are particularly relevant to risk assessment and the management of ICT sub-service providers.
In February 2025, the Commission initially rejected the adoption of the original draft RTS SUB. The draft, submitted by the European Supervisory Authorities (ESAs) in July 2024, contained provisions on the “conditions for sub-outsourcing within the ICT supply chain” which, in the Commission’s view, went beyond the mandate set out in Article 30(5), subparagraph 4 of DORA. The Commission argued that these provisions were not sufficiently linked to the conditions governing subcontracting and therefore exceeded the scope of the mandate. As a result, the ESAs were asked to delete Article 5 and Recital 5 from the original draft. The ESAs complied and submitted a revised draft of the RTS SUB on 24 March 2025, which has now been adopted and published by the Commission.
The new RTS SUB will enter into force on 22 July 2025.

The Annerton DORA Monitor supports you on your journey to digital resilience: We summarise developments and practical tips for you in a concise format.
Practical significance of the new RTS SUB for financial institutions
The RTS SUB further specifies and expands upon the requirements established by DORA regarding the use of ICT services by financial entities. Its main focus is on the considerations financial institutions must take into account when subcontracting ICT services that support critical or important functions. In essence, the implications for financial institutions can be summarised as follows:
- Clear sub-outsourcing processes
The RTS SUB sets out detailed criteria on how financial institutions must structure and control sub-outsourcing arrangements. In particular, clear processes must be established to ensure that sub-service providers meet the same standards for security, data protection, and compliance as the original service provider.
- Due diligence and risk assessment
According to the RTS SUB, financial institutions may only outsource ICT services to a third-party provider if that provider is capable of managing controlled and transparent sub-outsourcing for the support of critical or important functions, and meets all regulatory requirements. The RTS SUB imposes stricter requirements on how financial institutions must identify, assess, and manage risks related to sub-outsourcing. These include a range of risks (e.g. system failures) listed in Article 3(1)(a) to (j) of the RTS SUB. The risk assessment must include:
- the primary service provider’s ability to identify the full chain of sub-service providers, notify and inform the financial institution, and provide all necessary information regarding the sub-providers used;
- the evaluation of the operational, financial, and security performance of potential subcontractors;
- ensuring that the financial institution and supervisory authorities retain full access, audit, and information rights along the subcontracting chain;
- sufficient skills, expertise, and appropriate financial, human, and technical resources at the primary service provider to monitor ICT risks at the subcontractor level;
- the assessment of location-specific risks, ICT concentration risks, and the impact of a subcontractor’s failure—especially where critical or important functions are involved—on the digital operational resilience and financial soundness of the financial institution.
As a result, financial institutions must enhance their risk management practices concerning ICT services supporting critical functions. Regular reviews and updates of risk analyses, particularly when there are changes to supported business functions, ICT threats, concentration risks, or geopolitical developments, must also be implemented.
- Contractual requirements with the primary service provider
The RTS SUB provides extensive guidance on the contractual obligations between the financial institution and the ICT third-party provider supporting critical or important functions or substantial parts thereof. Among other things, it clarifies that:
- The primary service provider remains responsible even in cases of sub-outsourcing;
- The primary provider must monitor sub-service providers and ensure compliance with the contractual obligations towards the financial institution, including specific reporting duties;
- The primary provider must assess the risks related to sub-service providers and the locations of data processing or storage;
- The primary provider must ensure the continuity of ICT services supporting critical or important functions across the entire subcontracting chain, even if a sub-provider fails to fulfil its contractual obligations;
- The financial institution must contractually secure various intervention rights (especially regarding compliance with ICT security standards, business continuity plans, and access/audit rights).
In addition, Article 6 of the RTS SUB lays down specific termination rights that must be contractually agreed between the financial institution and the primary provider in the context of sub-outsourcing arrangements involving critical or important functions.
- Handling of material changes
The RTS SUB also requires financial institutions to include provisions in their contracts with the primary provider stipulating that the ICT third-party provider must notify the institution in advance of any intended material changes to existing subcontracting agreements involving ICT services for critical or important functions. This is to enable the financial institution to assess the impact on its risk exposure and the provider’s performance. The contract must provide for an appropriate notice and review period. Without explicit approval or non-objection, the provider may not implement the changes. If the financial institution determines that the proposed changes exceed its risk tolerance, it is obliged to notify the provider within the review period, reject the change, and, if necessary, request modifications.