As the financial sector continuously evolves through digital innovation, so do the regulations that govern it. One such regulation is the Digital Operational Resilience Act (DORA), now supplemented by the newly adopted Regulatory Technical Standards on subcontracting (the Subcontracting RTS), which specify the conditions financial entities must satisfy when their ICT service providers subcontract and, more importantly, what to include in their contracts with third-party providers that support critical or important functions.
Balancing detailed data protection due diligence with operational resilience obligations is now critical, which makes the Data Protection Officer (DPO) a central member of the privacy team in ensuring that compliance is maintained.
Proportionality and group application
Articles 1 and 2 of the Subcontracting RTS establish a proportionality principle under which compliance requirements are tailored to a financial entity's size, complexity and risk profile. Whilst smaller institutions may face less burdensome compliance demands, every organisation in scope is still obliged to meet the operational resilience standards. For multinational or group-structured entities, this means ensuring that centralised ICT arrangements satisfy the requirements for each subsidiary whilst respecting local regulatory requirements.
A DPO is instrumental in mapping data flows and identifying where subcontracted services involve the processing of personal data, balancing group-level standardisation with entity-specific data protection requirements. Particularly as financial institutions scale, a DPO should ensure data governance remains robust and adaptable to the entity’s specific circumstances.
Due diligence and risk assessment for subcontractors
DPOs are no strangers to conducting due diligence and risk evaluation, particularly within regulated sectors such as finance. Article 3 introduces stringent obligations for financial entities to conduct comprehensive due diligence before onboarding Information and Communications Technology (ICT) subcontractors. This includes a detailed appraisal of the subcontractor’s financial stability, historical and ongoing regulatory compliance and current technical capabilities. This Article also mandates risk assessments that identify potential vulnerabilities in the subcontracting chain and establish appropriate mitigation strategies.
When subcontractors process or access personal data, the DPO plays a vital role in carrying out the relevant assessments, such as Data Protection Impact Assessments (DPIAs), whilst also reviewing third-party security practices and existing Data Processing Agreements (DPAs). By consistently monitoring and reviewing existing and pending third-party vendor contracts and practices, a DPO can support an organisation’s privacy posture along its supply chain.
Material changes to subcontracting arrangements and termination
The most significant change from the previously rejected draft of the Subcontracting RTS is the removal of Recital 5 and Article 5, which would have required financial entities to monitor the entire subcontracting chain rather than only their direct ICT service providers. The adopted text instead concentrates on how financial entities monitor and respond to material changes to subcontracting arrangements: mandatory notification procedures, reassessment obligations when a subcontractor or its role changes significantly, and clearly defined exit strategies to maintain operational continuity during transitions. The remaining provisions still require financial entities to exercise effective oversight of their direct ICT service providers, including the conditions those providers must impose on their own subcontractors.
Articles 6 and 7 further set out termination rights and the requirements for a smooth handover, complementing the GDPR's requirements for the return or deletion of personal data at the end of processing with more detailed operational continuity measures. Here, a DPO is well positioned to work closely with procurement and the wider privacy team to design robust change management frameworks that safeguard data subjects' rights and ensure compliance throughout these operational transitions.
As DORA continues to evolve, HewardMills’ experienced team is here to provide critical support in managing the complexities of multiple regulations that may apply to your business, strengthening your organisation’s overall security posture.