Question ID: 3474 - DORA279
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Valdkond: ICT third-party risk management (DORA)
Article: 30(2)(a)
Olek: Rejected
Date of submission: 04 Dec 2025
Question
What is the purpose of indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting in a contract on the use of ICT services that do not support a critical or important function?
Background of the question
Article 30 (2) DORA applies to all contractual arrangements on the use of ICT services regardless of whether the ICT service in question supports a critical or important function. Therefore, according to lit. a of Article 30 (2) DORA, these contracts must include an indication whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, if applicable, the conditions of such subcontracting. Consequently, contracts on the use of ICT services that do not support a critical or important function must also include such an indication.
EIOPA answer
This question has been rejected because no issue of practical implementation has been identified.