
Subcontracting under DORA: What Financial Entities Must Know (2025 Update)
Subcontracting is one of the most important – and most complex – topics under the EU’s Digital Operational Resilience Act (DORA). When an ICT third-party provider relies on another provider to deliver part of a digital service, the financial entity remains fully responsible for risk management, oversight, and compliance. To close regulatory gaps in multi-layer outsourcing chains, Commission Delegated Regulation (EU) 2025/532 introduces detailed requirements on how subcontracting must be assessed, monitored, and contractually controlled.
This article explains what subcontracting means under DORA, why it matters, and which elements financial entities must evaluate before ICT services supporting critical or important functions (CIFs) can be subcontracted.
What “Subcontracting” Means Under DORA
Under Articles 28–30 of DORA, subcontracting occurs when an ICT third-party service provider (e.g., cloud provider, SaaS platform, data centre operator) engages another provider to deliver ICT services supporting a financial entity’s critical or important functions.
Key features of subcontracting under DORA:
- It includes direct and indirect subcontractors (multi-tier chains).
- It applies to external and intra-group subcontractors.
- The financial entity remains fully responsible for compliance, resilience, and oversight.
- Subcontracting is only allowed if explicitly permitted by the contract with the financial entity.
- Every subcontractor performing CIF-relevant tasks must grant the same access, audit and information rights as the original ICT provider.
DORA’s objective is to ensure visibility and control in increasingly complex ICT supply chains, where hidden dependencies can create significant operational and concentration risks.
How Delegated Regulation (EU) 2025/532 Defines and Governs Subcontracting
The Delegated Regulation (EU) 2025/532 supplements DORA by defining:
- what financial entities must determine and assess,
- which contractual elements must be included,
- when subcontracting is permitted or prohibited,
- and what rights financial entities must have to manage subcontractor risk.
It acts as a technical blueprint to ensure that ICT services supporting critical or important functions remain stable, secure, and auditable even when provided through subcontracting chains.
Which Elements Must a Financial Entity Assess When ICT Services Supporting CIFs Are Subcontracted?
Before allowing any subcontracting of ICT services that underpin critical or important functions, a financial entity must assess a broad set of risk, complexity and resilience criteria. These requirements are defined primarily in Articles 1–3 of Delegated Regulation (EU) 2025/532.
Below is a structured overview.
1. Overall Risk Profile and Complexity (Art. 1)
Financial entities must evaluate the nature, scale and complexity of subcontracting arrangements, including:
1.1 Type of ICT services involved
- Which services support critical or important functions?
- Which services are further subcontracted by the ICT provider?
1.2 Subcontractor locations
- Country of establishment, parent company, and where data are processed or stored.
- In-EU vs third-country risk implications.
1.3 Length and complexity of subcontractor chains
- Single tier or multiple layers?
- Potential loss of transparency or control?
1.4 Data sensitivity
- Sensitivity, confidentiality, and data protection implications of the data shared with subcontractors.
1.5 Group considerations
- Are subcontractors intra-group?
- Do group structures add resilience or concentration risks?
1.6 Supervisory status
- Are subcontractors authorised or supervised in the EU?
- Are foreign providers subject to equivalent oversight?
1.7 Concentration risk
- Dependency on a single subcontractor or a small group.
- Impact on portability and exit strategies.
1.8 Impact on service continuity
- Potential disruption effects on the financial entity’s critical operations.
2. Due Diligence and Risk Assessment of ICT Providers and Subcontractors (Art. 3)
Before entering into a contract, the financial entity must ensure that:
2.1 The ICT provider can effectively evaluate and oversee subcontractors
Including financial, technical, security, and operational capabilities.
2.2 Complete transparency of subcontractors
The ICT provider must be able to identify and notify all subcontractors involved in CIF delivery.
2.3 Flow-down contractual obligations
Subcontractors must grant the financial entity the same rights regarding access, audit, inspection, information, and continuity planning.
2.4 Risk monitoring capabilities
The ICT provider must have sufficient resources and governance to monitor ICT risks at subcontractor level.
2.5 The financial entity itself has sufficient oversight capabilities
Including ICT security, risk management, incident response, and business continuity.
2.6 Location, geopolitical and concentration risks are assessed
Including where services are provided and where data are processed.
2.7 No obstacles to audit, access or supervision exist
Financial entities and competent authorities must be able to exercise all rights without limitations.
2.8 Periodic reassessment
Risk assessment must be repeated regularly to account for changes in functions, risks, threats, or subcontracting structures.
3. Contractual Conditions Governing Subcontracting (Art. 4–6)
The financial entity must ensure that the ICT provider contract includes:
- clear specification of which CIF-related services may be subcontracted,
- obligations for continuous monitoring,
- mandatory notification of material changes,
- approval or objection rights,
- full audit, access, and information rights,
- subcontractor security and continuity obligations,
- and explicit termination rights if subcontracting breaches occur.
These elements ensure end-to-end visibility and enforceability, even when multiple subcontractors are involved.
Why Subcontracting Is a High-Impact Topic
Because modern IT and cloud architectures rely on layered service chains, subcontracting increases:
- operational risk,
- cyber risk,
- third-country exposure,
- audit and access complexity,
- and concentration risk.
DORA and Delegated Regulation 2025/532 aim to ensure that financial entities remain operationally resilient even if an ICT service provider relies on other providers behind the scenes.
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32025R0532