Delegated Regulation on ICT Sub-Contracting under DORA
- James Ross

- Jul 3
1. Executive Summary
On July 22, 2025, a new Delegated Regulation will come into effect, supplementing the Digital Operational Resilience Act (DORA). This regulation establishes specific Regulatory Technical Standards (RTS) that govern how financial entities manage the sub-contracting of Information and Communication Technology (ICT) services that support their critical or essential functions. The primary objective is to fortify the digital operational resilience of the financial sector by ensuring entities maintain rigorous oversight and control over their entire ICT supply chain, including complex multi-layered subcontracting arrangements. This report outlines the key provisions of the regulation and analyses its significant implications for financial entities and their ICT service providers.

2. Key Provisions of the Regulation
The regulation introduces a comprehensive framework for managing risks associated with ICT subcontracting. The core requirements are as follows:
2.1. Risk Assessment and Due Diligence
Financial entities are required to conduct thorough and ongoing risk assessments of their ICT third-party service providers and any subcontractors they may have. This due diligence must cover:
Operational and Financial Stability: Assessing the subcontractor's capabilities and long-term viability.
Information Security: Verifying the adequacy of security policies, procedures, and controls.
Organisational Structure: Understanding the governance and operational structure of the subcontractor.
Geopolitical and Concentration Risks: Evaluating risks associated with the subcontractor's location and the potential for over-reliance on a single entity or region.
2.2. Contractual Requirements
Contracts between financial entities and their primary ICT providers must now include explicit and detailed conditions for any further subcontracting of critical functions. These contractual clauses must clearly define:
Responsibilities: Delineating roles for monitoring, reporting, and risk assessment throughout the subcontracting chain.
Business Continuity: Ensuring that robust business continuity and exit strategies are in place and tested at the subcontractor level.
2.3. Transparency and Control
To ensure complete visibility, financial entities must be granted comprehensive rights to oversee subcontractors. Key requirements include:
Access and Audit Rights: The right to access, inspect, and audit the premises, systems, and records of subcontractors to verify compliance.
Notification of Changes: ICT third-party providers must inform the financial entity of any planned material changes to subcontracting arrangements in advance. This allows the financial entity to assess the potential impact and exercise its right to object if the proposed changes introduce unacceptable risks.
2.4. Termination Rights
The regulation empowers financial entities with clear termination rights to mitigate unacceptable risks. A financial entity can terminate its contract with an ICT third-party service provider if:
The provider implements material changes to subcontracting arrangements without the entity's prior approval.
Unauthorised subcontracting is discovered.
2.5. Proportionality and Group Application
The principle of proportionality is central to the regulation. Financial entities must tailor the intensity of their assessments and controls based on their size, risk profile, and the nature and complexity of their activities. For financial groups, the parent undertaking holds the ultimate responsibility for ensuring these subcontracting conditions are applied consistently across all entities within the group.
3. Implications and Strategic Considerations
The implementation of this regulation will have profound effects on the operational and strategic management of ICT risk within the financial sector.
3.1. For Financial Entities
Increased Due Diligence Burden: Vendor management functions will require significant enhancement to conduct deep-dive due diligence not only on direct providers but also on their subcontractors.
Robust Contractual Agreements: Legal and procurement teams must revise existing ICT contracts and draft new ones to incorporate the stringent conditions, control mechanisms, and termination rights mandated by the RTS.
Enhanced Risk Management Frameworks: Internal risk frameworks must be updated to enable continuous monitoring of the entire ICT supply chain, incorporating assessments of geopolitical and concentration risks.
Operational and Resource Impact: Compliance will demand significant investment in resources, including skilled personnel for vendor management, legal review, risk assessment, and IT governance.
Focus on Intra-Group Subcontracting: The regulation's application to intra-group ICT providers means that internal service arrangements will be subject to the same level of scrutiny as external ones.
3.2. For ICT Third-Party Service Providers
Increased Transparency Demands: Providers will face pressure from financial clients to offer unprecedented transparency into their own supply chains and subcontracting practices.
Re-evaluation of Subcontracting Strategy: ICT providers may need to consolidate their subcontractor networks, choosing partners who can meet the high standards demanded by financial entities.
Complex Contractual Negotiations: Providers should anticipate more complicated and lengthy contract negotiations as financial entities work to embed the required controls and rights into agreements.
Potential for Disputes: The explicit right for financial entities to object to or terminate contracts based on subcontracting changes introduces a new layer of risk for providers, necessitating a more collaborative and transparent relationship with their clients.
4. Conclusion
This Delegated Regulation marks a pivotal shift in regulatory expectations, placing the ultimate responsibility for digital operational resilience squarely on financial entities. It moves beyond managing direct third-party relationships to demanding comprehensive oversight of the entire ICT supply chain. Proactive adaptation is crucial. Financial entities must begin immediately to enhance their due diligence processes, revise contractual frameworks, and invest in the necessary resources to ensure full compliance by the July 2025 deadline. Failure to do so will not only pose a significant compliance risk but also expose them to operational vulnerabilities in an increasingly interconnected digital ecosystem.