Commission Delegated Regulation (EU) 2025/532 – New Responsibilities

The new EU Delegated Regulation (EU) 2025/532 introduces detailed requirements for outsourcing ICT services supporting critical or important functions. It complements the DORA regulation and imposes strict oversight duties on financial institutions. Managers in banks and insurers must monitor not only main IT providers but also their subcontractors. ICT providers working with the financial sector must prepare for new contractual duties, audits, and transparency rules.

Outsourcing ICT is like a system of gears – failure of one part can stop everything. Managers must fully understand how this mechanism works in their organization.

DORA and New ICT Subcontractor Standards

On January 17, 2025, the DORA regulation took effect. It aims to strengthen the digital resilience of the financial sector. DORA requires institutions to manage ICT risk, report incidents, and oversee IT vendors. The EU now introduces executive acts to clarify DORA obligations. The Delegated Regulation (EU) 2025/532 is one of them. It defines technical standards for cases where a vendor uses subcontractors to deliver services to financial institutions.

Managing ICT outsourcing risk from the ground up

A financial firm must understand the risk in the full ICT supply chain. Regulation 2025/532 requires that before signing an outsourcing contract, institutions must decide if subcontracting is allowed – and under what conditions. Article 3(1) says: “Before entering into contractual arrangements with an external ICT provider, the financial entity shall decide whether that provider may subcontract the ICT service […] only if all the following conditions are met.”

In short: Before allowing subcontractors, institutions must assess risk and ensure all safety criteria are fulfilled.

What factors should be considered? Article 1 says the institution must evaluate its own risk profile, operational scale, and key factors affecting outsourcing risk, such as:

• The type of ICT services being subcontracted – whether critical infrastructure or simple support tasks.
• The criticality of the service: the more vital, the more caution needed.

Rights of access and audit

The institution must retain the right to audit all levels of the subcontracting chain. Article 5 says contracts must include full access and inspection rights. This includes on-site audits, even at subcontractor locations. ICT providers must not block access. The institution must be able to monitor performance, compliance, and incident handling. If access is denied, the provider may breach DORA compliance.

Termination rights and risk mitigation

If a subcontractor creates unacceptable risk, the contract must allow termination. Article 6 emphasizes the need for clear exit strategies. Financial institutions must define steps to end cooperation if security or compliance is compromised. Backup plans must be in place to avoid disruptions. Institutions must ensure the continuity of services in case of sudden termination.

Applying the regulation in practice

These obligations are not optional. Regulation 2025/532 applies to all financial firms using external ICT. CEOs, compliance leads, and IT managers must align outsourcing contracts with the law. Providers outside the EU – such as cloud hyperscalers – must also comply. Institutions must renegotiate terms where necessary. Practical steps include: reviewing all ICT contracts, mapping subcontractors, introducing audit clauses, and preparing for inspections.

Summary for decision-makers

Regulation 2025/532 strengthens the DORA framework. It ensures that even hidden layers in ICT outsourcing are secure and under control. Decision-makers must focus on clarity in contracts, transparency in subcontracting, and strong audit rights. Compliance is not just legal duty – it’s essential for resilience. The entire ICT supply chain must support security, continuity, and regulatory oversight.