    ICT Outsourcing Management: The DORA Focus on Subcontracting Chains

    ICT Outsourcing and New Obligations under DORA

    ICT outsourcing that supports critical or important functions is now one of the most complex and sensitive areas of compliance under the DORA regulation. Although the financial sector has relied on external IT providers for years, it must now effectively oversee not only the primary service provider but also the entire network of subcontractors, including infrastructure vendors, integrators, fintech firms, and non-EU hyperscalers.

    Key Challenges According to Compliance Departments

    Compliance experts point to several recurring challenges. One of them is the lack of transparency and visibility between subsequent parties in the supply chain. The complex structure of relationships between ICT providers often limits effective oversight of all process participants.

    Many financial institutions are forced to renegotiate existing contracts with providers to incorporate new regulatory requirements. However, they often face limited openness from partners – especially global cloud providers who hold a strong negotiating position, making agreement difficult.

    Another issue is the checklist-based approach to due diligence, where responses are superficial and not backed by real risk analysis. In such cases, there is a risk of apparent compliance without real control over service quality and security.

    Organizations must also build early warning systems that enable rapid assessment of changes in the subcontracting chain and of their impact on business continuity and the overall risk profile. In capital groups operating across multiple markets, an additional challenge arises from inconsistent subcontracting policies, especially outside the EU.

    RTS 2025/532: Specific Requirements for Financial Institutions

    In response to these challenges, the European Commission adopted Delegated Regulation (EU) 2025/532, which sets out Regulatory Technical Standards (RTS) on the subcontracting of ICT services supporting critical or important functions, that is, on how financial entities must assess and manage their ICT subcontracting chains. Article 5(1) states:

    “Financial entities shall implement operational risk management frameworks covering the entire chain of ICT subcontractors, regardless of their location and level of dependency.”

    The regulation emphasizes that a financial institution cannot transfer compliance responsibility – even when ICT services are further subcontracted. Before signing a new agreement (or amending an existing one), a thorough due diligence must be conducted, assessing each subcontractor’s technical, financial, and security capabilities.

    Institutions must also maintain a comprehensive register of all supply chain entities, monitor their activities, and evaluate associated risk levels, considering geographical reach and the complexity of relationships. Importantly, under Article 6(3):

    “Financial entities shall include in outsourcing contracts provisions related to audit rights, reporting requirements, and conditions for termination in case of risk levels exceeding acceptable thresholds.”

    This requires contracts to include specific clauses on permissible subcontracting, change notifications, objection rights, and the ability to terminate the contract.

    For parent entities operating within capital groups, it is crucial to ensure consistent ICT outsourcing policies across the organization, including beyond the EU. This involves unifying the principles of collaboration with providers, implementing common procedures, and conducting internal training and audits to ensure compliance with DORA.

    What Should Compliance Managers Do?

    Compliance teams must act swiftly and decisively. Reviewing current outsourcing policies should be paired with mapping the entire supply chain, identifying key risk areas, and updating contract terms accordingly.

    Special attention should be given to non-EU providers, entities with strong negotiating leverage, and cloud infrastructure operators. Well-prepared institutions will not only ensure DORA compliance but also strengthen operational resilience, reduce systemic risk, and improve the quality of collaboration with external service providers.

    In an era of growing digitalization and globalization, effective ICT outsourcing management becomes one of the key pillars of financial sector security.

    Wizards’ Support in ICT Outsourcing Management

    The Wizards team supports organizations in assessing ICT outsourcing risks, preparing RTS-compliant contracts, and creating monitoring and reporting mechanisms. If you need practical assistance, get in touch.