EU DORA ICT subcontracting chain controls

Start with the function, not the vendor. DORA defines a critical or important function by the impact its disruption, defective performance, or failure would have on financial performance, service continuity, authorisation conditions, or other financial-services obligations. If an ICT service supports that function, subcontracting of the service or a material part of it needs explicit treatment.

The chain review should cover direct ICT third-party providers and the subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them. Intra-group ICT subcontractors are not automatically outside the review: Delegated Regulation 2025/532 treats ICT intra-group subcontractors providing those services as ICT subcontractors.

Before entering into a contract with an ICT third-party provider, the financial entity must decide whether that provider may subcontract ICT services supporting critical or important functions or material parts of them. The assessment should be completed before approval, not reconstructed after the subcontractor is already in the chain.

The assessment should test both the provider's control of its subcontractors and the financial entity's own ability to monitor the resulting risk. Delegated Regulation 2025/532 lists conditions covering subcontractor identification, provider due diligence, contractual flow-down, access and inspection rights, provider and financial-entity monitoring resources, operational resilience impact, location risk, concentration risk, and obstacles to audit or supervisory access.

For ICT services supporting critical or important functions, the main contract should say whether subcontracting is permitted and, if permitted, under what conditions. A simple consent sentence is too thin; the contract needs operational conditions that let the financial entity monitor the chain and object when material changes exceed risk tolerance.

The clauses should also flow through core DORA controls to the subcontracting chain: service levels, continuity, security requirements, contingency plans, incident assistance, access and audit, cooperation with competent and resolution authorities, notification of material changes, and termination rights.

The register of information should make the subcontracting chain visible enough for internal ICT risk management and supervision. DORA requires a register for contractual arrangements on ICT services, distinguishing arrangements that support critical or important functions from those that do not. The ITS then adds structured templates for provider identity, ICT service supply chains, functions, and assessment fields.

For subcontracting, the important register question is not whether every remote supplier appears somewhere in procurement data. The register must include information on subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them, including those whose disruption would impair security or continuity of the service provision.

Once subcontracting is permitted, the control becomes continuous. Delegated Regulation 2025/532 requires periodic reassessment against changes in supported business functions, ICT threats, concentration risks, geopolitical risks, and the wider business environment. It also requires the provider to inform the financial entity about intended material changes well in time for assessment.

Exit and termination evidence should be practical. The financial entity should be able to show when it can object to a material subcontracting change, when the provider may not implement a change, when the contract may be terminated, and how the service and data can move to another provider or back in-house without disrupting business activities, regulatory compliance, or client service continuity.