
Uniform Standards for ICT Subcontracting in EU Financial Sector: New Obligations
In Short
The Background: The EU has introduced Delegated Regulation (EU) 2025/532, establishing binding regulatory technical standards ("RTS") for the subcontracting of information and communications technology ("ICT") services supporting critical or important functions within financial entities. This regulation supplements the Digital Operational Resilience Act ("DORA") and aims to harmonize risk management and oversight of ICT outsourcing across the EU financial sector.
The Result: The new standards impose detailed obligations on financial entities, including comprehensive risk assessments, group-wide application, enhanced due diligence, and strict contractual requirements for ICT subcontracting. The regulation will be directly applicable in all EU Member States from 22 July 2025, requiring immediate action from financial institutions to ensure compliance.
Looking Ahead: Financial entities must urgently review and update their ICT outsourcing arrangements, implement robust internal controls, and coordinate group-wide compliance efforts. Failure to comply may result in regulatory enforcement, operational disruption, and reputational harm.
Key Elements
On 2 July 2025, Delegated Regulation (EU) 2025/532 was published in the Official Journal of the European Union. This regulation supplements the main DORA framework (Regulation (EU) 2022/2554) and, for the first time, lays down RTS concerning subcontracting of ICT services that support critical or important functions within financial entities.
This delegated regulation seeks to:
- Enhance the digital operational resilience of the financial sector;
- Address risks arising from complex ICT outsourcing chains; and
- Ensure harmonized oversight and risk management practices across the EU financial system.
Scope and Applicability: Delegated Regulation (EU) 2025/532 applies to all financial entities subject to DORA that rely on ICT subcontracting for critical or important functions. The regulation is directly applicable across the EU, with no need for national transposition, and forms part of the EU's broader strategy to strengthen digital resilience in the financial sector.
Deleted Article from Draft RTS: It is notable that Article 5 of the final draft of the RTS, which would have imposed expansive monitoring obligations, was not retained in the adopted delegated regulation. Even so, DORA imposes stricter and more granular requirements than comparable frameworks such as the MaRisk (Minimum Requirements for Risk Management under German law). While MaRisk broadly requires clear contract terms, audit rights, and emergency measures, DORA demands specific clauses addressing data localization, access to real-time risk metrics, termination triggers tied to non-compliance by subcontractors, and ongoing risk re-assessment obligations.
Risk Profile and Complexity: Financial entities must consider their own risk profile; the nature, scope and complexity of the ICT services outsourced; the length, layering and structure of the subcontractor chain; the location of subcontractors and of data processing, especially for cross-border arrangements; and the sensitivity and criticality of the services involved. This risk assessment must be proportionate and dynamic, updated regularly, and revisited upon any material change to the ICT setup or the subcontractor chain. The financial entity itself must carry out the risk assessment; the competent supervisory authority is not involved in it.
Group-Wide Application: Where financial entities are part of a group structure, the parent company responsible for the financial statements is also responsible for ensuring that the subcontracting requirements are applied uniformly across all relevant subsidiaries and group entities in the EU.
Due Diligence and Risk Assessment: Before entering into, renewing, or materially modifying any outsourcing arrangement involving ICT services that support critical or important functions, entities must conduct comprehensive due diligence on both the direct service providers and any foreseeable subcontractors, and assess the provider's and subcontractors' technical capabilities, resource adequacy, financial soundness, and information security practices. Special attention must be paid to subcontracting chains involving non-EU service providers or service providers operating from jurisdictions with less robust legal safeguards for data protection and oversight.
Contractual Requirements: Outsourcing contracts must explicitly identify which services may be further subcontracted, require prior notification of any changes in the subcontractor chain, include clear monitoring and reporting obligations, define rights of access, audit, and inspection (both direct and indirect), and include provisions for termination rights.
Change Management and Termination Rights: Any material change in the subcontractor chain (e.g., the addition, removal, or relocation of a subcontractor supporting a critical or important function) must be notified to the financial entity in advance and is subject to the entity's right to object or, if the associated risks become unmanageable, to terminate the outsourcing arrangement. The financial entity must be able to demonstrate to its competent authority that it retains full control and oversight over outsourced functions even when services are subcontracted.
Immediate Action Required: With the delegated regulation entering into force on 22 July 2025, financial entities should act without delay to ensure compliance. Immediate priorities include:
- Identify and classify all current and planned ICT outsourcing arrangements, focusing on those that support critical or important functions, as defined in the information register.
- Conduct a gap analysis of existing contracts and amend terms to ensure compliance with DORA's subcontracting requirements.
- Implement robust internal policies and processes for managing subcontractor risk throughout the outsourcing lifecycle.
- Coordinate with group-level functions to ensure coherent implementation across legal entities and jurisdictions.
- Launch targeted staff training and awareness campaigns, especially for personnel in outsourcing management, procurement, compliance, risk management, and legal functions.
Given the binding nature of these RTS and the tight implementation timeline, early preparation will be essential to avoid regulatory enforcement, operational disruption, reputational damage, and potential fines under the broader DORA framework.
Four Key Takeaways
- New Binding Standards: Delegated Regulation (EU) 2025/532 introduces mandatory technical standards for ICT subcontracting in the EU financial sector, moving beyond best practices to enforceable obligations.
- Contractual and Organizational Obligations: Financial entities must replace current outsourcing mechanisms by implementing contractual safeguards, conducting rigorous due diligence, and maintaining ongoing risk monitoring of subcontracted ICT services.
- Focus on Critical Functions: Enhanced oversight applies to ICT outsourcing supporting critical or important functions, including the entire subcontractor chain, which requires coordination, especially with group-level functions, to ensure coherent implementation.
- Immediate Action Required: With an effective date of 22 July 2025, financial institutions must act now to bring all relevant arrangements into compliance and avoid regulatory and operational risks. Failure to comply may result in supervisory action, including enforcement and/or penalties under DORA as well as reputational harm.