New EU regulation to subcontract ICT services for critical or important functions

By
Hussam Greg
Published on
May 3, 2025

On March 24, 2025, the European Commission adopted a delegated regulation supplementing DORA, Regulation (EU) 2022/2554. It specifies the requirements that financial companies must meet when the ICT services supporting their critical or important functions are subcontracted.

Why is that relevant?

ICT services, cloud solutions in particular, are often not delivered directly by the contracted service provider but through multi-tier supply chains of subcontractors. These complex structures make risk management significantly harder. The new regulation addresses exactly this challenge, with clear requirements for financial companies.

Monitoring vs. steering: the crux of the regulation

As early as January 21, 2025, just four days after DORA came into force, the EU Commission rejected the ESAs' original RTS draft in a letter. The reason was Article 5, which would have required financial companies to actively monitor the entire ICT supply chain.

“Monitoring” would have meant ongoing supervision, SLA reviews, incident management and audits, even of subcontractors with whom the financial company has no direct contract.

The Commission's conclusion:

This operational responsibility lies not with the financial company but with the ICT service provider; otherwise the draft would have gone beyond the DORA mandate.

Instead, the following now applies:

“Steering” means: the financial company remains responsible for risk management but does not have to intervene operationally itself. It must ensure that the ICT service provider has its subcontractors under control, through contracts, risk analyses and control rights.

What do financial companies actually have to do?

1. Ex-ante risk assessment and due diligence

Before a critical or important function is subcontracted, the financial company must:

Create transparency regarding:
  • the type and scope of the services
  • the subcontractor's location and group affiliation
  • the length and complexity of the supply chain
  • the type of data processed
Assess risks, such as:
  • information security
  • data processing in a third country
  • concentration risks
  • geopolitical dependencies
Ensure that the ICT service provider:
  • can effectively monitor its subcontractors itself (including contingency plans and audit rights)
  • reports relevant information and changes in good time

2. Drafting of contracts

Contracts with ICT service providers must clearly regulate:

  • which services may be subcontracted
  • which notification and information obligations apply
  • which security and audit standards apply
  • under which conditions the financial company may terminate the contract

Does the entire chain have to be actively steered?

Yes, steered, but not monitored.

When subcontractors provide ICT services supporting critical or important functions, financial companies must:

  • ensure full transparency across the entire supply chain
  • identify, assess and manage the relevant risks arising from the ICT services and their ICT supply chains
  • be informed of significant changes and, where necessary, be able to object to them
  • contractually secure audit and control rights
  • be able to terminate the contract if the acceptable level of risk is exceeded

________________________________________

Conclusion

With the new regulation, it is clear:

👉 Financial companies do not have to monitor everything themselves, but they are fully responsible for ensuring that their service providers can.

Anyone who manages their ICT supply chain in a structured way, documents its risks and secures them contractually is not only meeting regulatory obligations but also strengthening the digital resilience of their company.