DORA Sub-Contractor Compliance: A Brief Guide For Financial Entities

The EU’s Digital Operational Resilience Act (“DORA”) is a few years old now, but its requirements are as relevant as ever given the continually evolving data security landscape. We discuss below the main DORA obligations that financial entities should consider when they outsource services involving data processing to third-party ICT suppliers and their sub-contractors.

DORA (Regulation (EU) 2022/2554) and the more recent regulatory technical standards on the sub-contracting of ICT services supporting critical or important functions (Delegated Regulation (EU) 2025/532 – the “Delegated Regulation”) impose obligations on financial entities to ensure that their third-party ICT suppliers and any associated sub-contractors (and their sub-contractors!) handle a financial entity’s data securely and appropriately.

DORA and the Delegated Regulation set out rules governing how financial entities, their third-party ICT suppliers and those suppliers’ sub-contractors should manage ICT risk in relation to data processed under the contracts they enter into with one another. In respect of sub-contractors, the purpose of DORA and the Delegated Regulation is to ensure that third-party ICT suppliers are properly overseen and that suitable levels of data security are maintained across financial entities’ digital supply chains.

For many businesses engaging third-party ICT suppliers, operational risk may originate not from their own (often stringent) internal processes but from the way in which their third-party ICT suppliers handle data. As ICT services provided to financial entities increasingly rely on layered sub-contracting models, it is critical to understand how sub-contractor adherence to DORA (and the Delegated Regulation) can be implemented in practice so as to reduce the risks that arise when data handling is outsourced.

This article provides a brief reminder of what regulated financial entities should do to ensure their processes meet the requirements under DORA and the Delegated Regulation in respect of their engagement of third-party ICT suppliers and their sub-contractors.

  1. DORA, the Delegated Regulation, and sub-contractors.

ICT service delivery in the financial sector frequently involves long or complex chains of third-party ICT suppliers and sub-contractors. These complicated arrangements can:

  • Impair a financial entity’s ability to identify, assess, and manage the associated risks to their data;
  • Increase the number of points at which vulnerabilities can be introduced; and
  • Impose limits on the financial entity’s ability to see critical dependencies in their chain of operations.

To address this, DORA provides rules on governance, risk management and contractual requirements that must be followed when a financial entity engages and manages third-party ICT suppliers and sub-contractors. The more recent Delegated Regulation strengthens these requirements by requiring financial entities to maintain full visibility of sub-contracting chains.

  2. Know your sub-contractors!

One of the core obligations under DORA is that financial entities must be able to identify, and understand in detail, their supplier and sub-contracting chains for ICT services. This is especially important where those services support critical or important functions of the financial entity.

The Delegated Regulation (which applies where the ICT services in question support critical or important functions) requires financial entities to have full visibility of the entire sub-contracting chain, whether the chain involves direct or indirect suppliers or sub-contractors.

Accordingly, financial entities should:

  • Have sufficient understanding of each sub-contractor’s role, including the scope of the services they are providing to the third-party ICT supplier and the extent of the data that they process;
  • Evaluate the length and complexity of the chain of sub-contractors;
  • Ensure that they are aware of the locations of the sub-contractors in the chain, especially when such sub-contractors are outside of the EU; and
  • Identify sub-contractors in the chain whose failure would materially impact critical or important functions.

The above obligations reinforce DORA’s and the Delegated Regulation’s broader requirement for financial entities to maintain their understanding of their third‑party ICT supplier and sub-contractor engagements.

  3. Due diligence

Before engaging a third-party ICT supplier, a financial entity should of course carry out the necessary due diligence and risk assessments. The Delegated Regulation sets out the expectations in this regard: a financial entity may only permit sub-contracting to proceed once it has assessed the associated risks and satisfied itself that the requirements relating to risk, transparency and service continuity are met.

The due diligence risk assessments should, as best practice, include the following:

  • A review of the way in which sub-contractors handle their obligations relating to security and security incidents;
  • An assessment of the sub-contractors’ operational resilience, including their data recovery capabilities;
  • A review of any relevant regulatory and supervisory status; and
  • An understanding of the ways in which a disruption to the work carried out by the third-party ICT supplier or their sub-contractors will impact the financial entity’s business operations.

DORA has raised the standard for due diligence beyond what was previously in place: continuous and detailed evaluation is now the benchmark.

  4. What about third-party ICT supplier contracts?

DORA and the Delegated Regulation require robust contracts to be in place when engaging third-party ICT suppliers. Where a contract is already in force, it can be amended by way of an addendum that brings the existing agreement’s provisions into line with the requirements of DORA and the Delegated Regulation.

In respect of sub-contracting, this typically involves including a number of provisions that give the financial entity clarity on how its data is handled by the third-party ICT supplier and its sub-contractors. These contractual obligations should also flow down to sub-contractors to ensure compliance further along the chain.

The requirements on these provisions include the following:

  • Provisions requiring third-party ICT suppliers to notify the financial entity of any sub-contracting that has taken place or will take place;
  • Provisions that address changes to sub-contractors that support critical or important functions;
  • Provisions relating to any additional training that may be required;
  • The ways in which the financial entity (and any relevant regulators) can exercise rights of access to data, audit and inspection over the services provided by the third-party ICT supplier and its sub-contractors, so that compliance can be assessed;
  • Service‑level requirements that bind third-party ICT suppliers and their sub-contractors to specific performance standards;
  • Provisions setting out how incidents should be reported, including mandating sub-contractors to provide support in a timely manner; and
  • Provisions that ensure the continuity of service in the event that a sub-contractor fails or no longer meets the required standards.

These contractual obligations should be applied consistently across all entities involved in a chain to ensure the requirements under DORA and the Delegated Regulation are met, and the parties should be mindful of, and reach an agreement on, the cost implications of some of these requirements.

  5. Continued monitoring

Checking in on third-party ICT supplier and sub-contractor compliance is not intended to be a one-and-done activity. To enable continued monitoring, financial entities should:

  • Create a structured monitoring process, and agree suitable assessments with their third-party ICT suppliers based on relevant performance metrics;
  • Verify compliance with technical and security obligations; and
  • Maintain an up‑to‑date audit trail.

  6. What are some suggested practical steps?

Financial entities should:

  1. Identify all the sub-contractors that are involved in a third-party ICT supplier’s services;
  2. Update existing agreements with third-party ICT suppliers to include clauses regarding expectations as to sub-contracting;
  3. Assess risks by conducting detailed due diligence when engaging third-party ICT suppliers and their sub-contractors;
  4. Maintain sufficient documentation/records relating to DORA/Delegated Regulation compliance, including records of the financial entity’s ongoing monitoring of any third-party ICT suppliers and associated sub-contractors; and
  5. Set clear expectations for sub-contractor transparency with any third-party ICT supplier.

Correspondingly, if you are a third-party ICT supplier, you should:

  1. Check with your clients as to any proposed DORA-related amendments to contracts to which you may be subject;
  2. Update any of your relevant terms and conditions of supply to reflect any DORA obligations imposed on you;
  3. Identify all the sub-contractors that are involved in the provision of your services;
  4. Ensure DORA obligations imposed on you are applied to your relationships with your sub-contractors;
  5. Assess risks by conducting detailed due diligence when engaging with your sub-contractors;
  6. Maintain sufficient documentation/records relating to DORA/Delegated Regulation compliance; and
  7. Set clear expectations for sub-contractor transparency with your sub-contractors.

Long story short…

DORA and the Delegated Regulation represent a significant shift in what financial entities must do to govern their arrangements with third-party ICT suppliers effectively. In short, they ensure that sub-contractor compliance is no longer optional. The obligations imposed under DORA and the Delegated Regulation require all parties involved to:

  • Have full visibility of what is happening with the data involved in the ICT services;
  • Carry out effective due diligence; and
  • Ensure the contracts involved in any supply of ICT services seek to keep data secure and handled appropriately.

The combined effect of DORA and the Delegated Regulation on sub-contracting can be stated concisely: financial entities should have a thorough understanding of their ICT supply chain, they should actively manage it, and they should ensure that data travelling along the chain is adequately secured.

By proactively addressing these obligations, financial entities can bolster their clients’ confidence in their services and mitigate regulatory, operational and reputational risks.

If you would like to discuss your company’s obligations in connection with DORA or the Delegated Regulation, whether you are a financial entity or a third-party ICT supplier (or sub-contractor!), please get in touch; we would be happy to provide you with more detailed advice on the above.

Please contact [email protected]