DORA Subcontracting RTS: Inside Commission Delegated Regulation 2025/532

The DORA subcontracting RTS adopted on 24 March 2025 governs how ICT third-party providers may subcontract critical or important functions, in force from 22 July 2025.

Shadab Khan
Security Engineer

DORA's framework for ICT third-party risk management depends on transparent vendor chains, but Article 30(5) of the Regulation deferred the operational rules on subcontracting to a regulatory technical standard. The Commission adopted that RTS on 24 March 2025 as Commission Delegated Regulation (EU) 2025/532, supplementing Regulation (EU) 2022/2554, and the text entered into force on 22 July 2025. The RTS specifies what financial entities must assess before allowing an ICT third-party provider to subcontract services that support critical or important functions (CIFs), and it imposes documented controls over the entire subcontracting chain. The final text is materially different from the December 2024 draft — the most significant change being the deletion of the originally proposed Article 5 on mandatory contract content regarding subcontractor monitoring.

What does the RTS cover?

The RTS applies only to ICT services supporting CIFs or material parts of them. CIFs are defined in DORA Article 3(22): functions whose disruption would materially impair the financial performance of the entity's services and activities, or the soundness or continuity of the entity's services and activities. The RTS leaves entity-level CIF identification to the financial entity itself, supervised by its competent authority. Once a service is on the CIF perimeter, the RTS imposes due diligence on subcontracting throughout the chain — not only the direct subcontractor of the contracted ICT provider, but onward through the chain as long as the same CIF support is being relied upon.

What must the financial entity assess?

Article 4 of the RTS lists the substantive elements a financial entity must determine and assess before authorising subcontracting. They cluster into five buckets:

RTS Article 4 due diligence checklist:
1. Risk profile of the subcontracted service
   - criticality to the CIF
   - data sensitivity and processing scope
   - geographic location (including non-EU third countries)
   - dependency depth in the subcontracting chain

2. Subcontractor capability
   - technical and organisational capacity
   - resilience controls and certifications
   - track record in similar engagements
   - financial soundness

3. Operational arrangements
   - data flows and processing boundaries
   - identity and access controls
   - exit and stepping-in rights
   - sub-subcontracting limitations

4. Concentration risk
   - exposure if same subcontractor serves multiple CIFs
   - market-wide concentration with single subcontractor
   - alternatives availability

5. Audit and inspection rights
   - financial entity's audit rights extend down the chain
   - competent authority access rights preserved
   - documented audit cycle

The financial entity must complete this assessment before authorising the ICT third-party provider to subcontract, and must repeat it on material changes per Article 5.
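Several checklist items above (dependency depth, geographic location of each link, and concentration of one subcontractor across several CIFs or behind several top-line vendors) are questions about the structure of the chain, and they become easy to evidence once the chain is held as data rather than as procurement paperwork. The following is an added illustration, not code from the article or from any vendor's product: it models a small subcontracting register and runs those checks over it. All provider names, countries and the register itself are constructed, and the EU/EEA country set is an abbreviated assumption that an entity would maintain in full.

```python
# Added illustration: modelling a subcontracting chain register so the
# Article 4 checklist items (dependency depth, third-country links,
# concentration across CIFs and across top-line vendors) can be checked
# mechanically. Provider names, countries and the register are constructed.
from dataclasses import dataclass, field
from typing import Iterator

# Assumption: the entity maintains the full EU/EEA list; abbreviated here.
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "LU",
          "NL", "PL", "PT", "SE", "NO", "IS", "LI"}


@dataclass
class Provider:
    """An ICT provider or onward subcontractor in the chain."""
    name: str
    country: str                        # ISO 3166-1 alpha-2, where the service is performed
    subcontractors: list["Provider"] = field(default_factory=list)


@dataclass
class CifService:
    """An ICT service supporting a critical or important function (CIF)."""
    cif: str
    provider: Provider                  # the directly contracted ICT third-party provider


def walk_chain(provider: Provider) -> Iterator[tuple[Provider, int, tuple[str, ...]]]:
    """Yield (node, depth, path) for the contracted provider (depth 1) and every
    onward subcontractor. A node already on the current path is skipped so a
    mis-entered circular register cannot loop forever."""
    stack = [(provider, 1, (provider.name,))]
    while stack:
        node, depth, path = stack.pop()
        yield node, depth, path
        for sub in node.subcontractors:
            if sub.name in path:
                continue
            stack.append((sub, depth + 1, path + (sub.name,)))


def chain_depth(service: CifService) -> int:
    """Checklist 1: dependency depth of the subcontracting chain."""
    return max(depth for _, depth, _ in walk_chain(service.provider))


def third_country_links(service: CifService) -> list[tuple[str, ...]]:
    """Checklist 1 and the non-EU section: every link performed outside the
    EU/EEA, returned as the full path so the assessment file shows how it is reached."""
    return [path for node, _, path in walk_chain(service.provider)
            if node.country not in EU_EEA]


def shared_across_cifs(services: list[CifService]) -> dict[str, set[str]]:
    """Checklist 4: subcontractors that sit in the chain of more than one CIF."""
    seen: dict[str, set[str]] = {}
    for svc in services:
        for node, depth, _ in walk_chain(svc.provider):
            if depth > 1:               # subcontractors only, not the contracted provider
                seen.setdefault(node.name, set()).add(svc.cif)
    return {name: cifs for name, cifs in seen.items() if len(cifs) > 1}


def behind_multiple_vendors(services: list[CifService]) -> dict[str, set[str]]:
    """Concentration across top-line vendors: one underlying subcontractor
    reached through several different contracted providers."""
    seen: dict[str, set[str]] = {}
    for svc in services:
        for node, depth, _ in walk_chain(svc.provider):
            if depth > 1:
                seen.setdefault(node.name, set()).add(svc.provider.name)
    return {name: vendors for name, vendors in seen.items() if len(vendors) > 1}


def sample_register() -> list[CifService]:
    """Constructed register: two CIFs, two top-line vendors, one shared regional
    data centre operator with its own power subcontractor, and one non-EU
    connectivity provider used by only one of the vendors."""
    colo_power = Provider("ColoPower", "DE")
    regional_dc = Provider("RegionalDC", "DE", [colo_power])
    telco = Provider("TelcoX", "US")
    cloud = Provider("CloudCo", "IE", [regional_dc, telco])
    saas = Provider("SaaSCo", "NL", [regional_dc])
    return [CifService("payments", cloud), CifService("core-banking", saas)]


if __name__ == "__main__":
    reg = sample_register()
    for svc in reg:
        print(svc.cif, "depth:", chain_depth(svc), "non-EU links:", third_country_links(svc))
    print("shared across CIFs:", shared_across_cifs(reg))
    print("behind multiple top-line vendors:", behind_multiple_vendors(reg))
```

Keeping the path for each third-country link, rather than just the provider name, is deliberate: the RTS asks the entity to evidence that third-country dimensions were considered, and a path shows which contracted provider the exposure arrives through and therefore whose notification and exit terms apply.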

What is a "material change" to a subcontracting arrangement?

Article 5 defines material change broadly: any change to a subcontracting arrangement that materially affects the risk profile or operational characteristics of the service. Examples specified include a change of subcontractor identity, a change of country of service performance, a material change in subcontracted scope, a change in data processing location for personal or sensitive financial data, and any change that affects the financial entity's audit or stepping-in rights. The RTS requires the ICT third-party provider to notify the financial entity of any material change with sufficient lead time to allow assessment and, if necessary, exercise of contractual exit rights. Lead times are not specified numerically; the RTS uses a reasonableness standard that supervisors will calibrate over time.

What changed between the December 2024 draft and the final text?

The most notable difference is the deletion of Recital 5 and Article 5 of the draft, which would have imposed mandatory contract content requirements on financial entities relating to ongoing monitoring of the chain of ICT subcontractors. The Commission accepted concerns raised in consultation that this was both prescriptive beyond the empowerment in Article 30 of DORA and operationally infeasible — particularly where financial entities deal with large global cloud providers whose subcontractor chain spans dozens of regions and providers. The result is that ongoing monitoring sits in the financial entity's general risk management obligations under DORA Article 28 rather than as a prescriptive contractual clause. The RTS still requires that monitoring is performed and evidenced, but leaves the mechanism to the entity.

How does this interact with cloud providers?

Major cloud providers are themselves ICT third-party providers to thousands of financial entities, and frequently subcontract elements of their service to their own affiliates and third parties — for example, regional data centre operators, managed Kubernetes services, telco connectivity providers, and SaaS sub-processors. The RTS does not bar this practice but requires the financial entity to assess the chain. In practice, cloud providers have been issuing standardised subcontractor lists with regular update cycles, allowing financial entities to perform due diligence against a documented register rather than negotiating bespoke disclosures. Where a cloud provider is designated as a critical ICT third-party provider under DORA Article 31, the Oversight Forum led by the European Supervisory Authorities (ESAs) performs additional layered scrutiny — but the financial entity's own Article 4 assessment under the RTS does not disappear.

What about non-EU subcontractors?

Where any link in the subcontracting chain is established in a third country, additional considerations apply. The RTS specifically calls out the need to assess the legal and supervisory framework of the third country, the data transfer mechanism used (typically SCCs under the GDPR for personal data, plus DORA-specific contractual terms), and the practical enforceability of audit and exit rights from a non-EU jurisdiction. These are not new obligations under EU law but the RTS makes them an explicit part of the documented Article 4 assessment, which means competent authorities can request the assessment file and check that third-country dimensions were considered.

What are the enforcement implications?

The RTS is directly applicable; competent authorities supervise financial entity compliance. Article 50 of DORA mandates effective, proportionate, and dissuasive penalties. Where the contracted ICT third-party provider is designated as critical under Article 31, the Lead Overseer (one of the three ESAs) has direct powers including issuing recommendations and ultimately fines of up to 1% of average daily worldwide turnover. The most operationally pressing element for 2025-2026 is documentation: financial entities subject to the April 2025 Register of Information submission (under a separate RTS) reported gaps in subcontracting chain visibility, and supervisors have signalled that the RTS will be a focus area in upcoming inspections.

How Safeguard Helps

Safeguard's TPRM module captures the complete ICT third-party chain that DORA's subcontracting RTS contemplates — direct ICT providers, their subcontractors, and onward dependencies — with continuous attestation tracking that surfaces material changes the moment a provider notifies them. The Article 4 due diligence checklist becomes a recurring evidence pack rather than an annual scramble, with risk scoring weighted to CIF criticality and concentration exposure. For cloud providers and large SaaS vendors, Safeguard normalises subcontractor lists across providers and flags concentration risk where one underlying subcontractor sits behind multiple top-line vendors. When competent authorities request the Article 4 assessment file, financial entities can export a structured artefact directly from the platform rather than reconstructing the chain from procurement records.
