RTS on Subcontracting (EU) 2025/532
Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions
Abstract
Regulatory Technical Standards under DORA (Article 30(5)) specifying the elements financial entities must consider and assess when ICT third-party service providers subcontract ICT services supporting critical or important functions. Covers proportionality based on risk profile and complexity, group application, due diligence and risk assessment prerequisites, contractual conditions for permitted subcontracting, requirements to manage and approve material changes in subcontracting chains, and termination rights where subcontracting increases risk beyond tolerance or breaches agreed conditions.
Key Takeaways
- Requires financial entities to consider size, risk profile, and complexity factors (e.g., subcontracting chain length, data locations, concentration, transferability) when permitting subcontracting for ICT services supporting critical or important functions.
- Mandates pre-contract due diligence and risk assessment to ensure the ICT third-party provider can identify subcontractors, provide necessary information, and flow down rights and obligations (including access, audit, and inspection) across the subcontracting chain.
- Sets contractual requirements defining which services are eligible for subcontracting, monitoring/reporting obligations, data-location elements, continuity expectations, and security standards to be imposed on subcontractors.
- Introduces governance for material changes to subcontracting arrangements, including advance notification, reasonable notice periods, and approval/objection mechanisms.
- Establishes termination triggers where a provider implements non-permitted subcontracting or material changes without required approval or despite objections.