
New obligations for the financial sector: RTS on ICT subcontracting have entered into force

On 2 July 2025, the Official Journal of the European Union published the long-awaited Commission Delegated Regulation (EU) 2025/532, clarifying the obligations of financial institutions in relation to the use of ICT subcontractors (including digital services and data-related services) supporting critical or important functions.

This regulation constitutes another key element in the implementation of DORA (Regulation (EU) 2022/2554), aimed at enhancing the digital operational resilience of the financial sector.

Who is affected by the new rules?

The regulation is of significant relevance to the following entities:

  • payment institutions,
  • electronic money institutions.

All of the above are required to implement procedures and mechanisms set out in the RTS, especially when concluding or amending agreements with external ICT service providers who, in turn, rely on their own subcontractors.

What do the regulatory technical standards (RTS) cover?

The regulation specifies the elements that must be identified, assessed, and supervised when a financial institution uses ICT services provided by subcontractors. The requirements include:

Obligation to identify and assess the entire ICT supply chain

A financial institution outsourcing ICT services that support critical or important functions must have full visibility of the entire subcontracting chain – regardless of whether the subcontractors are direct or indirect.

Key aspects subject to assessment include:

  • the location of subcontractors,
  • the length and complexity of the subcontracting chain,
  • the type of data processed by subcontractors,
  • the potential impact of subcontractor failure on business continuity,
  • the regulatory and supervisory status of ICT providers and their subcontractors.

Where services are provided within a group of undertakings, outsourcing requirements must be applied consistently across all entities within the group.

New contractual requirements

Any external agreement concerning ICT services supporting critical or important functions must include a range of detailed provisions concerning subcontracting. The contract must clearly define:

  • which services may be subcontracted and under what conditions,
  • the obligation of the ICT provider to fully monitor its subcontractors,
  • the requirement to notify any changes in the outsourcing chain,
  • provisions ensuring continuity of services in case of subcontractor default,
  • reporting obligations, security standards, contingency plans, and service level agreements (SLAs).

In addition, the ICT provider must ensure that its subcontractors:

  • grant the same audit, access, and oversight rights to the financial entity and relevant authorities as are granted by the main service provider,
  • comply with applicable EU and national legal and regulatory requirements.

Risk assessment and ongoing monitoring

Before concluding a subcontracting arrangement, the financial institution must conduct a comprehensive risk assessment. This includes evaluating:

  • the operational and financial capacity of the subcontractor,
  • technical and organisational resources and professional expertise,
  • information security and incident management structure,
  • compliance with DORA and other applicable supervisory frameworks,
  • the impact of disruptions on the institution’s digital and financial resilience,
  • concentration and geographical risks,
  • potential barriers to the exercise of audit and control rights.

This risk assessment must be updated periodically, especially in light of operational, geopolitical, or organisational changes. Importantly, relying solely on the analysis provided by the ICT provider does not absolve the financial institution from its own regulatory responsibilities.

Oversight of changes and right to terminate

Every agreement must provide a framework for managing material changes to the subcontracting structure. ICT providers are required to:

  • notify the financial institution in advance of any planned changes,
  • allow the institution to assess the impact on risk exposure,
  • obtain the institution’s approval or allow objections to be raised.

The financial institution retains the right to terminate the contract where:

  • changes are implemented despite a formal objection,
  • the provider acts contrary to agreed subcontracting terms,
  • the institution determines that new risks exceed acceptable tolerance thresholds.

When does the regulation apply?

The regulation enters into force 20 days after publication, i.e. 22 July 2025. From this date:

  • new ICT agreements must comply with the RTS,
  • material amendments to existing agreements must also be brought into compliance.


What’s next?

The introduction of the RTS marks a significant step toward securing ICT supply chains and enhancing the responsibility of both service providers and financial institutions.

Now is the time to:

  • review existing ICT contracts,
  • assess internal procedures for approving and managing subcontracting,
  • ensure effective oversight and reporting mechanisms are in place.

In the face of increasing cyber threats, these rules form a key regulatory tool for mitigating systemic risk in the financial sector.

Full text of the regulation is available here.


Author: Aleksandra Walas, team leader, D&P Legal
