
European Commission: New Rules for Supply Chain Risk Management

TÜV SÜD provides an overview of DORA

Munich. In early July, the European Commission adopted final Regulatory Technical Standards (RTS) supplementing its Digital Operational Resilience Act (DORA) for the financial sector. These standards clarify how risk management should be approached in the often complex ICT supply chains covered by DORA. The new RTS focus primarily on subcontracting. TÜV SÜD offers a practice-oriented overview of the key aspects:

Most ICT supply chains are overly complex, posing a challenge for financial institutions that fall under DORA’s scope – especially when it comes to implementing effective risk management in this domain. To address these challenges, the European Commission published its “Delegated Regulation with regard to regulatory technical standards on the subcontracting of ICT services supporting critical or important functions.” In this seven-page delegated regulation, the Commission outlines how financial entities must manage ICT subcontractors involved in critical or important functions. The regulation was published in the Official Journal of the European Union on July 2, 2025, and entered into force on July 22.

“The European Commission is aware that ICT subcontracting chains can be complex and not fully transparent. Nevertheless, achieving a robust level of cyber resilience in the financial sector requires a thorough understanding and management of risks associated with outsourced critical functions,” explains Richard Skalt, Advocacy Manager Cybersecurity at TÜV SÜD. “The RTS provide a binding framework to this end. In areas where transparency and contractual clarity are lacking, best practices should complement regulatory requirements. TÜV SÜD supports financial institutions with risk assessment and helps ICT service providers demonstrate compliance.”

Key requirements at a glance:

  • Contractual arrangements: Contracts play a key role in the implementation of DORA requirements. Contractual agreements between financial institutions and third-party ICT service providers should specifically include provisions for the planning and approval of subcontracting arrangements, the conduct of risk assessments, and the fulfilment of due diligence obligations. It is also advisable to contractually define whether responsibility for assessing the subcontractors’ expertise, organizational structure, and risk management lies with the financial institution itself or with the primary subcontracting service provider.
  • Monitoring of services and reporting obligations: To identify and mitigate security risks in multi-tier IT supply chains at an early stage, financial institutions should implement measures to ensure they are informed of all relevant changes in a timely manner - preferably before those changes take effect. This is especially important in the case of new subcontracting arrangements or significant changes to existing agreements. If these changes are found to exceed the institution’s risk tolerance, the organization should secure the contractual right to terminate or modify the agreement accordingly.
  • Risk-based analysis and control: Entities outsourcing critical IT services are required to have adequate expertise, resources, and internal procedures in place to effectively oversee and manage the related risks. This includes information security measures, emergency response planning, and internal control mechanisms. Institutions must also assess the potential impact of an IT subcontractor’s failure on their digital operational resilience and financial stability. Furthermore, the geographical location of the service provider - or its parent company - introduces additional risks that should be factored into the risk assessment.
  • Subcontracting conditions: Third-party IT service providers that rely on subcontractors are expected to carefully assess the risks associated with such arrangements. This involves analysing the conditions at the service location, the corporate group structure, and the actual service locations. While not all aspects necessarily require contractual regulation, it is recommended to ensure transparency regarding these risks and to establish contractual safeguards where appropriate.

In the future, the responsible supervisory authorities will coordinate the examination and evaluation of critical third-party service providers (CTPPs) - notably by means of risk assessments and on-site inspections. Further guidance on this is offered by the DORA Oversight Guide recently published by the European Banking Authority (EBA), which provides a practical overview of the supervisory process for CTPPs under the Digital Operational Resilience Act (DORA).

Risk Assessments and Compliance Audits

Financial institutions that wish to have their existing contracts and implemented measures reviewed by a neutral third party in light of the new RTS can turn to TÜV SÜD for independent compliance audits. These audits help to identify potential gaps in the implementation of DORA and support the development of a clear roadmap to address them.

“We support clients in identifying gaps in their implementation or documentation and in developing practical, actionable plans to address them,” says Skalt. “TÜV SÜD also supports ICT service providers of financial institutions in helping them meet their contractual obligations and demonstrate compliance through structured risk assessments.”

For more information on TÜV SÜD’s DORA services, go to tuvsud.com/en/themes/cybersecurity/digital-operational-resilience-act.


Press contact: Laura Albrecht