Skip to main content
DORA Auditor

Subcontracting

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Subcontracting under DORA occurs when an ICT third-party provider uses further providers to deliver part of a service to a financial entity. Article 30 requires contracts to specify the conditions for subcontracting ICT services that support critical or important functions, so the entity retains visibility and control over the chain.

Detailed explanation

Modern ICT services are rarely delivered by a single supplier: a cloud platform may rely on other data-centre operators, and a software vendor may embed third-party components. DORA treats these chains as a source of risk that must be governed, not ignored. Under Article 30, contractual arrangements for services supporting critical or important functions must set out whether subcontracting is permitted and under what conditions, and must ensure the financial entity can monitor the full chain, including where subcontractors are located. The European Supervisory Authorities have developed regulatory technical standards clarifying how entities should assess and monitor subcontracting risk, for instance, requiring visibility of material subcontractors and the ability to object to changes that would materially increase risk. Poorly controlled subcontracting can undermine audit rights, complicate exit strategies, and reintroduce the concentration risk that DORA seeks to limit, which is why subcontracting conditions are a standard focus of both contract reviews and the register of information.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 30.

Related terms

Sources

  1. DORA Article 30, EUR-Lex