
Every financial entity relies on a number of third-party service and equipment providers to conduct its business; without them, no financial institution could offer quality services to its customers. Each of these suppliers, however, has its own relationships with further suppliers. As a result, a financial entity may be exposed to entities with which it has no contractual relationship and which its own risk assessment may not take into account. DORA addresses this issue directly and provides specific guidance on such chains of cooperation. In addition, the European Supervisory Authorities (ESAs), that is the EBA, ESMA and EIOPA, develop the technical standards that flesh out the regulation and oversee critical ICT third-party service providers.
Who is an ICT subcontractor according to DORA?
Before defining an ICT subcontractor, it is worth recalling who an ICT service provider is. DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) defines an ICT third-party service provider as an undertaking providing ICT services, and ICT services as digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis (Article 3). If you want to learn more about who ICT third-party service providers are under DORA, you can refer to our blog articles aimed at providers and financial entities.
The term ICT subcontractor is not defined on its own in DORA, but it appears in two of the regulation’s definitions (Article 3):
- “ICT third-party risk” means an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements;
- “ICT subcontractor established in a third country” means an ICT subcontractor that is a legal person established in a third country and that has entered into a contractual arrangement either with an ICT third-party service provider, or with an ICT third-party service provider established in a third country.
From the above it follows that an ICT subcontractor is an entity that provides ICT services (as defined by DORA) to an ICT third-party service provider, which in turn provides ICT services to a financial entity. Subcontractors may be involved at various stages of ICT service delivery, including planning, development, implementation, monitoring and technical support, and may be responsible for areas such as IT infrastructure management, application or software delivery, systems monitoring, information security assurance, or user support.
Who is a subcontractor providing critical or important functions?
DORA pays particular attention to ICT subcontractors that support critical or important functions. The financial entity has no contract with such a subcontractor; its contract is with the ICT provider, and the contractual relationship with the subcontractor belongs to the ICT provider. Nevertheless, such a subcontractor can have a significant impact on the operation of the financial entity’s critical or important functions, and therefore on its level of digital operational resilience.
What are the risks associated with a long ICT supply chain?
As mentioned earlier, every company works with suppliers. A financial institution buys hardware, software and ICT services from a variety of suppliers, and those suppliers in turn rely on services and equipment provided by other companies. As a result, a financial entity may not be aware that the ICT system it bought from its supplier is operated by a company in Africa, on a server rented from an ICT provider in Asia, and was developed by a team in South America.
For this reason, DORA, like earlier regulatory guidance such as the Polish Financial Supervision Authority’s (KNF) Cloud Communiqué, highlights the risks of long and uncontrolled supply chains. A lack of visibility into the ICT supply chain undermines third-party risk management, but it does not reduce the financial entity’s responsibility to manage those risks and to comply with legal and regulatory requirements.
What responsibilities does DORA impose on the ICT supplier regarding subcontractors?
Because the financial entity is responsible for managing its risks and ensuring its digital operational resilience, it has many tasks to perform when working with ICT providers. Accordingly, an ICT third-party service provider must be prepared to meet a number of requirements before it can begin working with a financial entity.
A provider must inform the financial entity that it uses subcontractors and which services they support. The financial entity then has to take this into account and weigh the benefits and risks of working with your organization. In doing so, it pays particular attention to:
- the potential risks associated with subcontracting, especially where a subcontractor is established in a third country;
- compliance with data protection rules in that third country, if your subcontractor is established there;
- possible restrictions and procedures in the event of the insolvency of your organization or your subcontractor, including the ability to recover data processed outside the financial entity;
- the impact of the length and complexity of the subcontracting chain on the financial entity’s ability to monitor and supervise the contracted services.
In short, if you work for a company that works with, or wants to start working with, the financial sector, you need to pay particular attention to your subcontractors. What can you do?
- Analyze whether you support, or intend to support, a financial entity in critical or important functions.
- Map your suppliers and the areas in which you cooperate with them, and verify whether any of them is involved in supporting the financial entity’s critical or important functions.
- Verify where your suppliers are located, including their headquarters and the locations where they process data.
- Ensure that they provide at least the same level of availability, integrity and confidentiality for customer data as your own organization.
- Prepare a clear and complete description of all ICT functions and services that your organization will provide to the financial institution.
- Describe which functions, especially critical or important ones, will be supported by subcontractors and under what conditions.
- Establish an ongoing process for monitoring the locations of your subcontractors, so that you can notify the financial entity well in advance of any change in where they process the financial entity’s data.
What obligations does DORA impose on the ICT subcontractor?
DORA does not impose obligations on ICT subcontractors directly; it imposes them on financial entities and ICT third-party service providers, and only those organizations can flow obligations down to subcontractors through contracts. In practice, the primary obligation that reaches an ICT subcontractor is to ensure a high level of security for the data of the financial entity and its customers, at least equal to the level of security provided by the ICT provider that contracts with the financial entity.
RTS on subcontracting of ICT services supporting critical or important functions
The European Supervisory Authorities are drafting six regulatory technical standards, one of which is expected to answer a number of questions about the subcontracting of ICT services supporting critical or important functions. The consultation on the drafts was open until March 4, 2024, and the final drafts are due to be submitted to the European Commission by July 17, 2024. The draft RTS requires financial entities to assess subcontracting risks at the pre-contract stage, including through a due diligence process. It also sets out requirements for implementing, monitoring and managing the contractual terms under which ICT services supporting critical or important functions, or material parts thereof, may be subcontracted, so that financial entities are able to monitor the entire ICT subcontracting chain.
See our manual on how to document subcontracting and what records an ICT provider should keep.
Liability for subcontractor errors
While reliance on subcontractors may be unavoidable, or even beneficial from a business standpoint, it brings additional risks. Financial entities must assess these risks carefully and take appropriate steps to manage them so as to ensure the business continuity and security of their ICT services. Under DORA, the ultimate responsibility for a financial entity’s digital operational resilience rests with its management body (Article 5).
These are also the people who decide whether to engage your organization. It is your job to provide them with information about which of your suppliers support you in delivering services to the financial entity, along with details such as each supplier’s location and level of data security. If you cannot provide this information, the financial entity may choose not to work with your organization.
Governance, Risk and Compliance (GRC) tools can be of great help in this regard. One such tool is RIG DORA, which will help you create a Register of Information about your suppliers and prepare the appropriate documentation for your client, the financial entity.