On 24 March 2025, the European Commission adopted Delegated Regulation (C(2025) 1682 final) supplementing Regulation (EU) 2022/2554 (DORA) with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions. It aims to enhance digital operational resilience in the financial sector by ensuring a comprehensive approach to managing subcontracting risks.

The Regulation emphasises the need for financial entities to identify and manage the risks associated with ICT subcontractors, ensuring that subcontracting does not compromise their responsibility to manage risks and comply with regulatory obligations. The Regulation outlines detailed conditions for due diligence, risk assessment, and the management of subcontracting arrangements. Specifically, the Regulation:

• Establishes the rules on proportionality and group application (Articles 1 and 2).
• Sets out the rules on due diligence and risk assessment regarding the use of subcontractors supporting critical or important functions (Article 3).
• Establishes the description and the conditions under which ICT services supporting a critical or important function may be subcontracted (Article 4).
• Contains the rules on material changes to subcontracting arrangements of ICT service supporting critical or important functions, the provisions on the termination of the contractual arrangement, as well as the final provisions on entry into force (Articles 5 to 7).

The Delegated Regulation entered into force on 13 April 2025 (20 days after its publication in the OJEU).