
The Final Piece of the Puzzle: DORA's Subcontracting Regulation Enters into Force – Are You Ready?
Introduction
On 22 July 2025, the DORA legal framework reached full maturity. With the entry into force of the Final Delegated Regulation on Subcontracting, the European Union has now locked in the last critical component of its ambitious Digital Operational Resilience Act (DORA). This final piece brings essential clarity to one of the most sensitive areas in digital risk management—the subcontracting of critical and important ICT services.
So, what does this mean for financial entities and ICT third-party service providers? In short: It’s time to move from planning to full implementation, compliance, and enforcement.

🧩 What Just Changed?
The new regulation clarifies the rules and expectations for subcontracting ICT services that are considered critical or important to financial institutions. This includes fourth-party subcontractors—those often hidden deep within complex digital supply chains.
Key requirements include:
- Clear allocation of responsibilities in subcontracting chains.
- Robust contractual obligations and well-defined exit strategies.
- Provisions that facilitate regulatory oversight of ICT risk, even when services are subcontracted.
This is not a minor add-on. This is a game-changer—particularly for firms relying on layered service providers like cloud, data analytics, or cybersecurity partners.
🧠 Why It Matters Now
- The compliance clock is ticking. Supervisory authorities now have the full legal authority to assess, investigate, and, where necessary, enforce penalties for non-compliance.
- The outsourcing landscape is under the microscope. Expect regulators to ask: “Do you know your fourth parties?”
- Contractual laziness is no longer an option. Agreements must not only meet technical and legal standards—they must actively support resilience, continuity, and recovery.
🚨 Key Takeaway: DORA is No Longer ‘Coming’—It’s Here.
With this final regulation, the DORA legal framework is now complete.
The focus has shifted decisively from drafting and planning to demonstrable implementation, control, and resilience.
And that’s where many firms are struggling.
🎓 Want to Lead, Not Lag?
Whether you’re a compliance officer, legal counsel, procurement manager, or IT risk professional, the reality is clear: subcontracting arrangements can make or break your DORA compliance posture. Ignorance or ambiguity will not be an acceptable excuse.
This is why now, more than ever, enrolling in the DORA Certified Compliance Specialist (DCCS) course is mission-critical.
The DCCS course:
- Covers every element of the DORA regulation—including the latest delegated acts like this subcontracting regulation.
- Prepares you to build resilience by design into your third-party risk management strategy.
- Equips you to communicate compliance status clearly and confidently to your board, auditors, and regulators.
💡 Final Thought
The final delegated regulation on subcontracting is more than just legal housekeeping—it is a clarion call to the financial sector to take responsibility, act decisively, and ensure digital resilience from the ground up.
Don’t wait for a regulatory probe or a disruption to expose your gaps.
🎯 Be ready. Be resilient. Be certified.
Join the next cohort of the DORA Certified Compliance Specialist course today and lead your organisation confidently into the new era of regulatory enforcement.

