As legislation including DORA, NIS2, the CRA, and GDPR extends requirements throughout the supply chain, how can organisations and their ICT suppliers manage supply chain risk in a holistic and proportionate way? We discuss some of the challenges affecting parties at different points in the supply chain (whether the underlying user of ICT services, the primary ICT vendor, or the party being subcontracted to) and some key practical themes.
There are many reasons for the increased regulatory focus on subcontracting compliance: the expansion of complex supply chains, increased reliance on third-party ICT services, and (unfortunately) incidents like the CrowdStrike outage. The lack of a single concept of subcontracting, and differing requirements across regulatory regimes, can be overwhelming, especially for smaller organisations without large compliance and security teams.
The challenge is particularly acute for ICT suppliers, which are grappling with a myriad of legislation that applies both directly (eg NIS2, GDPR) and indirectly, where customers in regulated sectors like financial services and healthcare seek to flow down certain compliance obligations to their suppliers. Importantly, in such cases the regulated organisation remains responsible for compliance, notwithstanding any outsourcing or further subcontracting, but suppliers still face significant compliance challenges arising from subcontracting.
Even legislators and regulators have grappled with finding effective but proportionate means of regulating subcontracting. For example, four days before firms were required to comply with DORA, the European Commission rejected the RTS on subcontracting as exceeding the legal mandate under DORA. 7 March 2025 saw progress towards adoption, with the ESAs acknowledging the Commission's suggested amendments, but this delay and uncertainty have not helped an already complex area.
Which parties are in scope as 'subcontractors' for third-party risk management? Focus on critical services and material subcontractors as part of a risk-based approach
Determining which parties in the value chain are in scope is not straightforward. The approach varies under different legislation, and different organisations will have differing areas of focus. This can make identifying and managing subcontractors a real challenge, especially for IT vendors that provide services or software across different sectors.
Initially, GDPR forced the industry to identify "sub-processors" (ie parties that process personal data), and sub-processor lists became commonplace. However, certain subcontractor compliance obligations now extend to parties beyond those that process personal data, reflecting a focus on broader operational resilience as well as data protection.
Under DORA, for example, subcontracting isn't specifically defined and can capture any third party that provides "ICT services" (broadly construed) used to provide the underlying services to the financial entity. Given this breadth, DORA focuses on ICT subcontracting of ICT services supporting a financial entity's critical or important functions (CI functions), particularly those subcontractors that "effectively underpin" the relevant ICT service supporting the CI function, including where disruption to the subcontractor would impair the security or continuity of the CI function. This proportionate, risk-based element is important, although it does require a thorough understanding of supply chain exposure. One challenge for ICT suppliers is that a subcontractor used by (and material for) one customer's CI function may not be material for another customer.
The NIS2 Directive itself is less detailed on subcontracting and the approach will depend on Member State implementation. However, the Directive includes requirements for in-scope entities to take measures relating to supply chain security, including security-related aspects of relationships with "direct suppliers or service providers". When it comes to supervision and enforcement, competent authorities can take a "risk-based approach", suggesting in-scope entities (and where relevant, their suppliers) could prioritise focus on the most critical ICT services and more material third-party arrangements.
Other legislation takes a different approach to supply chain risk. For example, the Cyber Resilience Act imposes specific obligations on different parties (manufacturers, distributors, importers) across the supply chain, although third-party considerations remain relevant: manufacturers, in particular, need to exercise due diligence when integrating components from third parties.
With elements of supply chain risk management across so many different pieces of legislation, organisations will need to understand which regime(s) are most relevant to their businesses and/or customer base, and use that as a starting point for assessing which subcontractors or third parties might be in-scope of compliance or contractual obligations.
What substantive obligations might extend to subcontracting?
The substantive compliance obligations that apply to subcontracting or third parties in the supply chain depend on the relevant legislation and the nature of the services, including whether or not the subcontracting supports material functions. Relevant compliance areas include:
- Disclosure, including through registers - since GDPR, it has been common to disclose sub-processors, and a similar approach is often taken for subcontractors more widely. Taking this a step further, certain regulators are requiring increased visibility of supply chains - both DORA and proposals from the FCA require in-scope firms to disclose detailed information on relevant third parties, including certain subcontractors, via a 'Register of Information'. ICT vendors may need to provide the necessary information to enable them to do so.
- Due diligence - due diligence is a key part of the process, both by the underlying ICT customer (before enabling subcontracting) and by the ICT vendor (before engaging a subcontractor). This could include understanding the nature of the subcontracting, the extent of reliance, location, and assessing what the subcontractor's own third-party risk management process looks like.
- Contractual requirements - some legislative frameworks (eg DORA) include specific requirements for contractual terms relating to subcontracting. In other cases, even where legislation does not impose specific contractual requirements, the indirect nature of subcontracting means that parties in practice often seek to 'flow down' contractual obligations through their supply chain. The market is still grappling with finding the right balance and approach here.
- Monitoring, audit and inspection - subcontractor compliance is not 'one and done'. Depending upon the nature of the services and the role of the subcontracting, an appropriate level of monitoring, auditing and inspection will be required on an ongoing basis.
- Security and risk management - maintaining security notwithstanding subcontracting is critical, especially where the subcontractor is relied on for important services or to process personal or other critical data.
- Business continuity management - similarly, parties also need to consider how they can continue to provide the relevant services, even if the subcontractor(s) were to be disrupted or unavailable. Various strategies might be necessary here, including desktop risk assessments and business continuity testing.
Designing subcontractor compliance strategies is never a 'one size fits all' process, and requires an appreciation of the type of services, what they are used for, delivery model, and the nature of the subcontracting arrangements.
Practical tips to manage subcontractor compliance
Clearly, subcontractor compliance expectations will vary across different parties in the supply chain and the relevant regulatory regime(s). They will also depend on the specific scenario, the underlying technology and delivery model (eg outsourcing vs. shared responsibility). However, some common practical themes can be identified:
- Create a culture of compliance. Relevant teams need to understand why holistic subcontractor oversight is important; checklists play an important part in compliance, but a 'check the box' approach to compliance can create a false sense of security.
- Assign clear responsibilities for oversight of third parties. Governance is central to frameworks like DORA and NIS2. Even for organisations that are not directly subject to the legislation, clear responsibilities for managing third-party risk will support discussions with customers and regulators and help implement checks and balances. Where responsibility sits (eg within Security, Operations, Compliance, or a combination) will vary between organisations. The 'Three Lines of Defence' model used by financial institutions can also help inform how other organisations structure oversight.
- Document any internal processes or policies for identifying which parties are considered in scope under different regimes. Referencing a coherent rationale can go a long way if a regulator or customer asks questions on supply chain compliance.
- If contractual revisions to subcontractor contracts are necessary, try to address requirements under different pieces of legislation in one go where possible. This will help limit 'negotiation fatigue' with suppliers.
- Trust but verify - this is especially important in financial services, where the regulators have shown willingness to take enforcement action against individuals where parties haven't adequately verified third- and fourth-party assurances.
- Choose third parties and technology wisely. Look for parties with comprehensive compliance controls, but make sure those are properly implemented and understood within your organisation.
- Buy or build? As the compliance burden on subcontracting increases, this may weigh in favour of keeping certain ICT functions in-house or within the group. In financial services, intra-group outsourcing is still in scope of frameworks such as DORA, but in many cases parties will have greater visibility over subcontracting within the group. Similarly, ICT vendors that subcontract within their group may be more likely to have consistent risk management, security and monitoring procedures across those group entities.
- Take time to understand how obligations flow down the supply chain. Understanding the underlying legislation that applies to you and/or your customers (as applicable) can help manage customer demands to pass certain obligations on to ICT suppliers.
Get in touch
If you need support with the legal aspects of subcontracting in a regulated context, please do get in touch. We have experience helping clients find practical solutions to the legal complexities associated with subcontracting – whether as the underlying customer, immediate supplier, or the subcontractor.