DORA RTS on subcontracting: New obligations for financial companies in 2025


July 4, 2025
8 min read

Delegated Regulation (EU) 2025/532 - Complete guide for managers

Management summary

The Delegated Regulation (EU) 2025/532, published in the Official Journal on July 2, 2025, supplements the Digital Operational Resilience Act (DORA):

Financial companies must create complete transparency across the entire ICT subcontracting chain, anchor group-wide subcontracting policies and test resilient exit scenarios. Key KPIs include ≥ 95% end-to-end visibility of critical services, a quarterly cloud risk review and SIEM-based live monitoring. An immediate gap analysis, contract updates and a dashboard rollout secure compliance, reduce third-party risks and strengthen digital resilience.

1. What has happened since the beginning of 2025

January 21, 2025: The EU Commission rejects the ESAs' first draft RTS because parts of it, in particular the provisions on monitoring the entire ICT subcontracting chain, would have exceeded the mandate given by DORA. This signals that Brussels wanted to avoid obligations going beyond that mandate and asked for a narrower text.

March 24, 2025: The revised RTS is adopted by the Commission as Delegated Regulation (EU) 2025/532. The core requirements remain, but the controversial "Article 5 chain control" (conditions for monitoring the whole subcontracting chain) is deleted.

July 2, 2025: Publication in the Official Journal (OJ L, 2025/532); the RTS enters into force 20 days later, on July 22, 2025. This marks the start of adaptation and review projects across all financial companies.


2. The new duties in brief

Key provisions of Delegated Regulation (EU) 2025/532 on subcontracting

The new subcontracting regulatory provisions establish a comprehensive set of rules covering various aspects of subcontracting. The focus is on the principle of proportionality, according to which financial institutions must integrate the level of risk and complexity of the entire subcontracting chain into their governance structures. In particular, factors such as location, data type, chain length and group context must be taken into account.

At a group-wide level, parent companies are required to have a consistent subcontracting policy for all group companies in order to ensure uniform standards. This group-wide implementation is intended to avoid discrepancies between different business units and ensure a coherent risk strategy.

The regulation places particular emphasis on prevention through comprehensive due diligence processes and risk analyses. Contracts are only permitted if it can be proven in advance that the third-party provider has the necessary capacity to select and monitor its subcontractors. At the same time, financial companies must maintain their own resources for monitoring subcontracting chains and assess different exit scenarios that take geopolitical risks, concentration effects and data storage locations into account.

The minimum contractual requirements include detailed rules on monitoring obligations, location risks, the flow-down of audit rights to subcontractors and exit clauses for the event that the risk tolerance is breached. These provisions are intended to ensure that financial institutions can effectively exercise their control and monitoring functions even in complex subcontracting chains.

Particular attention is paid to material changes in existing contractual relationships. Providers are obliged to notify planned changes in good time, while institutions have the right to object to them. This is supplemented by extensive termination rights, which provide for an automatic special right of termination in the event of an unauthorized relocation or of material changes made against the will of the institution.

Table: Core provisions of the DORA-RTS on subcontracting


3. Strategic implications for top management

Supply chain transparency becomes a KPI

Without a complete view of fourth and fifth party providers, DORA compliance cannot be demonstrated. CIOs should therefore anchor a central subcontracting register in the GRC or CMDB system.

Risk-based provider diversification

Boards of directors must decide which critical functions can only be operated by multiple tested providers or in multi-cloud architectures in order to reduce concentration risks.

Contractual “fail-safe mechanisms”

Termination and exit clauses are now more detailed. Procurement teams need templates that address location and jurisdictional risks, data portability and business continuity plans.

Board Reporting & Metrics

  • Proportion of critical services with full chain view (≥ 95%)
  • Median time between provider change announcement and internal risk decision
  • Number of tested exit scenarios per year

(These metrics support a fact-based discussion without touching on liability issues.)
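The three board metrics above can be computed directly from the central subcontracting register recommended in this section. The following Python is an added example, not code from this post or from any ADVISORI tooling: the register layout, the provider names, countries and dates are constructed for illustration, and the EU/EEA code list is used only for the location-risk check. The chain walk treats a tier that is referenced but not in the register, or one the provider has acknowledged but not identified, as a blind spot, which is exactly what drags the ≥ 95% KPI below target.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from statistics import median

# EU/EEA country codes (ISO 3166-1 alpha-2) for the location-risk check.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
          "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
          "SE", "IS", "LI", "NO"}

@dataclass
class Provider:
    name: str
    country: str                                      # "??" if not disclosed
    subcontractors: list[str] = field(default_factory=list)  # next-tier provider names
    mapped: bool = True                               # False: tier acknowledged, not identified

@dataclass
class CriticalService:
    name: str
    direct_provider: str                              # the third party (tier 1)

def walk_chain(register: dict[str, Provider], root: str):
    """Yield (tier, name) for every provider reachable from the direct provider:
    tier 1 = third party, 2 = fourth party, 3 = fifth party, and so on.
    A referenced name missing from the register is yielded once and not descended
    into; cycles (mutual subcontracting) are cut by the seen-set."""
    seen: set[str] = set()
    stack = [(1, root)]
    while stack:
        tier, name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        yield tier, name
        prov = register.get(name)
        if prov is not None:
            for sub in reversed(prov.subcontractors):
                stack.append((tier + 1, sub))

def chain_visible(register, root) -> bool:
    """End-to-end visibility: every tier is in the register and mapped."""
    return all(name in register and register[name].mapped
               for _, name in walk_chain(register, root))

def chain_depth(register, root) -> int:
    """Length of the longest branch (1 = the third party does not subcontract)."""
    return max(tier for tier, _ in walk_chain(register, root))

def third_country_exposure(register, root) -> set[str]:
    """Non-EU/EEA countries anywhere in the chain (location risk)."""
    return {register[n].country for _, n in walk_chain(register, root)
            if n in register and register[n].mapped and register[n].country not in EU_EEA}

def visibility_kpi(register, services) -> float:
    """Share of critical services with a fully mapped chain (board target >= 0.95)."""
    return sum(chain_visible(register, s.direct_provider) for s in services) / len(services)

def median_decision_days(events) -> float:
    """Median days from a provider's change notice to the internal risk decision."""
    return median((decision - notice).days for notice, decision in events)

def board_report(register, services, events, exit_drills: int) -> dict:
    kpi = visibility_kpi(register, services)
    return {"chain_visibility": kpi,
            "visibility_target_met": kpi >= 0.95,
            "blind_spots": [s.name for s in services if not chain_visible(register, s.direct_provider)],
            "median_decision_days": median_decision_days(events),
            "exit_drills_this_year": exit_drills}

# Constructed sample register: names, countries and dates are invented.
REGISTER = {
    "CloudOne": Provider("CloudOne", "DE", ["DataCtr-A", "BackupCo"]),
    "DataCtr-A": Provider("DataCtr-A", "DE"),
    "BackupCo": Provider("BackupCo", "IE", ["StorageX"]),
    "StorageX": Provider("StorageX", "US"),                       # fifth party outside the EU
    "PayGate": Provider("PayGate", "NL", ["undisclosed-1"]),
    "undisclosed-1": Provider("undisclosed-1", "??", mapped=False),  # blind spot
    "CoreBank": Provider("CoreBank", "FR"),
    "IssuerCo": Provider("IssuerCo", "SE", ["CardCloud"]),
    "CardCloud": Provider("CardCloud", "SE"),
}
SERVICES = [CriticalService("online-banking", "CloudOne"), CriticalService("payments", "PayGate"),
            CriticalService("core-ledger", "CoreBank"), CriticalService("card-issuing", "IssuerCo")]
CHANGE_EVENTS = [(date(2025, 3, 1), date(2025, 3, 10)),   # (change notified, risk decision taken)
                 (date(2025, 4, 2), date(2025, 4, 22)),
                 (date(2025, 5, 5), date(2025, 5, 9))]

if __name__ == "__main__":
    print(board_report(REGISTER, SERVICES, CHANGE_EVENTS, exit_drills=2))
```

With the sample register, one of four critical services ("payments") has an undisclosed tier, so the visibility KPI is 0.75 and the target is missed; the "online-banking" chain reaches a fifth party in the US, which the location-risk check surfaces even though every tier is mapped.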

4. Best practice measures (quick wins)

Immediately implementable measures for DORA compliance

Governance: Board resolution on a zero-blind-spot policy: no critical function without 100% subcontracting transparency. Benefit: Clear expectations for all units; facilitates internal audits.

Risk assessment: Quarterly Cloud Dependency Review (IT + Risk + Legal) with scoring for lock-in, geo and concentration risks. Benefit: Early warning system for monopolistic dependencies.

Contract management: Checklist of mandatory clauses (e.g. audit rights, notification periods, data location, exit testing, BCM obligations). Benefit: Uniform basis for negotiations; minimizes renegotiations.

Continuous monitoring: SIEM/SOAR integration of provider telemetry; automatic ticket on SLA violation. Benefit: Real-time monitoring instead of point-in-time audits.

Training & Awareness: "DORA Bootcamp" for purchasing, legal and TPRM teams, focusing on the new termination triggers. Benefit: Accelerates the implementation roadmap, reduces misconfigurations.

Crisis exercises: Semi-annual exit drills with cloud providers (data portability, DNS switching). Benefit: Demonstrable resilience towards supervisors and auditors.
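The continuous-monitoring measure (SIEM/SOAR integration with automatic tickets) can be sketched as detection logic over provider telemetry. The following Python is an added example, not something from this post or from any vendor product: the JSON-lines telemetry format, the SLA values and the ticket shape are assumptions, and the sample lines are constructed. Besides raising a ticket on an SLA breach, it routes a provider's change notice into a review ticket, which connects the monitoring to the notification duty described in section 2.

```python
import json
import math
from collections import defaultdict

# Contractual SLAs per (provider, service): minimum availability over the
# evaluation window and maximum p95 latency. Values are assumed for the example;
# in practice they are pulled from the contract/subcontracting register.
SLA = {
    ("CloudOne", "online-banking"): {"availability": 0.999, "p95_latency_ms": 800},
    ("PayGate", "payments"):        {"availability": 0.9995, "p95_latency_ms": 500},
}

# Constructed JSON-lines telemetry as a SIEM might ingest it from providers.
# "heartbeat" events carry status/latency; "change_notice" events are the
# provider's advance notification of a planned change. One line is malformed
# on purpose to show that bad input is skipped rather than silently trusted.
TELEMETRY = """\
{"ts":"2025-07-10T08:00:00Z","provider":"CloudOne","service":"online-banking","event":"heartbeat","status":"up","latency_ms":120}
{"ts":"2025-07-10T08:05:00Z","provider":"CloudOne","service":"online-banking","event":"heartbeat","status":"up","latency_ms":140}
{"ts":"2025-07-10T08:10:00Z","provider":"CloudOne","service":"online-banking","event":"heartbeat","status":"down","latency_ms":null}
{"ts":"2025-07-10T08:15:00Z","provider":"CloudOne","service":"online-banking","event":"heartbeat","status":"up","latency_ms":900}
{"ts":"2025-07-10T08:20:00Z","provider":"CloudOne","service":"online-banking","event":"heartbeat","status":"up","latency_ms":160}
{"ts":"2025-07-10T08:00:00Z","provider":"PayGate","service":"payments","event":"heartbeat","status":"up","latency_ms":100}
{"ts":"2025-07-10T08:05:00Z","provider":"PayGate","service":"payments","event":"heartbeat","status":"up","latency_ms":110}
{"ts":"2025-07-10T08:10:00Z","provider":"PayGate","service":"payments","event":"heartbeat","status":"up","latency_ms":120}
{"ts":"2025-07-10T08:15:00Z","provider":"PayGate","service":"payments","event":"heartbeat","status":"up","latency_ms":130}
{"ts":"2025-07-10T09:00:00Z","provider":"PayGate","service":"payments","event":"change_notice","description":"planned relocation of backup storage to a new subcontractor"}
this line is not JSON
"""

def parse_telemetry(text: str):
    """Yield parsed records; skip blank, malformed or incomplete lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and {"provider", "service", "event"} <= rec.keys():
            yield rec

def p95(values):
    """Nearest-rank 95th percentile; None for an empty sample."""
    s = sorted(values)
    if not s:
        return None
    return s[math.ceil(0.95 * len(s)) - 1]

def evaluate(records, sla) -> list:
    """Group heartbeats by (provider, service), open an SLA_BREACH ticket per
    breached SLA and a CHANGE_REVIEW ticket for every provider change notice."""
    heartbeats = defaultdict(list)
    tickets = []
    for rec in records:
        key = (rec["provider"], rec["service"])
        if rec["event"] == "change_notice":
            tickets.append({"type": "CHANGE_REVIEW", "provider": key[0], "service": key[1],
                            "notified_at": rec.get("ts"), "description": rec.get("description", "")})
        elif rec["event"] == "heartbeat":
            heartbeats[key].append(rec)
    for key, recs in heartbeats.items():
        if key not in sla:
            continue  # no contractual SLA on file: nothing to compare against
        up = [r for r in recs if r.get("status") == "up"]
        availability = len(up) / len(recs)
        latency = p95([r["latency_ms"] for r in up if r.get("latency_ms") is not None])
        findings = []
        if availability < sla[key]["availability"]:
            findings.append(f"availability {availability:.4f} < {sla[key]['availability']}")
        if latency is not None and latency > sla[key]["p95_latency_ms"]:
            findings.append(f"p95 latency {latency} ms > {sla[key]['p95_latency_ms']} ms")
        if findings:
            tickets.append({"type": "SLA_BREACH", "provider": key[0], "service": key[1],
                            "availability": availability, "p95_latency_ms": latency,
                            "findings": findings})
    return tickets

if __name__ == "__main__":
    for ticket in evaluate(parse_telemetry(TELEMETRY), SLA):
        print(json.dumps(ticket))
```

On the sample input, CloudOne's online-banking feed produces one ticket with two findings (availability 0.8 against 0.999, p95 latency 900 ms against 800 ms), PayGate stays within its SLA, and PayGate's change notice becomes a review ticket for the risk function. In a real SOAR the ticket dicts would be pushed to the ticketing system and the evaluation window would be bounded by timestamp rather than by the whole batch.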

Here you can find further information on how ADVISORI can support you in the area of third-party risk management.


5. Next steps by the end of 2025

Implementation roadmap

  1. Gap analysis against RTS articles 1-6
  2. Roadmap for adapting contracts & registers
  3. Live monitoring dashboard including ICT subcontract chain KPIs (Q4 2025)
  4. Board update on progress & remaining risks at each quarterly meeting

Conclusion

With this structured approach, you not only implement the new RTS compliantly, but also efficiently - and at the same time create the basis for more robust, data-based control of your third-party management.

ADVISORI supports you with tailor-made solutions for third-party management under DORA.

Next step: Free initial consultation

Would you like to implement DORA compliance in a timely manner? Our experts will be happy to advise you - without obligation and in a practical manner.Arrange an initial consultation now →


📖 Also read:The new DORA Oversight Guide for tech providers – What decision-makers need to know now


