# ICT Subcontracting Oversight (DORA)

> Draft the ICT subcontracting oversight framework per DORA and RTS 2025/0532, covering conditions for sub-outsourcing critical functions, notification and approval processes, concentration risk, and monitoring.

Tags: DORA, Subcontracting, ICT Outsourcing, Third-Party Risk, EU Regulation, Financial Services

## Example Prompts

- Assess sub-outsourcing risks in our cloud provider's supply chain
- Draft the sub-outsourcing notification and approval process
- Evaluate ICT concentration risk from shared sub-contractors
- Create the contractual flow-down requirements for sub-outsourcing

URL: https://rakenne.app/skills/dora-subcontracting-oversight/index.md

Try this skill: https://rakenne.app/a/?skill=dora-subcontracting-oversight
## Overview

Draft the ICT subcontracting oversight framework per DORA and RTS 2025/0532, covering conditions for sub-outsourcing critical functions, notification and approval processes, concentration risk, and monitoring.

## What It Covers

- **RTS 2025/0532 conditions assessment** -- prior notification, right to object, TPP due diligence on sub-contractors, maintained service quality, no increased risk, contract flow-downs, and supervisory access
- **Sub-outsourcing inventory** -- map each ICT TPP's sub-contractors with jurisdiction, services, data processing locations, chain depth, and criticality classification
- **Concentration risk analysis** -- shared sub-contractors across multiple TPPs, geographic concentration, criticality cascades, single points of failure, and sectoral concentration
- **Monitoring framework** -- KPI/KRI cascade for sub-outsourced services, audit rights flow-down, incident reporting chain, periodic review, and Information Register updates
- **Approval and notification process** -- internal governance for sub-outsourcing decisions, objection conditions, escalation procedures, termination triggers, and response timelines
- **Contractual flow-downs** -- Art. 30 equivalent provisions for sub-outsourcing contracts (SLAs, data protection, audit rights, exit assistance, incident notification, security requirements)
- **Governance** -- roles and responsibilities, management body reporting, three lines of defense alignment, and competent authority reporting

## Example Conversation

> **You:** Our main cloud provider (TechCloud) wants to sub-outsource database hosting to a third party in Singapore. We're a credit institution and that database supports our core banking platform, which is a critical function. Can you help us assess this?
>
> **Agent:** I'll build the sub-outsourcing oversight assessment. First, let me gather context. Can you confirm: (1) your proportionality tier, (2) your competent authority, and (3) whether TechCloud has provided a formal notification with the sub-contractor's identity, jurisdiction, services, and due diligence results?
>
> **You:** We're a Tier 1 credit institution supervised by BaFin. TechCloud sent a notification naming "DataHost SG Pte Ltd" in Singapore, covering managed PostgreSQL hosting. They included a SOC 2 Type II report but no financial viability data. We have 45 days to respond.
>
> **Agent:** I've created the sub-outsourcing inventory entry and started the RTS 2025/0532 conditions assessment. Key findings so far: (1) prior notification is present but incomplete -- missing financial viability data and data processing locations; (2) Singapore is a third country, so we need to verify supervisory access and GDPR Chapter V compliance; (3) this sub-outsourcing supports a critical function, so management body approval is required under Art. 28(2). Let me also check concentration risk -- do any of your other ICT TPPs use DataHost SG or infrastructure in the same Singapore data center region?
>
> **You:** Actually, our payment processor also uses a Singapore-based sub-contractor for transaction logging. I'm not sure if it's the same entity.
>
> **Agent:** That's a potential geographic concentration risk. I'll flag it in the concentration risk section and recommend you verify whether the two sub-contractors share infrastructure. I'm now drafting the full framework with the conditions assessment, the notification response process, and the contractual flow-down checklist. I'll also map the criticality cascade: core banking depends on TechCloud, which would depend on DataHost SG for database hosting -- a failure there propagates directly to the critical function.
>
> **Agent:** Running `dora_subcontracting_checker` against the framework...
>
> **Agent:** The checker found 2 errors: (1) TPP due diligence is incomplete -- financial viability assessment missing; (2) supervisory access for the Singapore jurisdiction is not yet confirmed. I've added these to the objection grounds section. I recommend requesting the missing due diligence from TechCloud before the 45-day window closes, and obtaining a legal opinion on BaFin's ability to exercise audit rights in Singapore.

## Sample Output Excerpt

Below is a representative excerpt from a generated ICT subcontracting oversight framework document.

---

## 1. Executive Summary

This framework governs the oversight of ICT sub-outsourcing arrangements for [Entity Name], a Tier 1 credit institution supervised by BaFin, in accordance with Regulation (EU) 2022/2554 (DORA) and Commission Delegated Regulation (EU) 2025/0532.

## 3. Sub-Outsourcing Inventory

| TPP | Sub-Contractor | Jurisdiction | Services | Critical Function | Chain Depth | Data Locations |
|-----|---------------|-------------|----------|-------------------|-------------|----------------|
| TechCloud GmbH | DataHost SG Pte Ltd | Singapore | Managed PostgreSQL hosting | Yes -- Core banking | 1 | Singapore (SG-1, SG-2) |
| PayFlow Ltd | TxLog Asia Pte Ltd | Singapore | Transaction logging | Yes -- Payment processing | 1 | Singapore (SG-3) |

## 4. RTS 2025/0532 Conditions Assessment

### 4.1 Prior Notification

| Condition | Status | Finding |
|-----------|--------|---------|
| Notification received before sub-outsourcing takes effect | Met | Notification received 2025-06-01; planned commencement 2025-07-15 |
| Sub-contractor identity and corporate structure | Met | DataHost SG Pte Ltd, subsidiary of DataHost Holdings (Cayman Islands) |
| Jurisdiction of service delivery | Met | Singapore |
| Due diligence results included | Partial | SOC 2 Type II provided; financial viability assessment missing |
| Data processing locations specified | Not met | Notification references "Singapore" generically; specific data center locations not provided |

### 4.2 Right to Object

The contractual right to object is exercisable within 45 calendar days of notification. Grounds for objection identified:

1. **Incomplete due diligence**: Financial viability assessment not provided (RTS 2025/0532 condition 3)
2. **Third-country supervisory access**: No confirmation that Singapore jurisdiction permits BaFin audit and inspection rights (RTS 2025/0532 condition 7)
3. **Geographic concentration**: Combined with TxLog Asia arrangement, creates concentration in Singapore region

## 5. Concentration Risk Assessment

### 5.1 Shared Sub-Contractors

No shared sub-contractor entity identified across TPPs. However, TechCloud and PayFlow both have sub-contractors operating in Singapore, creating **geographic concentration risk**.

### 5.2 Criticality Cascade

```
Core Banking (Critical Function)
  --> TechCloud GmbH (Primary TPP)
    --> DataHost SG Pte Ltd (Sub-contractor, Singapore)
      Impact: Database unavailability = core banking outage
      RTO requirement: 4 hours
      Sub-contractor RTO: Unknown -- must be contractually defined
```
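The concentration-risk findings in sections 5.1 and 5.2 can be derived mechanically from the inventory in section 3. The following Python is an added example (not the skill's own code or output) that takes rows constructed from that table, reports sub-contractor entities shared across TPPs, reports jurisdictions where more than one TPP's sub-contractor supports a critical function, and builds the criticality cascade with an RTO gap check. The field names, the 4-hour payment-processing RTO and the 2-hour TxLog RTO are assumptions; only the core-banking RTO of 4 hours comes from the excerpt.

```python
from collections import defaultdict

# Constructed inventory mirroring the section 3 table; field names are assumed.
INVENTORY = [
    {"tpp": "TechCloud GmbH", "sub_contractor": "DataHost SG Pte Ltd",
     "jurisdiction": "Singapore", "services": "Managed PostgreSQL hosting",
     "critical_function": "Core banking", "chain_depth": 1,
     "data_locations": ["SG-1", "SG-2"],
     "sub_contractor_rto_hours": None},          # unknown, as in section 5.2
    {"tpp": "PayFlow Ltd", "sub_contractor": "TxLog Asia Pte Ltd",
     "jurisdiction": "Singapore", "services": "Transaction logging",
     "critical_function": "Payment processing", "chain_depth": 1,
     "data_locations": ["SG-3"],
     "sub_contractor_rto_hours": 2},             # constructed value
]

# Constructed RTO requirements per critical function (core banking: 4h from the excerpt).
RTO_REQUIREMENTS = {"Core banking": 4, "Payment processing": 4}


def shared_sub_contractors(inventory):
    """Section 5.1: sub-contractor entities engaged by more than one TPP."""
    tpps_by_entity = defaultdict(set)
    for row in inventory:
        tpps_by_entity[row["sub_contractor"]].add(row["tpp"])
    return {e: sorted(t) for e, t in tpps_by_entity.items() if len(t) > 1}


def geographic_concentration(inventory):
    """Section 5.1: jurisdictions in which sub-contractors of more than one TPP
    support a critical function."""
    tpps_by_jurisdiction = defaultdict(set)
    for row in inventory:
        if row["critical_function"]:
            tpps_by_jurisdiction[row["jurisdiction"]].add(row["tpp"])
    return {j: sorted(t) for j, t in tpps_by_jurisdiction.items() if len(t) > 1}


def criticality_cascade(inventory, rto_requirements):
    """Section 5.2: chain critical function -> TPP -> sub-contractor, and flag
    sub-contractor RTOs that are unknown or weaker than the function's requirement."""
    findings = []
    for row in inventory:
        function = row["critical_function"]
        if not function:
            continue
        required = rto_requirements.get(function)
        sub_rto = row["sub_contractor_rto_hours"]
        if sub_rto is None:
            gap = "Sub-contractor RTO unknown -- must be contractually defined"
        elif required is not None and sub_rto > required:
            gap = f"Sub-contractor RTO {sub_rto}h exceeds requirement of {required}h"
        else:
            gap = None
        findings.append({"chain": [function, row["tpp"], row["sub_contractor"]],
                         "rto_gap": gap})
    return findings


if __name__ == "__main__":
    print("Shared sub-contractors:", shared_sub_contractors(INVENTORY))
    print("Geographic concentration:", geographic_concentration(INVENTORY))
    for f in criticality_cascade(INVENTORY, RTO_REQUIREMENTS):
        print(" -> ".join(f["chain"]), "|", f["rto_gap"] or "RTO covered")
```

On the constructed rows this reproduces the excerpt's conclusions: no shared entity, a Singapore concentration across TechCloud and PayFlow, and an undefined RTO in the DataHost SG link of the core-banking chain.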


## Extension Tools

**`dora_subcontracting_checker`** validates that the subcontracting oversight framework JSON is complete against all RTS 2025/0532 requirements.

The checker evaluates seven mandatory sections:

- **Entity profile** -- entity type, proportionality tier, and competent authority must be present
- **Sub-outsourcing inventory** -- all arrangements must include sub-contractor jurisdiction and criticality classification; missing jurisdiction or criticality flags a WARNING
- **Conditions assessment** -- each of the seven RTS 2025/0532 conditions is checked individually: prior notification, right to object, TPP due diligence, maintained service quality, no increased risk, contract flow-downs, and supervisory access; each missing condition is an ERROR
- **Concentration risk** -- shared sub-contractors, geographic concentration, criticality cascade, and mitigation strategies are required (ERROR if missing); single points of failure and sectoral concentration are recommended (WARNING if missing)
- **Monitoring framework** -- TPP supervision obligation, audit rights flow-down, and incident reporting chain are required; KPI/KRI cascade, periodic review, and Information Register updates are recommended
- **Approval process** -- approval authority, notification assessment, and objection conditions are required; escalation procedures, termination triggers, and response timelines are recommended
- **Contractual flow-downs** -- service description, data protection, audit rights (Art. 30(3)(e)), exit assistance, incident notification, cooperation with authorities, and security requirements are required; termination rights and further sub-outsourcing conditions are recommended
- **Governance** -- roles and responsibilities plus management body reporting (Art. 28(2)) are required; three lines alignment, competent authority reporting, and record-keeping are recommended

Run the checker after building the framework structure. Missing mandatory items appear as ERRORs; incomplete but recommended items appear as WARNINGs.

## Getting Started

Add your source materials to the project workspace -- for example, your current ICT third-party contracts, the Information Register extract (Art. 28(3)), any TPP sub-outsourcing notifications you have received, and known sub-contractor details. Then activate the *ICT Subcontracting Oversight (DORA)* skill. The agent will guide you through mapping sub-outsourcing arrangements, assessing RTS 2025/0532 conditions, evaluating concentration risk, and producing the complete oversight framework document.

