Subcontracting under DORA
Oct 21, 2025

Why “nth parties” are now your problem too
The hidden risk beneath the surface
When financial institutions think about ICT risk, they often stop at the third-party provider. The contract is signed, the service is delivered and the assumption is that this provider is the only partner the institution is accountable for.
Reality is rarely that simple. ICT providers frequently outsource parts of their own service to cloud platforms, niche software vendors or offshore support functions. These subcontractors, often called “nth parties” (fourth parties, fifth parties and beyond), may never appear in a financial entity’s contract. Yet their performance, their resilience and their vulnerabilities can directly affect the entity’s critical operations.
The Digital Operational Resilience Act (DORA) recognises this hidden dependency and makes it explicit: a financial entity’s risk does not stop at its third party. It extends to everyone that third party relies on.
Why subcontracting matters
Modern ICT services are layered and interconnected. A managed service provider might run on a hyperscale cloud platform. A payments provider might outsource cybersecurity to a specialist firm. A SaaS platform might depend on overseas development and support teams.
Each subcontractor adds another dependency. If it fails, the service you depend on fails too. And if you don’t even know who the subcontractors are, you can’t assess the risk, let alone prepare for the failure.
Recent years have shown how disruptive these dependencies can be:
A software update from a little-known subcontractor caused outages across multiple European banks, exposing systemic fragility.
Supply chain cyberattacks, where attackers compromise one provider to infiltrate many, have become one of the fastest-growing threats to financial institutions.
Firms have been blindsided by intra-group subcontracting arrangements that created conflicts of interest and reduced independence.
None of these are theoretical. They are real vulnerabilities sitting one layer deeper in the supply chain than most oversight reaches.
DORA’s requirements on subcontracting
DORA tackles the subcontracting challenge head-on. It requires financial entities to ensure that ICT third-party providers are transparent about their subcontracting arrangements and that those arrangements are actively managed, with the strictest requirements applying to ICT services that support critical or important functions.
The key requirements are:
Disclosure of subcontractors
Contractual arrangements must specify whether subcontracting of ICT services supporting critical or important functions is permitted and, if so, under what conditions (DORA Article 30(2)). Providers must identify the subcontractors they rely on to deliver those services, not merely state that subcontracting occurs.
Conflict of interest management
Firms must identify and assess the conflicts of interest that a subcontracting arrangement may cause, and put measures in place to prevent or mitigate them.
Ongoing oversight
Subcontracting cannot be a blind spot. Financial entities must monitor these arrangements throughout the life of the contract, including whenever the provider proposes to add or replace a subcontractor, not just at signing.
Intra-group arrangements
Even where ICT services are provided within the same corporate group, the conditions of the arrangement, including its financial terms, must be decided on objective grounds, and the arrangement must be assessed with the same rigour as one with an external provider. The assumption that “intra-group equals safe” is no longer acceptable.
In short, subcontracting is no longer an excuse; it is a regulated responsibility.
The challenges for financial entities
Meeting these requirements is easier said than done.
Limited visibility
Many providers are reluctant to disclose subcontracting arrangements, citing confidentiality or complexity. Financial entities must now demand transparency, and regulators will expect evidence that they obtained it, for example a documented subcontracting chain for each critical or important function.
Dynamic ecosystems
Subcontracting arrangements change frequently. A provider may add or replace subcontractors during the life of a contract. Firms must ensure that such changes are disclosed before they take effect and assessed at that point, rather than discovered after an incident.
Global supply chains
Subcontractors may be based in jurisdictions with different regulatory or supervisory frameworks. This adds complexity for compliance, especially when sensitive data is processed or stored there, and it can limit the practical value of audit and access rights unless those rights are enforceable down the chain.
Conflicts of interest
Intra-group arrangements can blur accountability. A provider may outsource to an affiliated company, raising questions about objectivity and resilience. Firms must ensure decisions are evidence-based, not automatic.
Managing subcontracting risk
So how can firms rise to the challenge? The answer lies in embedding subcontracting into the same governance and oversight frameworks that apply to direct ICT providers. The register of information that DORA already requires for ICT contractual arrangements (Article 28(3)) is the natural place to record the subcontracting chain behind each critical or important function.
Contractual clauses
Contracts with third parties must include provisions requiring disclosure of subcontractors, advance notification of planned changes, the right to assess or object to those changes, and audit and access rights that extend to the subcontractors themselves.
Risk assessments
Subcontractors must be factored into risk assessments. Firms should evaluate their resilience, the regulatory oversight they are subject to and their potential to create concentration risk, for instance where several seemingly independent providers all run on the same hyperscale cloud platform.
Monitoring and reporting
Ongoing monitoring must cover subcontractors, not just primary providers. Firms should require reporting on subcontracting arrangements and review them regularly.
Conflict management
Objective measures must be in place to identify and manage conflicts of interest. This is especially important where subcontractors are part of the same corporate group.
Exit strategies
Exit and transition plans must account for subcontractors. If a provider fails, or a key subcontractor in its chain does, can the service still be transferred to another provider or brought back in-house within an acceptable time?
The strategic dimension
Subcontracting under DORA is all about resilience in an interconnected world.
Financial entities that excel in managing nth-party risk will not only meet regulatory expectations but also reduce hidden vulnerabilities, strengthen operational resilience and build trust with regulators and clients alike.
It’s also an opportunity. By demanding transparency and accountability, firms can push providers to raise their own standards. The result is a healthier, more resilient ecosystem.
You can outsource services, but not accountability
DORA’s approach to subcontracting delivers a simple but powerful message: you can outsource ICT services, but you cannot outsource accountability. Article 28(1) states it directly: financial entities remain fully responsible at all times for compliance with the Regulation, whoever delivers the service.
Nth parties may not be on your contract, but they are still your risk. Ignoring them is no longer an option.
In a digital financial system where supply chains are long, complex and often opaque, subcontracting is the hidden frontier of resilience. Managing it is hard. But under DORA, it is non-negotiable.
The firms that succeed will be those that look beyond their contracts, beyond their providers and into the layers beneath, where the real risks often lie.
