RTS on subcontracting

Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions

This delegated regulation outlines regulatory technical standards under Regulation (EU) 2022/2554 for financial entities subcontracting ICT services that support critical or important functions. It specifies the elements to be assessed in such arrangements, including risk assessments, monitoring obligations, due diligence, and contractual safeguards. The regulation addresses issues of proportionality, group-wide implementation, and termination rights, emphasizing the responsibility of financial entities to manage digital operational risks when using third-party ICT providers and their subcontractors.