Surging costs, geopolitical uncertainty and regulatory pressures mean that third-party risk management (‘TPRM’) teams face regular supplier renegotiations while under pressure to deliver both efficiency and regulatory compliance.
Moreover, as the integration of AI into third-party services accelerates, organisations must further rethink their TPRM practices. Inevitably, new risks around security, bias and privacy need to be tackled when looking to derive the added value that technology can create.
To navigate this new risk landscape, business leaders must find innovative ways to manage their ICT risks to strategically position their teams to operate faster, smarter and with more flexibility. DORA’s TPRM framework offers an opportunity for business leaders to revisit strategy in a manner that is fully aligned with digital operational resilience.
As a reminder, DORA introduces a harmonised framework across EU financial markets for the effective and comprehensive management of digital risks, and sets out specific TPRM rules under its fourth pillar.
Under this pillar, in-scope entities (such as banks, insurers, investment firms and other financial entities) are required to inter alia:
Maintain a register of information which captures various details of their contractual arrangements with ICT third-party providers (‘TPPs’);
Determine the criticality of those functions which are supported by ICT TPPs; and
Based on the results of the criticality assessment, ensure that the contractual arrangements in place with ICT TPPs include a number of contractual rights and obligations, such as:
Naturally, for those arrangements covering critical or important functions of the financial entity, the obligations imposed on the ICT TPPs are broader in scope than for non-critical functions. It is therefore essential for businesses to understand their position and their respective rights under each ICT arrangement, so as to avoid regulatory inconsistencies and renegotiation delays down the line.
The Regulatory Technical Standard (‘RTS’) on Subcontracting was adopted by the European Commission in March 2025 and published in the Official Journal of the EU in July 2025 under the title ‘Commission Delegated Regulation (EU) 2025/532’.
The RTS sets out detailed requirements and conditions for the use of subcontracted ICT services which support, even partially, critical or important functions of in-scope entities. Importantly, the standards set out rules around (but are not limited to):
Overall, the RTS aims to ensure that financial entities (‘FEs’) retain control and visibility over their ICT supply chains, especially when ICT services which underpin their critical or important functions are subcontracted.
It should also be highlighted that, in a group context, the parent undertaking must ensure that the policy on the use of ICT subcontractors is applied consistently across the FEs within its group.
While many businesses will be tempted to adopt a one-size-fits-all approach as they look to reduce operational costs, the complexity and breadth of the obligations under DORA’s fourth pillar mean that a tailored strategy for each ICT TPP may be required.
For instance, descriptions of service levels and provisions on the protection of data (including personal data) will vary depending on the type of ICT service being received. Similarly, where an arrangement supports a critical or important function, financial entities may wish to adopt more stringent conditions around assistance with ICT incidents and their reporting and monitoring rights.
PwC’s 2025 Digital Trends in Operations Survey found that the majority of business leaders (82%) face challenges in balancing short-term needs with long-term strategic change. This reflects a broader trend whereby organisations aim to shift compliance and TPRM from a reactive function to a centre of value creation.
The above survey also found that businesses are investing in AI at scale to navigate their supply chain risks. According to the study, 57% of business leaders have already integrated AI partially or fully into their operations.
Although adoption often creates friction, particularly around privacy and security, AI can, when done right, be a tremendous help in accelerating regulatory compliance.
By establishing strong AI governance practices (such as safeguards mandated by the EU AI Act), TPRM teams and the wider business will have added confidence to use and deploy AI. As a result, the use of trustworthy, specialised AI tools can help organisations streamline risk assessments, decrease time-to-contract, and onboard suppliers faster.
At PwC Malta, we empower organisations to confidently navigate DORA’s third-party risk requirements, including the latest rules included in the RTS on subcontracting. Our tech-driven, human-led approach accelerates your compliance journey, enabling you to responsibly explore Legal AI solutions.
For more information, connect with our sector leaders and specialists below.