Financial institutions have spent years mastering third-party vendor risk management. You've built comprehensive programs to monitor your direct ICT service providers, established robust due diligence processes, and implemented continuous oversight of critical vendors. But there's a new layer of complexity coming that many organizations haven't fully grasped yet.
Under DORA's subcontracting RTS (Regulatory Technical Standards), which the European Commission adopted on March 24, 2025, financial entities need to extend their monitoring beyond their direct ICT providers to the subcontractors those providers rely on for ICT services supporting critical or important functions, what we call fourth-party monitoring.
Think about your current vendor ecosystem. Your payment processor (third party) relies on cloud infrastructure providers. Your core banking system vendor subcontracts security services to specialized firms. Your customer communication platform depends on email delivery services. These are your fourth parties—and under DORA's new requirements, you'll need visibility into their performance and risk profile.
This isn't just about knowing who your vendors use; it's about understanding how subcontractor performance impacts your critical ICT functions. When a fourth-party cloud provider experiences an outage, it doesn't just affect your third-party vendor—it cascades directly to your operations and customers.
The revised DORA Subcontracting RTS does not replace the supply-chain obligations financial entities already carry under DORA itself, such as maintaining an adequate Register of Information; it builds on them. In practice, financial institutions must:
Map the Complete ICT Service Chain: Identify all subcontractors supporting critical or important functions, not just your direct vendors. This includes understanding the full dependency chain for each critical service.
Monitor Fourth-Party Performance: Track how subcontractor issues affect your services. When your third-party vendor's cloud provider has performance problems, synthetic monitoring of your vendor's endpoints can detect these issues before they cascade to your customers.
Maintain Continuous Oversight: Fourth-party monitoring isn't a one-time mapping exercise—it requires ongoing visibility into subcontractor performance and risk changes.
Remediate Contracts: Execute addenda with third parties that include clauses requiring subcontractor disclosure and approval, so that fourth parties are held to the same performance and oversight requirements as third parties.
Document Risk Assessment: Demonstrate that you understand how fourth-party risks could affect your operations and have appropriate mitigation strategies in place. Automated compliance reporting can provide the documentation needed to show regulators your ongoing oversight of the complete service chain.
Traditional vendor monitoring approaches weren't designed for this level of complexity. Most organizations struggle to get timely performance data from their direct vendors, let alone their vendors' subcontractors. Fourth-party monitoring presents unique challenges:
Limited Direct Relationships: You may have no contractual relationship with fourth parties, making it difficult to get performance data or influence their operations. However, continuous monitoring of your third-party services can reveal when fourth-party issues are affecting performance, even without direct access to subcontractor systems.
Cascading Dependencies: A single fourth-party issue can affect multiple third-party vendors, creating complex failure scenarios that are hard to predict and manage. Real-time monitoring that tracks service availability and performance across your vendor ecosystem can help identify these cascade effects as they develop.
Scale Complexity: Large financial institutions may have hundreds of third-party vendors, each with their own network of subcontractors, creating thousands of fourth-party relationships to monitor.
Real-Time Requirements: In today's digital banking environment, fourth-party issues can impact customer services within minutes, requiring near real-time monitoring and alerting.
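The three operational questions raised above (map the full chain, know which critical functions a given subcontractor sits beneath, and recognise when several vendors degrade at once because they share an upstream provider) can all be answered from a small dependency graph built over the Register of Information. The following is an added example written for this page, not Clarative's platform code: the vendor names, the service chain and the synthetic-probe snapshot are constructed, and the tiering convention (a direct provider is tier 3, its subcontractor tier 4, and so on) is an assumption of the example rather than a definition from the RTS.

```python
"""Service-chain mapping and cascade analysis for fourth-party monitoring (constructed example)."""
from collections import defaultdict, deque

# Constructed sample chain: (dependent, provider). The financial entity's critical functions
# are the roots; PayProc, CoreVendor and CommsPlatform are hypothetical direct (third-party)
# ICT providers; everything they rely on is a fourth party or deeper. No real companies.
CRITICAL_FUNCTIONS = {"payments", "core-banking", "customer-comms"}
SAMPLE_CHAIN = [
    ("payments", "PayProc"),
    ("core-banking", "CoreVendor"),
    ("customer-comms", "CommsPlatform"),
    ("PayProc", "CloudA"),
    ("CoreVendor", "CloudA"),
    ("CoreVendor", "SecOpsFirm"),
    ("CommsPlatform", "MailRelay"),
    ("MailRelay", "CloudA"),  # fifth party: the mail relay itself runs on CloudA
]
# Constructed snapshot of the latest synthetic probe against each third-party endpoint.
PROBE_SNAPSHOT = {"PayProc": "degraded", "CoreVendor": "degraded", "CommsPlatform": "ok"}


def build_graph(rows):
    """Return (downstream, upstream): who is hit if a provider fails / who an entity relies on."""
    downstream, upstream = defaultdict(set), defaultdict(set)
    for dependent, provider in rows:
        downstream[provider].add(dependent)
        upstream[dependent].add(provider)
    return downstream, upstream


def _reachable(adjacency, start):
    """Breadth-first traversal; every node reachable from start, excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(downstream, provider, critical_functions=CRITICAL_FUNCTIONS):
    """Critical functions that lose a dependency if `provider` fails, however deep it sits."""
    return _reachable(downstream, provider) & set(critical_functions)


def party_tier(upstream, critical_functions=CRITICAL_FUNCTIONS):
    """Tier each provider by shortest distance from a critical function (1 -> third party = 3,
    2 -> fourth party = 4). A provider reached by several routes gets its closest tier."""
    tiers, queue = {}, deque((fn, 0) for fn in critical_functions)
    while queue:
        node, dist = queue.popleft()
        for prov in upstream.get(node, ()):
            if prov not in tiers:  # first BFS visit is the shortest path
                tiers[prov] = dist + 3
                queue.append((prov, dist + 1))
    return tiers


def concentration(downstream, upstream, critical_functions=CRITICAL_FUNCTIONS):
    """For each subcontractor, how many distinct third-party vendors route through it."""
    third_parties = {p for fn in critical_functions for p in upstream.get(fn, ())}
    return {prov: len(_reachable(downstream, prov) & third_parties)
            for prov in list(downstream) if prov not in third_parties}


def degraded_vendors(snapshot):
    """Third-party endpoints whose latest synthetic probe is not 'ok'."""
    return {vendor for vendor, status in snapshot.items() if status != "ok"}


def explain_degradation(upstream, degraded, third_parties):
    """Rank shared upstream providers that could explain a set of degraded vendors.
    Returns (provider, degraded vendors it sits under, healthy vendors it also sits under),
    best explanation first: most degraded covered, then fewest healthy contradicting it."""
    degraded, healthy = set(degraded), set(third_parties) - set(degraded)
    covered = defaultdict(set)
    for vendor in degraded:
        for prov in _reachable(upstream, vendor):
            covered[prov].add(vendor)
    ranked = [(prov, len(vs), sum(prov in _reachable(upstream, h) for h in healthy))
              for prov, vs in covered.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[2], r[0]))


if __name__ == "__main__":
    down, up = build_graph(SAMPLE_CHAIN)
    print("tiers:", party_tier(up))
    print("concentration:", concentration(down, up))
    print("if CloudA fails:", blast_radius(down, "CloudA"))
    bad = degraded_vendors(PROBE_SNAPSHOT)
    print("likely common cause:", explain_degradation(up, bad, PROBE_SNAPSHOT)[0])
```

Two things the output makes visible that a flat vendor list does not: CloudA is a tier-4 concentration point shared by all three direct vendors, so its outage reaches every critical function, and when the probes show PayProc and CoreVendor degraded while CommsPlatform stays healthy, CloudA is still the top-ranked common cause because it explains both degraded vendors. Feed the same functions from the real Register of Information and the current probe results instead of the constructed constants.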
The DORA subcontracting requirements represent a fundamental shift in how financial institutions must think about vendor risk. Organizations that treat this as a compliance checkbox will struggle with the operational complexity and miss the strategic advantages of comprehensive supply chain visibility.
The most successful organizations will be those that embrace fourth-party monitoring as a core operational capability, not just a regulatory requirement. This means investing in technology solutions that can scale with their vendor ecosystems and provide the real-time visibility needed for effective risk management.
As financial services become increasingly interconnected and dependent on complex technology supply chains, fourth-party monitoring isn't just about compliance—it's about operational resilience in an increasingly complex digital ecosystem.
Contact Clarative to learn how our platform can help you achieve comprehensive supply chain visibility and meet DORA's subcontracting requirements.