Regulatory Context
DORA Article 31 addresses ICT concentration risk, including the risk that arises from sub-outsourcing chains. When your ICT third-party service provider outsources part of the service it delivers to you — to a sub-contractor or sub-provider — a supply chain dependency is created that extends beyond your direct contractual relationship. Your operational resilience depends not just on your direct provider, but on their entire supply chain.
Consider a practical example: your payment processing runs on Provider A's platform, which is hosted on Provider B's cloud infrastructure, which stores data in Provider C's data centres. If Provider C suffers a catastrophic outage, your payment processing fails — even though you have no direct relationship with Provider C. DORA requires you to understand and document these chains.
The ITS 2024/2956 template B_05.02 mandates reporting the entire ICT service supply chain to your National Competent Authority (NCA). For each contractual arrangement, you must identify whether sub-outsourcing occurs, who the sub-providers are, what services they provide, and at what tier of the supply chain they operate. This gives the NCA visibility into systemic dependencies that could affect multiple financial entities simultaneously.
Sub-outsourcing List Page
Navigate to DORA > Register of Information > Sub-outsourcing Chains to see all recorded sub-outsourcing relationships. The page header displays a chain-link icon, the title "Sub-outsourcing Chains", and the subtitle "Article 31 ICT service supply chain tracking for B_05.02 reporting".
Sub-outsourcing entries are displayed as cards, each showing:
- Sub-provider Name — The heading of the card, in bold text.
- Tier Badge — A branded pill showing the tier level (e.g., "Tier 1", "Tier 2"). This badge uses the platform accent colour.
- Criticality Badge — If set, a colour-coded badge: Critical (red), Important (amber), or Supporting (blue).
- Contract Reference — Shows which contractual arrangement this sub-outsourcing relates to, including the direct provider name (e.g., "Contract: ICT-2024-001 via Microsoft Azure").
- Service Description — A description of the sub-outsourced service.
- Metadata Row — Additional details shown in small text: Country code, LEI (Legal Entity Identifier), and Sub-provider Type if provided.
Hovering over a card reveals Edit (pencil icon) and Delete (trash icon) buttons in the top-right corner.
Empty State
If no sub-outsourcing chains are recorded, the page displays a centred empty state with a chain-link icon, the heading "No sub-outsourcing chains", the message "Track your ICT sub-outsourcing supply chains for DORA Article 31 compliance", and an "Add chain" button.
Creating a Sub-outsourcing Entry
Click "Add chain" to open the inline creation form. The form appears above the card list. Complete all fields and click "Add Chain" to save, or "Cancel" to discard.
Choose the contractual arrangement under which this sub-outsourcing occurs. The dropdown shows the contract reference and provider name for each arrangement.
Enter the name of the sub-provider and optionally their LEI code. The LEI helps uniquely identify the entity in regulatory filings.
Specify where in the supply chain this sub-provider sits. Tier 1 means they are a direct sub-contractor of your provider; Tier 2 means they are a sub-contractor of a sub-contractor; and so on.
Explain what ICT service this sub-provider delivers within the overall arrangement. Be specific enough for NCA reporting purposes.
Optionally specify the country, sub-provider type, and sub-criticality level. These enrich the B_05.02 reporting data.
Click "Add Chain" to create the record. The new card appears in the list.
Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Contract | Dropdown | Required | The contractual arrangement under which the sub-outsourcing occurs. The dropdown displays each contract as "reference (provider_name)" — for example, "ICT-2024-001 (Microsoft Azure)". This links the sub-outsourcing entry to its parent arrangement for B_05.02 reporting. You must have at least one contractual arrangement recorded before creating sub-outsourcing entries. |
| Sub-provider Name | Text input | Required | The name of the sub-provider entity. This should be the legal or trading name of the organisation. Examples: "Acme Cloud Services", "Equinix", "Akamai Technologies". This name appears as the card heading and in the B_05.02 export. |
| Sub-provider LEI | Text input (max 20 chars) | Optional | The Legal Entity Identifier of the sub-provider — a 20-character alphanumeric code that uniquely identifies legal entities globally. The LEI is the preferred identifier in regulatory filings. If the sub-provider has an LEI, include it. You can look up LEIs at the GLEIF website. |
| Tier Level | Number input (minimum 1) | Required |
The position of this sub-provider in the outsourcing chain, starting from 1: Tier 1 — Direct sub-provider of your ICT provider. Your provider has outsourced part of their service to this entity. Tier 2 — Sub-provider of a Tier 1 sub-provider. The chain is now two levels deep from your direct provider. Tier 3+ — Further levels in the chain. Each tier represents an additional layer of sub-outsourcing. The default value is 1. Higher tier numbers indicate deeper supply chains, which generally represent greater opacity and risk. |
| Service Description | Textarea | Required | A description of the specific ICT service this sub-provider delivers. Be specific about what part of the overall service is sub-outsourced. Examples: "Cloud infrastructure hosting (IaaS) for the payment processing platform", "Data centre colocation for primary and disaster recovery sites", "Content delivery network for customer-facing web applications". |
| Country | Dropdown (EU/EEA) | Optional | The country where the sub-provider operates or where the sub-outsourced service is delivered from. The dropdown contains all 30 EU/EEA member states with their country codes. This is relevant for data residency considerations and cross-border risk assessment. |
| Sub-provider Type | Text input | Optional | A classification of the type of sub-provider. Examples: "Cloud", "Data Centre", "Network", "Software", "Managed Services", "Security". This categorisation helps in understanding the nature of each link in the supply chain. |
| Sub-criticality | Dropdown (4 options) | Optional |
An assessment of how critical this sub-provider is to the ICT service you receive: Not set (default) — Criticality has not been assessed. Critical — The sub-provider is essential. If they fail, the service your provider delivers to you will be materially impaired. Important — The sub-provider is significant. Their failure would degrade the service but not necessarily cause complete disruption. Supporting — The sub-provider plays a peripheral role. Their failure would have limited impact on the service you receive. |
Understanding Tier Levels
The tier level concept is fundamental to understanding sub-outsourcing chains. Here is how the supply chain structure works:
Your Entity (you) contracts with
→ ICT Provider (Tier 0 — your direct provider, recorded in Contractual Arrangements), who sub-outsources to
→ Sub-provider A (Tier 1 — direct sub-contractor of your provider), who sub-outsources to
→ Sub-provider B (Tier 2 — sub-contractor of the sub-contractor), who sub-outsources to
→ Sub-provider C (Tier 3 — and so on)
Each tier represents an additional link in the chain. The deeper the chain, the less direct control and visibility you have. DORA requires you to document as far down the chain as you can reasonably identify.
In practice, most organisations will have primarily Tier 1 sub-providers (the most common scenario), with some Tier 2 entries for critical supply chains. Tier 3 and beyond is less common but should be recorded when known, particularly for providers supporting critical or important functions.
Editing a Sub-outsourcing Entry
Hover over a card and click the pencil icon to open the edit form. The same inline form used for creation appears, pre-filled with the entry's current values. The form heading changes to "Edit Sub-outsourcing Chain". Make your changes and click "Update Chain" to save, or "Cancel" to discard.
Deleting a Sub-outsourcing Entry
Hover over a card and click the trash icon. A confirmation dialog appears: "Delete this sub-outsourcing chain entry?". Confirming permanently removes the entry from the register and the B_05.02 export.
ITS B_05.02 Mapping
The data you enter in the Sub-outsourcing module maps to the following fields in the ITS 2024/2956 B_05.02 template:
- Contract reference — Links to the parent contractual arrangement, identifying which provider relationship the sub-outsourcing falls under.
- Sub-provider name — The name of the entity performing the sub-outsourced service.
- Sub-provider LEI — The unique legal entity identifier for cross-referencing in regulatory databases.
- Tier level — The depth of the sub-outsourcing chain, indicating how far removed the sub-provider is from your direct relationship.
- Service description — What the sub-provider does within the overall ICT service delivery.
- Country — Where the sub-outsourced service is delivered from, relevant for data residency and jurisdictional risk.
- Sub-criticality — How important the sub-provider is to the overall service delivery.
When you generate the DORA regulatory export from Venvera, all sub-outsourcing entries are automatically included in the B_05.02 template output, linked to their parent contractual arrangements.