Current Directive 95/46/EC does not regulate sub-processing. A controller can choose a processor, but a processor cannot choose a sub-processor.
As a result, many processors chose sub-processors and designated them as their own processors. These cases should have been discussed in the last 20 years, considering that supply chains are getting longer.
The last GDPR proposal allows processors to “enlist another processor” and requires that “the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors”. Let’s think of an SME that uses telecommunication services provided by a big player. In such cases, the SME should be updated by the big player about its suppliers that can access personal data (some application management suppliers, hardware maintenance providers, consultants, lawyers, etc.) and about any related change.
Why are there no other options? In the real world, a customer should ask details to a supplier about its purposes, means and sub-supplier management, evaluate if they are are aligned with its own purposes and means ad then decide if having it as a processor. But a customer cannot enforce such supplier to follow its own rules, nor oblige it to share its list of suppliers. We should also consider that big players have many customers and cannot change their processing for each and every customer.
Unfortunately, this subject is still not debated as it should be.
Post scriptum. After I wrote this article, I read another one about the same subject: https://iapp.org/news/a/gdpr-killing-cloud-quickly/. This article is only about cloud services suppliers, but it can be easily read considering all kind of suppliers.