That’s because you’re trying to do something fundamentally unsafe. A data controller is responsible for all the data they control and how it’s processed, as a result it needs to control and vet the entire data processing chain, regardless of how many processors or sub-processors there are.

If GDPR allows controllers to slip out of their obligations by using sub-contractors to firewall their legal responsibilities, then it would be useless as a data protection law. If you want to run a data processor that relies of byzantine structures in an attempt to create plausible deniability, then you’re gonna have a bad time.

Ultimately this is just a problem of dependency resolution, and conflicting dependency requirements, but it’s an unavoidable problem if you want to have truly accountable data controllers. Accountability is far more important than operational convenience. Remember GDPR exists to protect EU citizens, not businesses. It explicitly makes life hard for business, to ensure protection for citizens. Don’t like it, then leave, go exploit some other population.