DORA Third-Party Risk Management: ICT Provider Requirements
DORA recognizes that financial sector resilience depends on technology supply chains. Chapter V establishes comprehensive requirements for managing ICT third-party providers, from pre-contract due diligence through ongoing monitoring to exit planning.
This represents a significant expansion of third-party oversight obligations. Financial entities can outsource technology services, but they cannot outsource accountability. You remain fully responsible for ensuring your providers meet DORA standards.
Key Takeaways
| Point | Summary |
|---|---|
| Lifecycle approach | Requirements cover selection, contracting, monitoring, and exit |
| Register of Information | Comprehensive register of all ICT third-party arrangements required |
| Contractual requirements | Mandatory provisions for all ICT service agreements |
| Critical functions | Enhanced requirements for services supporting critical functions |
| Exit strategies | Exit plans required for all ICT services |
Quick Answer: DORA requires financial entities to implement a comprehensive third-party risk management framework covering the entire relationship lifecycle with ICT service providers. Key requirements include a documented strategy, pre-contract due diligence, mandatory contractual provisions, ongoing monitoring, a Register of Information documenting all arrangements, and exit strategies for all ICT services. Enhanced requirements apply when providers support critical or important functions.
Third-Party Risk Management Strategy
Strategy Requirements
Non-microenterprises must adopt and regularly review a strategy on ICT third-party risk that includes:
| Element | Description |
|---|---|
| Policy framework | Policies governing use of ICT services, especially for critical functions |
| Risk appetite | Defined tolerance for ICT third-party concentration risk |
| Selection criteria | Factors to consider when selecting providers |
| Monitoring approach | How provider performance and risk will be overseen |
| Exit planning | General principles for exit strategy development |
Proportionality
The strategy should be proportionate to your size, risk profile, and reliance on third-party ICT services. A fintech heavily dependent on cloud services will need a more sophisticated approach than an institution with minimal outsourcing.
Pre-Contract Due Diligence
Before entering into arrangements with ICT third-party service providers, financial entities must conduct due diligence.
Due Diligence Factors
| Factor | Assessment |
|---|---|
| Provider capabilities | Technical competence, resources, capacity |
| Financial stability | Ability to sustain operations and investments |
| Security posture | Information security practices and certifications |
| Regulatory compliance | Provider's compliance with applicable requirements |
| Concentration risk | Impact on your concentration of ICT services |
| Sub-outsourcing | Provider's use of sub-contractors |
| Geographic location | Data residency and jurisdiction considerations |
Critical Function Assessment
When the service supports a critical or important function:
- Greater depth of due diligence
- Assessment of provider's resilience capabilities
- Evaluation of exit feasibility
- Consideration of alternative providers
Contractual Requirements
DORA Article 30 specifies mandatory provisions for contracts with ICT third-party service providers.
Requirements for All Contracts
| Provision | Description |
|---|---|
| Service description | Clear specification of services provided |
| Service location | Where data will be processed and stored |
| Service levels | Quantitative and qualitative performance targets |
| Incident notification | Provider obligation to report ICT incidents |
| Assistance obligation | Provider support during incidents at no additional cost |
| Cooperation with authorities | Provider must cooperate with competent authorities |
| Termination rights | Rights to terminate in specified circumstances |
| Exit assistance | Provider support during transition |
Enhanced Requirements for Critical Functions
When ICT services support critical or important functions, contracts must additionally include:
| Provision | Description |
|---|---|
| Full service description | Comprehensive specification of all services |
| Sub-outsourcing conditions | Conditions for and visibility into sub-contractors |
| Performance monitoring | Rights to monitor performance on an ongoing basis |
| Audit and access rights | Unrestricted access, inspection, and audit rights |
| Business continuity | Provider must implement and test continuity plans |
| Participation in testing | Provider must participate in resilience testing, including TLPT |
| Exit strategy support | Specific provisions supporting exit and transition |
Audit and Access Rights
For critical functions, contracts must provide:
"Unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority."
This cannot be impeded by other contractual arrangements or practical limitations.
Sub-Outsourcing
When providers sub-contract services:
- The financial entity must be notified of material sub-outsourcing
- Sub-contractors supporting critical functions require prior approval
- Equivalent contractual requirements must flow down to sub-contractors
- The entity must maintain visibility into the full supply chain
Register of Information
DORA Article 28(3) requires financial entities to maintain a comprehensive Register of Information (RoI) documenting all ICT third-party arrangements.
Register Content
The RoI must include:
| Element | Description |
|---|---|
| Provider identification | Name, registration details, contact information |
| Contract details | Contract dates, scope, value |
| Services provided | Description of ICT services |
| Critical function indicator | Whether services support critical functions |
| Data locations | Where data is processed and stored |
| Sub-outsourcing | Details of sub-contractors |
| Entity-level data | Information at individual entity level |
| Consolidated data | Aggregated view at group level |
Submission to Authorities
The Register of Information must be:
- Available to competent authorities on request
- Submitted according to regulatory timelines
- Maintained at entity, sub-consolidated, and consolidated levels
First submissions are due in 2025/2026, with the exact date announced by your competent authority.
ESA Use
The ESAs use Register data to:
- Monitor sector-wide concentration risk
- Identify candidates for Critical ICT Third-Party Provider designation
- Inform supervisory planning
Ongoing Monitoring
Financial entities must continuously monitor their ICT third-party arrangements.
Monitoring Activities
| Activity | Frequency |
|---|---|
| Performance monitoring | Ongoing (aligned with service levels) |
| Risk assessment updates | At least annually |
| Compliance verification | Periodic (aligned with audit cycle) |
| Incident analysis | Following provider incidents |
| Contract review | At renewal or significant change |
Performance Management
Monitor provider performance against:
- Agreed service levels
- Incident response and resolution
- Security metrics
- Business continuity readiness
- Regulatory compliance
Risk Reassessment
Reassess provider risk when:
- Contract renewal approaches
- Significant service changes occur
- Provider experiences incidents
- Provider's situation changes materially
- Regulatory requirements evolve
Exit Strategies
DORA requires documented exit strategies for ICT services, with enhanced requirements for critical functions.
Exit Strategy Requirements
| Element | Description |
|---|---|
| Trigger events | Circumstances that would trigger exit |
| Transition planning | Steps for transitioning to alternative arrangements |
| Alternative providers | Identified alternatives or in-house capabilities |
| Transition timeline | Realistic timeline for exit execution |
| Data migration | Plans for data extraction and transfer |
| Resource requirements | Staff, budget, and expertise needed |
| Risk mitigation | Measures to manage transition risks |
Testing Exit Strategies
For critical functions:
- Exit strategies should be tested periodically
- Table-top exercises validate feasibility
- Results inform strategy updates
Contractual Support for Exit
Ensure contracts include:
- Adequate notice periods for termination
- Provider assistance during transition
- Data access and extraction rights
- Continuity of service during transition
- Clear intellectual property ownership
Concentration Risk
DORA addresses concentration risk arising from dependence on a limited number of ICT providers.
Concentration Risk Assessment
Assess concentration at:
| Level | Consideration |
|---|---|
| Entity level | Single provider dependencies |
| Group level | Cross-entity dependencies |
| Sector level | Industry-wide concentration |
Mitigation Approaches
- Diversify critical ICT services across multiple providers
- Develop in-house capabilities for critical functions
- Ensure portability of services and data
- Maintain awareness of sector-wide concentration
Common Questions
How do we handle existing contracts that do not meet DORA requirements?
Review existing contracts against DORA requirements and negotiate amendments where necessary. Prioritize contracts supporting critical functions. Where providers refuse amendments, consider transition planning to compliant alternatives.
Do we need to audit all providers?
Audit and access rights must be contractually available, but you do not need to audit all providers annually. Prioritize audits based on risk: critical function providers and those with higher risk profiles warrant more frequent review.
How do we handle cloud provider standard terms?
Major cloud providers often resist custom contract terms. Where standard terms do not meet DORA requirements, document your risk assessment, consider compensating controls, and engage with providers on DORA-specific addenda. Some providers have developed DORA-compliant terms.
What happens if a provider is designated as a CTPP?
If your provider is designated as a Critical ICT Third-Party Provider, they will face direct EU oversight. This may require them to establish an EU subsidiary and comply with recommendations from Joint Examination Teams. Your contractual relationship continues, but the provider faces additional regulatory obligations.
How detailed must exit strategies be?
Exit strategies should be realistic and executable. For critical functions, this means specific plans with identified alternatives, transition timelines, resource estimates, and tested procedures. For non-critical services, higher-level strategies may suffice.
How Bastion Helps
Bastion supports financial entities in meeting DORA third-party risk management requirements:
- Strategy development: Creation of ICT third-party risk management strategies and policies
- Due diligence support: Vendor assessment frameworks and risk evaluation
- Contract review: Gap analysis of existing contracts against DORA requirements
- Register of Information: Preparation and maintenance support for the RoI
- Exit planning: Development and testing of exit strategies
- Ongoing oversight: Monitoring frameworks and risk reassessment support
Sources
- DORA Chapter V - Managing of ICT third-party risk
- DORA Article 28 - General principles and Register of Information
- DORA Article 30 - Key contractual provisions
- ESA RTS on Third-Party Risk - Technical standards for third-party risk management
