Of all DORA’s requirements, the ICT third-party risk management obligations are generating the most operational complexity for financial entities. The reason is straightforward: most financial entities have significant third-party ICT dependencies — cloud providers, core banking systems, payment processors, managed service providers — and the majority have never managed those dependencies to the level that DORA requires.

This post breaks down what DORA requires for ICT third-party risk management and what implementation looks like in practice.

The ICT Third-Party Register: Where It Starts

DORA Article 28 requires financial entities to maintain a register of all contractual arrangements with ICT third-party service providers. This is not a summary list — it is a detailed register containing specific information about each arrangement, including the nature of the services provided, whether the arrangement supports a critical or important function, the data and systems involved, and the contractual provisions in place.

The register must be reported to competent authorities upon request. From 2024, financial entities will be required to report key information from this register annually to their regulators as part of the DORA supervisory framework. This creates an accountability mechanism: the register is not an internal governance document but a regulatory obligation with external visibility.

The first challenge for most organisations is simply building the register. Comprehensive visibility of all ICT third-party arrangements — including the cloud-based SaaS tools adopted by individual business units, the data feeds from third-party providers, and the legacy arrangements from pre-digital operations — requires a discovery exercise that many organisations have never conducted.

The Critical Function Assessment

DORA requires financial entities to assess which of their ICT third-party arrangements support critical or important functions. This assessment is consequential because it determines which arrangements are subject to the most stringent DORA requirements — enhanced due diligence, mandatory contractual provisions, and concentration risk analysis.

A function is critical or important if its disruption would materially impair the financial entity’s ability to provide financial services, meet regulatory requirements, or maintain sound risk management. This captures most core technology dependencies: core banking platforms, payment processing systems, primary cloud infrastructure providers, and similar arrangements.

The assessment must be documented and reviewed regularly. Arrangements that initially appear non-critical may become critical as the organisation’s technology architecture evolves.

Mandatory Contractual Provisions

DORA Article 30 specifies mandatory provisions that must appear in ICT service agreements — particularly for arrangements supporting critical or important functions. These provisions include:

A clear description of the functions and services covered, with service levels and performance indicators. The data locations — where data is processed and stored — and the provider’s obligations to notify the financial entity of changes to these locations. Security requirements including incident notification obligations with specified timeframes. Audit and inspection rights — the financial entity must be able to conduct assessments of the provider’s security controls, either directly or through appointed third parties. Business continuity obligations on the provider, including cooperation with the financial entity’s own business continuity planning. Termination rights, including the right to terminate where the provider’s regulatory status changes or where it is designated a Critical Third-Party Provider by ESAs.

For existing arrangements that predate DORA, financial entities must review and update contracts to incorporate these provisions before January 2025. This is a significant contracting exercise — large financial entities may have hundreds of ICT service agreements requiring review.

Concentration Risk

DORA Article 29 requires financial entities to assess and manage ICT concentration risk — the risk arising from dependence on a small number of providers, or from using the same provider for multiple critical functions. The concern is systemic: if a significant proportion of the EU financial sector relies on the same cloud provider for critical infrastructure, a failure or disruption at that provider could have systemic effects.

Managing concentration risk does not necessarily mean diversifying away from concentrated providers — in many cases, concentration reflects a rational business decision. What DORA requires is that the risk is identified, assessed, and managed — with contingency planning that addresses the scenario of provider unavailability.

At Bitsecura, we help financial entities build DORA-compliant ICT third-party risk management programmes — from initial inventory and register development through critical function assessments, contract review programmes, and concentration risk analysis. This is complex, operationally intensive work, and eighteen months is not as long as it looks. Reach out here if you want to get started.


Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.