ICT third-party risk management is one of the most operationally demanding aspects of DORA. The regulation requires financial entities to maintain a comprehensive Register of Information covering all ICT service providers, identify critical dependencies, conduct pre-contract due diligence, and include specific contractual provisions in all agreements with critical providers. For fintechs that run on cloud infrastructure and third-party APIs, this is substantial work.
What DORA Requires on Third-Party ICT Risk
DORA Chapter V (Articles 28–44) covers ICT third-party risk management in detail. The core requirements:
- Register of Information — a comprehensive list of all ICT third-party arrangements
- Critical provider identification — which providers are critical to operations
- Pre-contract due diligence — assess providers before engaging them
- Contractual requirements — minimum provisions for all critical provider contracts
- Exit strategies — documented plans for exiting critical provider relationships
- Ongoing monitoring — regular review of critical provider risk
The Register of Information (RoI)
The Register of Information is DORA's most visible requirement — and regulators are already asking for it. Every financial entity must maintain a detailed inventory of all ICT third-party service arrangements.
What to include:
| Field | Content |
|---|---|
| Provider name | Legal entity name |
| Provider location | Registered address and data processing locations |
| Services provided | Description of each ICT service |
| Criticality | Is this a critical service? |
| Data processed | Categories of data (personal, financial, customer, proprietary) |
| Contract start/end date | Term of the agreement |
| Sub-contractors | Key sub-contractors used by the provider |
| Data residency | Where data is stored and processed |
| Concentration risk | Is this provider used for multiple critical services? |
| Exit feasibility | How easily could this provider be replaced? |
The Register of Information must be updated whenever arrangements change and reviewed at least annually. Regulators (EBA, ESMA, EIOPA, and national competent authorities) may request submission of the register as part of supervisory activities.
Identifying Critical ICT Third-Party Service Providers
Not all ICT providers require the same level of oversight. DORA distinguishes between critical and non-critical ICT third-party providers:
Indicators of criticality:
- A failure of this service would significantly disrupt operations or services to customers
- No equivalent service is available from another provider
- This service processes large volumes of sensitive or regulated data
- The entity has high concentration risk in this provider (many critical services from one provider)
- Disruption would have systemic implications for the financial system
Examples of critical providers for most fintechs:
- Core banking platform or ledger system
- Payment processing infrastructure
- Cloud hosting provider (where hosted)
- Identity verification (KYC) provider
- Core security tools (SIEM, endpoint protection)
DORA EU oversight: DORA creates an EU-level oversight framework for critical ICT third-party service providers (CTPPs) — major cloud providers designated as critical will be subject to direct oversight by EU supervisory authorities (EBA, ESMA, EIOPA). This designation is separate from your internal criticality assessment.
Pre-Contract Due Diligence
Before engaging any new ICT third-party provider, DORA Article 28 requires a risk assessment covering:
- The security practices and certifications of the proposed provider
- The provider's business continuity and disaster recovery capabilities
- The provider's incident history and response track record
- Sub-contractor chains and concentration risks
- Data protection practices
- Whether the provider is subject to DORA EU oversight (as a CTPP)
Document this due diligence. It is evidence of compliance that regulators may request.
Contractual Minimum Provisions (Article 30)
Contracts with critical ICT third-party providers must include:
- Full description of services: Clear specification of what is provided, including SLAs
- Data locations: Where data is processed and stored
- Audit rights: The financial entity's right to audit the provider or access audit reports
- Incident notification: The provider must notify the financial entity of ICT-related incidents promptly
- Business continuity provisions: How the provider supports the financial entity's continuity obligations
- Termination provisions: Including termination in the event of a serious security incident
- Sub-contractor notification: Disclosure of sub-contractors and changes
- Exit assistance: The provider must support exit and data migration at contract end
Review existing contracts against these requirements. Contracts that predate DORA may be missing key provisions — plan a renegotiation programme for critical providers.
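As an added example (not from the original page or any DORA-issued template), the register fields, the concentration-risk indicator and the Article 30 provisions above are modelled as a small Python register that flags the gaps a supervisor would ask about; the provision key names, the provider names and the dates are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Article 30 minimum provisions listed above, keyed by constructed short names.
ARTICLE_30_PROVISIONS = frozenset({
    "service_description", "data_locations", "audit_rights", "incident_notification",
    "business_continuity", "termination", "subcontractor_notification", "exit_assistance",
})

@dataclass
class Arrangement:
    """One Register of Information row (a subset of the fields in the table above)."""
    provider: str
    service: str
    critical: bool
    last_reviewed: date
    provisions: frozenset = frozenset()

def concentration_risk(register, threshold=2):
    """Providers delivering `threshold` or more critical services (the concentration indicator)."""
    counts = Counter(a.provider for a in register if a.critical)
    return sorted(p for p, n in counts.items() if n >= threshold)

def missing_provisions(arrangement):
    """Article 30 provisions absent from a critical provider's contract; empty for non-critical."""
    return ARTICLE_30_PROVISIONS - arrangement.provisions if arrangement.critical else frozenset()

def review_overdue(register, today, max_age_days=365):
    """Services whose last review is older than the annual review cycle."""
    return [a.service for a in register if (today - a.last_reviewed).days > max_age_days]

def register_report(register, today):
    """Findings to act on: concentration risk, contract gaps, stale reviews."""
    return {
        "concentration": concentration_risk(register),
        "contract_gaps": {a.service: sorted(missing_provisions(a)) for a in register if missing_provisions(a)},
        "review_overdue": review_overdue(register, today),
    }

# Constructed sample register with fictitious providers.
FULL = ARTICLE_30_PROVISIONS
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Arrangement("CloudCo", "hosting", True, date(2025, 3, 1), FULL),
    Arrangement("CloudCo", "siem", True, date(2025, 3, 1), FULL - {"exit_assistance"}),
    Arrangement("KYC Ltd", "identity verification", True, date(2024, 1, 15), FULL),
    Arrangement("Mailer Inc", "newsletter", False, date(2025, 3, 1), frozenset()),
]
```

Running `register_report(SAMPLE_REGISTER, TODAY)` reports CloudCo as a concentration risk, the SIEM contract as missing exit assistance, and the KYC arrangement as overdue for review.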
Exit Strategies
DORA requires documented exit strategies for critical ICT providers. An exit strategy covers:
- What would trigger an exit (financial failure of provider, security incident, service quality failure, regulatory direction)
- How long the exit would take
- What data needs to be migrated and in what format
- Alternative providers assessed and ready
- Business continuity during the transition
Exit strategy documentation demonstrates that you are not unacceptably dependent on a single provider. For cloud-hosted financial entities, this typically requires multi-cloud architecture or documented portability plans.