Skip to main content
DORA Auditor

ICT Third-Party Provider (TPP)

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Under DORA Article 3(21), an ICT third-party service provider is an undertaking that provides ICT services to a financial entity. These providers fall within scope of DORA's third-party risk-management requirements, including the register of information under Article 28.

Detailed explanation

ICT third-party providers include cloud platforms, data-centre operators, software vendors, and managed-service providers whose services support a financial entity's operations. DORA requires financial entities to identify every such arrangement, assess the risk it introduces, especially where it supports critical or important functions, and record it in a structured register of information. Contracts with these providers must contain specific provisions covering access, audit rights, data handling, sub-outsourcing, and exit strategies. Where a provider is designated 'critical', it additionally becomes subject to a dedicated EU oversight framework run by the European Supervisory Authorities.

In context

This term relates to the ICT Third-Party Risk pillar and is grounded in DORA Article 28.

Related terms

Sources

  1. DORA Article 3, EUR-Lex