Skip to main content
DORA Auditor

ICT Third-Party Risk under DORA

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

DORA's ICT third-party risk pillar (Articles 28–30) requires financial entities to manage risk arising from ICT third-party providers throughout the contract lifecycle and to maintain a register of information on all ICT arrangements.

The register of information

Entities must keep a structured register of every ICT third-party arrangement, distinguishing those that support critical or important functions, and report it to competent authorities. Our TPP register generator produces a register in the EBA format.

Contractual requirements & oversight

Contracts must include specific provisions on access, audit, exit strategies, and sub-outsourcing. Critical ICT third-party providers are additionally subject to a new EU-level oversight framework led by the European Supervisory Authorities.

Frequently asked questions

What is the DORA register of information?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex