ICT Third-Party Risk under DORA
DORA's ICT third-party risk pillar (Articles 28–30) requires financial entities to manage risk arising from ICT third-party providers throughout the contract lifecycle and to maintain a register of information on all ICT arrangements.
The register of information
Entities must keep a structured register of every ICT third-party arrangement, distinguishing those that support critical or important functions, and report it to competent authorities. Our TPP register generator produces a register in the EBA format.
Contractual requirements & oversight
Contracts must include specific provisions on access, audit, exit strategies, and sub-outsourcing. Critical ICT third-party providers are additionally subject to a new EU-level oversight framework led by the European Supervisory Authorities.
Frequently asked questions
What is the DORA register of information?
A structured record of all ICT third-party arrangements, maintained by the financial entity and reportable to competent authorities under Article 28.