DORA for ICT Third-Party Providers
ICT third-party providers, cloud, software, data and managed-service firms serving financial entities, are not directly bound by most DORA obligations, but they are pulled in through their clients' contractual and register requirements under Articles 28–30. A subset may be designated critical and face direct EU oversight.
How DORA reaches providers indirectly
Financial entities must include specific provisions in ICT contracts, access and audit rights, security, sub-outsourcing limits, and exit strategies, and must record every arrangement in their register of information. Providers that cannot meet these terms risk losing financial-sector business.
What providers should prepare
- Contract templates aligned to Article 30 mandatory clauses.
- Evidence packs: certifications, audit reports, resilience testing.
- Clear sub-outsourcing disclosure.
The critical-provider route
The largest, most systemic providers may be designated critical ICT third-party providers and brought under a direct EU oversight framework.
Frequently asked questions
Is my ICT company directly regulated by DORA?
Generally no, unless designated critical. Most providers are affected through contractual and register obligations imposed by their financial clients.
What contract terms will clients demand?
Article 30 mandatory clauses: access and audit rights, security and incident cooperation, sub-outsourcing controls, service levels, and exit strategies.
How do I become 'critical' and what changes?
The European Supervisory Authorities designate critical providers based on systemic importance; designation brings direct oversight, examinations, and possible recommendations.