Skip to main content
DORA Auditor

DORA for ICT Third-Party Providers

Last updated: 2 authoritative sourcesDORA Auditor Editorial Team

ICT third-party providers, cloud, software, data and managed-service firms serving financial entities, are not directly bound by most DORA obligations, but they are pulled in through their clients' contractual and register requirements under Articles 28–30. A subset may be designated critical and face direct EU oversight.

How DORA reaches providers indirectly

Financial entities must include specific provisions in ICT contracts, access and audit rights, security, sub-outsourcing limits, and exit strategies, and must record every arrangement in their register of information. Providers that cannot meet these terms risk losing financial-sector business.

What providers should prepare

  • Contract templates aligned to Article 30 mandatory clauses.
  • Evidence packs: certifications, audit reports, resilience testing.
  • Clear sub-outsourcing disclosure.

The critical-provider route

The largest, most systemic providers may be designated critical ICT third-party providers and brought under a direct EU oversight framework.

Frequently asked questions

Is my ICT company directly regulated by DORA?
What contract terms will clients demand?
How do I become 'critical' and what changes?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)