DORA Third-Party ICT Risk:
Complete Guide to Provider Oversight

DORA's most operationally complex pillar. Over 60% of critical financial sector functions rely on third-party ICT providers. This guide covers the Register of Information, Article 30 mandatory clauses, CTPP oversight, and the due diligence framework regulators are examining in 2026.

Art. 28–44
DORA articles dedicated
to third-party risk
19
Critical Third-Party Providers
designated by ESAs (Nov 2025)
15+
Mandatory contractual
clauses (Article 30)
Q1 2026
Register of Information
submission deadline
60%+
Critical systems hosted
by third parties

1 Why Third-Party Risk Is DORA's Most Complex Pillar

DORA's five pillars cover governance, incident management, resilience testing, third-party risk, and information sharing. Of these, Pillar 4 — third-party ICT risk management — occupies the largest share of the regulation by article count (Articles 28–44) and, in practice, the largest share of compliance programme effort. The reason is structural.

The European financial sector does not run on infrastructure it owns. Core banking systems, payment processing, cloud compute, data analytics, trading platforms, custody systems, and cybersecurity operations are predominantly delivered by specialist ICT providers. Estimates from the EBA's outsourcing registers suggest that more than 60% of critical functions in large EU financial institutions depend on third-party ICT services. DORA requires financial entities to manage, monitor, and account for every one of those dependencies.

📄
Register of Information
Every ICT arrangement mapped, classified, and submitted annually in xBRL-CSV format to your NCA.
📝
Article 30 Contracts
15+ mandatory clauses in every contract covering a critical or important function. No exceptions.
🔍
Due Diligence
Pre-contractual assessments, ongoing monitoring, audit rights, and concentration risk analysis.
CTPP Oversight
19 providers designated as critical. Direct ESA oversight. New obligations for their financial entity clients.
🔄
Exit Strategies
Documented and tested transition plans for every critical arrangement. Not optional, not theoretical.
🏛
Concentration Risk
Cross-sector dependencies on the same providers create systemic risk. Annual assessment required.

The Q1 2026 RoI submission was the first hard supervisory test. NCAs are now cross-referencing submitted data automatically — identifying providers absent from RoIs, inconsistencies with incident reporting history, and sub-outsourcing chains claimed to be non-existent for major cloud providers. If your submission was incomplete, supervisory follow-up is likely.

2 The Register of Information (Article 28)

Article 28(3) requires all in-scope financial entities to maintain a complete, up-to-date Register of Information covering every contractual arrangement with a third-party ICT service provider. Article 28(9) mandates annual submission of that register to the competent authority — and delivery upon request at any time.

What the RoI Must Contain

The ESA Implementing Technical Standard (ITS) translates Article 28(3) into a specific relational data model. The register is not a spreadsheet — it is a set of linked tables covering:

  • Entity and branch identification — who is submitting, including all group entities covered by a consolidated submission
  • Third-party provider master list — every ICT provider with its Legal Entity Identifier (LEI), country of establishment, and CTPP designation status
  • Contractual arrangements — one record per contract, with reference date, governing law, notice period, and criticality flag
  • Annual costs per arrangement — actual spend (prior year) and estimated cost (current year); feeds supervisory concentration analysis
  • ICT services received — each contract broken into individual service lines (cloud compute, managed security, data processing, etc.)
  • Functions supported — each ICT service mapped to the business function(s) it enables, with critical/important classification
  • ICT assets — servers, applications, databases associated with each service (mandatory for significant institutions from 2026)
  • Sub-outsourcing chains — material sub-contractors of providers delivering services to critical functions
  • Exit strategies — documented evidence that exit plans exist for critical arrangements

xBRL-CSV Format Requirements

Submissions must be delivered as an xBRL-CSV package: a folder containing a JSON metadata file (report-package.json), one CSV file per template following ESA taxonomy naming conventions, and references to the published ESA taxonomy version. Key validation requirements:

LEI codes
All providers must have valid, active 20-character LEI codes from the Global LEI Foundation. Expired or missing LEIs cause validation failures.
Controlled vocabularies
Country codes (ISO 3166-1 alpha-2), currency codes (ISO 4217), and service type codes must match ESA taxonomy exactly. Free text fails validation.
Referential integrity
Provider IDs, contract IDs, and function IDs must be consistent across all templates. A contract referencing a non-existent provider ID breaks the submission.
Business rule validation
A contract flagged as critical with no exit strategy entry triggers a validation error. Run the ESA ruleset before submission — not after.

Most Common Errors (Identified in the 2025 First Collection)

  • Missing or invalid LEIs — approximately one-third of first-round submissions had LEI issues. Run a Global LEI Foundation lookup against your entire provider list before submission.
  • Aggregated contracts — one record per provider instead of one record per contractual arrangement. A provider with five separate contracts needs five records.
  • Over-conservative criticality classification — classifying core banking infrastructure as non-critical to reduce scope. NCAs cross-reference criticality claims against incident reporting history.
  • Blank sub-outsourcing templates — major cloud providers sub-contract to infrastructure hyperscalers. Claiming no material sub-contractors for AWS or Azure deployments is not credible.
  • Empty exit strategy fields for critical arrangements — this is simultaneously a validation error and a substantive compliance gap.

Score your ICT providers before your next RoI review. Our Third-Party Risk Scorer helps you assess each provider against DORA requirements and identify contracts that need remediation before submission. Use the free tool →

3 Contractual Requirements: Article 30

Article 30 establishes minimum contractual content for all arrangements between financial entities and third-party ICT service providers supporting critical or important functions. These clauses are not optional and cannot be waived. If a contract predates DORA, it must be amended to include them.

The Mandatory Clause List

  • Clear and complete description of all ICT services to be provided, including whether sub-contracting is permitted and under what conditions.
  • Locations where services will be provided and where data will be processed and stored, including notification requirements for any change.
  • Service level objectives (SLOs) covering availability, performance, capacity, and security, with quantified targets and measurement methodology.
  • Notice period and reporting obligations for any development that may materially affect the provider's ability to deliver the contracted services.
  • Requirements for the provider to implement and test ICT business continuity plans and to participate in the financial entity's own continuity testing.
  • Full cooperation with ICT incident investigations affecting the financial entity, including providing logs, forensic data, and root cause analysis.
  • Unrestricted audit and inspection rights for the financial entity, its NCA, and relevant ESAs — including on-site access to the provider's premises.
  • Right to monitor performance continuously against agreed SLOs, with defined escalation procedures for underperformance.
  • Termination rights: the financial entity must be able to exit the contract under defined circumstances, including regulatory direction, material service degradation, or security concern.
  • Transition assistance period: upon termination, the provider must continue delivering services for a minimum period (typically 12 months) to allow an orderly transition.
  • Data portability and return: upon termination, all data belonging to the financial entity must be returned in a usable format and securely deleted from provider systems within a defined timeframe.
  • Sub-outsourcing restrictions: the financial entity's prior approval must be required for any material sub-contracting that affects services to critical or important functions.
  • Security standards compliance: the provider must maintain security standards at least equivalent to those required of the financial entity itself under DORA.
  • Disclosure obligations: the provider must proactively disclose any ICT incidents, security vulnerabilities, or regulatory actions affecting services to the financial entity.
  • Regulatory access: explicit provision allowing the financial entity's NCA direct access to the provider's premises and systems for supervisory examinations.

Contract remediation timeline. DORA does not provide a grace period for Article 30 contract compliance. Contracts predating January 2025 that lack these clauses are non-compliant today. Prioritise renegotiation or addendum for contracts supporting critical or important functions, starting with providers whose contracts are up for renewal soonest.

Sub-Outsourcing Chain Requirements

Where a provider sub-contracts elements of the service to another party, the financial entity must ensure that the sub-contracting chain is:

  • Fully mapped in the Register of Information
  • Approved by the financial entity (contractual approval right from the direct provider)
  • Subject to equivalent contractual protections flowing down the chain
  • Monitored for concentration risk — the same sub-contractor supplying multiple critical ICT providers creates systemic dependency

4 Due Diligence and Ongoing Monitoring

Pre-Contractual Assessment

Before entering any new arrangement with a third-party ICT provider for critical or important functions, financial entities must conduct a proportionate due diligence assessment. The assessment should cover:

Security and resilience

  • ISO 27001 or equivalent certification status
  • SOC 2 Type II reports (availability, confidentiality, integrity)
  • Penetration testing programme and results
  • Business continuity and disaster recovery capability
  • Incident history and mean time to recovery (MTTR) data

Operational and financial

  • Financial stability (audited accounts, credit ratings)
  • Ownership and control structure, including beneficial ownership
  • Regulatory status and licence history in relevant jurisdictions
  • Sub-contracting arrangements for the proposed services
  • Data residency and cross-border transfer arrangements

Ongoing Performance Monitoring

Post-contract, monitoring obligations are continuous. Regulators expect to see documented evidence of:

  • Quarterly SLO performance reviews against contractually defined metrics, with formal escalation where targets are missed
  • Annual audit or assessment of security controls and resilience measures — either through your own team or a qualified third party
  • Incident notification tracking: log every provider-reported incident affecting your services, date received, remediation timeline, and final closure
  • Change management notifications: review and approve any material changes to services, sub-contracting, data processing locations, or key personnel
  • Annual RoI update: reflect any changes to the contractual arrangement in the Register of Information within 30 days

Concentration Risk Analysis

Concentration risk — the risk that multiple critical functions depend on a single provider or a small number of providers — must be assessed at least annually. The analysis should cover:

  • Which providers support more than one critical function (internal concentration)
  • Which providers are shared with peer institutions in the same sector (systemic concentration — this feeds the CTPP designation process)
  • Geographic concentration: providers whose infrastructure is concentrated in a single data centre region or jurisdiction
  • Interdependencies: providers who themselves depend on a common underlying supplier (e.g., all major public clouds share certain semiconductor or networking suppliers)

Scenario: Your Cloud Provider Is Designated a CTPP

AWS, Azure, and Google Cloud are among the 19 designated Critical Third-Party Providers. If your institution uses any of these for critical or important functions, the designation changes your obligations in three ways:

  1. Your contracts with these providers are now subject to direct review by the Lead Overseer (EBA for banking). ESA examiners may request your contracts directly.
  2. The CTPP itself is required to cooperate with ESA oversight, including providing information about how it delivers services to your institution. You may receive requests for confirmation data.
  3. You must assess whether your concentration exposure to CTPP-designated providers exceeds your defined risk appetite, and document your concentration mitigation measures.

5 The 19 Designated Critical Third-Party Providers

In November 2025, the Joint Committee of the ESAs published the first list of Critical Third-Party Providers (CTPPs) designated under Article 31 of DORA. The designation reflects systemic importance to the EU financial sector — providers whose disruption would have sector-wide impact.

Provider Service category Primary services Lead overseer
Amazon Web Services (AWS) Cloud Cloud infrastructure, storage, compute, managed services EBA
Microsoft Azure Cloud Cloud infrastructure, SaaS (M365), AI services EBA
Google Cloud Cloud Cloud infrastructure, data analytics, AI/ML EBA
IBM IT Services Mainframe, managed services, consulting, hybrid cloud EBA
Oracle Software / Cloud Database, ERP, cloud infrastructure, financial applications EBA
Salesforce SaaS CRM, data platforms, financial services cloud EBA
SAP Software ERP, finance management, analytics, cloud migration EBA
SWIFT Financial Infra Interbank messaging, ISO 20022, correspondent banking EBA
Euroclear Post-Trade Securities settlement, custody, collateral management ESMA
Clearstream (Deutsche Börse) Post-Trade Securities settlement, custody, fund services ESMA
LCH (LSEG) Clearing Central counterparty clearing, risk management ESMA
Nasdaq Technology Trading Infra Exchange technology, surveillance, market data ESMA
FIS (Fidelity National) Payments / Core Banking Core banking, payment processing, wealth management systems EBA
Fiserv Payments Payment infrastructure, card processing, merchant services EBA
Temenos Core Banking Core banking software, digital banking, payments EBA
Finastra Financial Software Treasury, lending, payments, capital markets platforms EBA
SS&C Technologies Fund Services Fund administration, transfer agency, investor reporting ESMA
Broadridge Financial Investor Services Post-trade processing, investor communications, regulatory reporting ESMA
Murex Trading Systems Trading and risk management platform (MX.3) for capital markets ESMA

Source: ESA Joint Committee CTPP designation list, November 2025. Designations are subject to review and may be updated. Always verify current status with your Lead Overseer.

What CTPP Designation Means for Your Contracts

If your institution has a contractual arrangement with any of the 19 designated CTPPs for critical or important functions, specific obligations apply:

  • The CTPP is required to cooperate with its Lead Overseer — this may include the Overseer requesting information about services provided to your institution specifically
  • Your contracts with CTPPs may be reviewed directly by the ESA Lead Overseer during an examination of the CTPP
  • If the Lead Overseer issues a recommendation to the CTPP requiring service changes, you will receive notification and must assess the impact on your critical functions
  • If the Lead Overseer recommends your NCA require you to temporarily suspend or terminate a CTPP contract (Article 42(1)(f)), you must have an exit strategy ready to execute

Full analysis: CTPP Designations — Who Made the List and What It Means →

6 Practical Toolkit

Due Diligence Checklist for New ICT Providers

  • Request current ISO 27001 or SOC 2 Type II certification (not older than 12 months)
  • Review penetration testing programme: scope, frequency, and last test date
  • Confirm business continuity plan exists and has been tested within the last 12 months
  • Assess mean time to recover (MTTR) for incidents affecting the contracted service type
  • Review incident history: any major outages or security breaches in the last 24 months
  • Verify data encryption standards (at rest and in transit) and key management practices
  • Confirm vulnerability disclosure and patch management policies
  • Confirm all Article 30 mandatory clauses are present or will be included (use checklist from Section 3)
  • Verify governing law and jurisdiction for dispute resolution
  • Confirm unrestricted audit and inspection rights are explicitly granted
  • Verify sub-outsourcing approval rights: prior consent required for material sub-contracting
  • Confirm data portability and deletion obligations upon termination
  • Review indemnification and liability caps: ensure they do not limit DORA-required remedies
  • Confirm the transition assistance period is at least 12 months post-termination notice
  • Review last two years of audited financial statements: revenue trend, profitability, debt levels
  • Check credit ratings or financial stability indicators if available
  • Verify regulatory status: licences, authorisations, and any regulatory actions in last 36 months
  • Assess ownership and control: identify beneficial owners, flag state-ownership or conflict concerns
  • Map key sub-contracting dependencies for the proposed services
  • Assess data residency: confirm all data processing locations; flag non-EEA locations
  • Review DORA RoI submission status: is this provider already in other institutions' registers?
  • Define named relationship owner (internal) responsible for this provider relationship
  • Schedule quarterly SLO performance reviews: document outcomes and escalations
  • Schedule annual security audit or assessment (internal team or qualified third party)
  • Set up incident notification channel: define notification SLA and escalation path
  • Define change management approval process for material service changes
  • Add provider to annual RoI update schedule: review and refresh data within 30 days of any change
  • Include provider in annual concentration risk assessment
  • Test exit strategy: at minimum a tabletop exercise within 12 months of contract execution

Tools and Resources

🎯
Third-Party Risk Scorer
Score each ICT provider against DORA requirements across 5 dimensions. Identify which contracts need urgent remediation and prioritise your review programme.
Launch tool (free)
🔍
DORA Gap Analysis
Full 5-pillar compliance gap analysis including Pillar 4 third-party risk. Identify your weakest areas across the entire DORA framework in under 15 minutes.
Start assessment (free)
📄
RoI Submission Guide
Complete technical guide to the Register of Information: 15 templates, xBRL-CSV format, country deadlines, common errors, and automation recommendations.
Read the guide
📥
Gap Analysis Template
Download our structured third-party risk assessment template — pre-mapped to Article 28–44 requirements. Free with email registration.
Download free

Assess Your Third-Party Risk Programme

Use our free Third-Party Risk Scorer to identify which providers in your portfolio need urgent attention before your next supervisory review.

Score Your Providers Full Compliance Checklist Free Templates

Related Resources

RTS/ITS Standards Library

All 13 Regulatory Technical Standards under DORA decoded — including the RTS on third-party risk and the ITS on the Register of Information.

 Full CTPP Designation Analysis

Deep-dive on the 19 designated CTPPs: who made the list, the ESA designation methodology, and what it means for your institution's contracts.

 Register of Information Guide

xBRL-CSV format, 15 templates, national deadlines, common errors, and how to build a living register year-round.

 Banking Sector Guide

Third-party risk obligations specific to credit institutions, including SREP integration and significant institution thresholds.

 Insurance Sector Guide

DORA third-party risk for insurers and reinsurers — how EIOPA-supervised entities manage outsourcing under both DORA and Solvency II.

 45-Point Compliance Checklist

Interactive checklist covering all 5 DORA pillars — including the 8 Pillar 4 third-party risk items regulators examine first.