ICT Third-Party Risk (DORA)

ICT third-party risk is the risk that financial entities assume when using ICT service providers. DORA sets detailed requirements for actively managing these risks – including through contractual requirements, ongoing monitoring and exit strategies.



    What is ICT third-party risk?

    ICT third-party risk arises when a financial entity outsources or procures ICT services from external providers – for example cloud computing, software-as-a-service (SaaS), data centre services or IT operations. These vendor relationships create dependencies and risks that can affect the financial entity's ability to deliver critical services.

    DORA Chapter V (Articles 28–44) is one of the regulation's most extensive sections and covers everything from due diligence at contract inception to oversight of critical ICT third-party service providers.

    DORA's requirements for third-party management

    DORA imposes the following requirements for managing ICT third-party risks:

    • Register of contracts: Financial entities must maintain a register of all ICT third-party contracts, including a criticality classification.
    • Due diligence: Thorough assessment of ICT service providers prior to contract conclusion, including their security measures and financial stability.
    • Contractual requirements: Specific minimum requirements for contract content (see below).
    • Ongoing monitoring: Regular assessment of critical third parties' performance and security posture.
    • Exit strategies: Documented plans for terminating critical agreements without losing operational continuity.
    • Concentration risk: Assessment and management of the risk of excessive dependence on one or a few providers.

    Contractual minimum requirements

    DORA Article 30 sets out the contractual elements that must, as a minimum, be included in contracts with ICT service providers. Article 30(2) lists the elements required in every ICT contract; Article 30(3) adds further elements (such as audit rights and detailed exit arrangements) for contracts supporting critical or important functions. Taken together, the minimum content includes:

    • Clear service descriptions and service level agreements (SLAs).
    • Provisions on availability and security.
    • Obligation to report ICT incidents.
    • Right of audit and inspection.
    • Exit clauses and transfer rights.
    • Provisions on data processing and data location.
    • Provisions on the use of sub-contractors.


    Existing contracts must be reviewed:
    DORA contains no grandfathering clause for existing contracts. Its requirements apply from 17 January 2025 to all in-scope contractual arrangements, new and existing alike, so financial entities must review their current contracts with ICT service providers against Article 30, identify gaps and amend the contracts accordingly, rather than waiting for the next renewal date.

    Frequently Asked Questions about ICT Third-Party Risk (DORA)

    Do DORA's third-party requirements apply to all vendor contracts?

    DORA's most detailed contractual requirements apply primarily to ICT service providers supporting critical or important functions. However, all ICT third-party contracts must be registered and undergo a basic risk assessment.

    What is the difference between ICT third-party risk under DORA and supply chain security under NIS2?

    Both address vendor risks, but DORA is far more detailed and specifies precise contractual requirements, registration obligations and an EU supervisory regime for critical ICT service providers. NIS2's supply chain security is more principles-based and broader in sector coverage.

    What is concentration risk in the context of DORA?

    Concentration risk refers to the danger of excessive dependence on a single or small number of ICT service providers. DORA requires financial entities to assess and manage this risk, considering the potential impact if a critical provider were to fail or be disrupted.

    Does DORA regulate cloud service providers directly?

    DORA introduces an oversight framework (Articles 31–44) for ICT third-party service providers designated as critical, which in practice includes major cloud providers. The European Supervisory Authorities designate a provider as critical and appoint one of themselves as its Lead Overseer. The Lead Overseer can request information, conduct investigations and on-site inspections, issue recommendations and impose periodic penalty payments on providers that do not comply. This oversight does not replace the financial entity's own responsibility: the entity remains accountable for managing the risk of every ICT provider it uses, critical or not.

    What must an exit strategy for ICT third-party arrangements include?

    An exit strategy must include plans for migrating services to alternative providers or bringing them in-house, transition timelines, data portability arrangements and measures to ensure continuity of critical functions during the transition period.
