DORA Requirements for ICT Third Party Service Providers

As the compliance ‘go live’ date for the Digital Operational Resilience Act (DORA), set for 17th January 2025, draws closer, both financial institutions and their technology suppliers are navigating a complex new regulatory landscape.

While regulated firms are implementing new policies to manage ICT risk, technology suppliers are faced with a critical question: how should they prepare?

How Technology Suppliers (FinTechs) can prepare for DORA: A practical guide to compliance

This blog post clarifies the implications of DORA specifically for technology suppliers, outlining what the DORA third party requirements are and providing practical steps to ensure compliance ahead of the deadline.

What is DORA?

The Digital Operational Resilience Act (DORA) is a pivotal piece of EU legislation designed to enhance the security and operational resilience of the financial sector. It introduces a standardised framework for managing information and communication technology (ICT) risks across both financial entities and their technology service providers.

DORA aims to ensure that all players in the financial ecosystem are capable of withstanding, responding to, and recovering from ICT-related disruptions and cyber threats. The regulation covers incident reporting, operational resilience testing, and critical third-party management, ultimately building a more robust and resilient financial system.

DORA came into force across the EU on 16th January 2023, with a two-year transition period for full compliance. Non-compliance could lead to hefty fines, comparable to those under the General Data Protection Regulation (GDPR).

How does DORA apply to Third-Party Providers?

Given the financial industry’s growing reliance on external technology providers, the stability and resilience of these suppliers have become a key concern for regulators. DORA directly addresses this by bringing third-party technology suppliers within its scope for the first time.

This includes a broad range of ICT suppliers, such as cloud providers, SaaS platforms, market data firms, and network providers. DORA mandates that these suppliers meet the same cybersecurity and operational resilience standards as their financial clients. This involves more than just compliance; it requires ongoing assessments, robust risk management, and increased transparency throughout the supply chain.

Are technology vendors being directly regulated under DORA?

No, ICT suppliers will not be directly regulated by DORA. However, the onus is on regulated financial entities to monitor and manage their suppliers as they would their own internal ICT operations. While firms can outsource technology services, they cannot outsource accountability. Financial institutions remain fully responsible for ensuring their suppliers comply with DORA’s standards.

That said, some vendors providing essential services may be classified as Critical Third-Party Providers (CTPPs). These firms will be subject to direct oversight and audits by “Lead Overseers” appointed and governed by the European Supervisory Authorities (ESAs) and National Competent Authorities (NCAs). Such designation brings enhanced scrutiny and a range of additional requirements, as outlined later in this blog.

Key responsibilities for third-party technology suppliers under DORA

Under DORA, third-party technology suppliers are expected to meet stringent requirements, similar to those of their regulated clients. Key obligations include:

1. Ensuring Service Continuity:
Suppliers must demonstrate high standards of operational resilience. Theoretical plans will no longer suffice: companies need to regularly test their business continuity and disaster recovery (BCP/DR) plans and be able to provide evidence of those exercises.

2. Cybersecurity Measures:
DORA mandates a strong set of cybersecurity controls to protect against threats. Providers must be able to evidence these controls and demonstrate compliance through testing and documentation.

3. Incident Reporting:
Significant incidents affecting services must be reported promptly to financial clients, ideally using DORA’s standardised formats. This ensures clients can meet DORA’s stringent requirement to notify regulators of major incidents within 4 hours.

4. Risk Management Framework:
While many suppliers already have risk management frameworks (e.g., ISO 27001 or SOC 2), DORA’s requirements go further. Adoptech have mapped the legislation and technical standards to ~400 rules.

5. Third-Party Oversight:
Suppliers must oversee, track and share data on their subcontractors (fourth, fifth, and even sixth parties) with the same rigour their clients apply to them. This includes maintaining a detailed supply chain “Register of Information”, the details of which are outlined below.

6. Cooperation with Regulatory Authorities:
Suppliers must be prepared to cooperate with audits, inspections, and other regulatory activities.

What are Critical Third-Party Providers (CTPPs)?

A supplier may be designated as a Critical ICT Third-Party Service Provider (CTPP) under DORA if its failure could lead to significant disruptions in financial services or if it holds a key, irreplaceable position within the financial system’s technological infrastructure.

How will suppliers be designated as CTPPs?

Following an initial assessment in 2025, the ESAs will designate a number of technology suppliers as CTPPs. The assessment will take into account:

  1. Systemic Impact on Financial Services: If an operational failure of the supplier would significantly disrupt the stability, continuity, or quality of financial services, particularly for a large number of financial entities or entities with high total asset value, they may be deemed critical.
  2. Systemic Importance of Dependent Financial Entities: If systemically important institutions (like G-SIIs or O-SIIs) rely on the supplier, and these institutions are interconnected with other financial entities, increasing overall system dependency, the supplier may be designated as critical.
  3. Reliance on Critical or Important Functions: When financial entities depend heavily on the supplier for critical or important functions, either directly or through subcontracting, this can contribute to a CTPP designation.
  4. Lack of Substitutability: The supplier may be considered critical if it is difficult to replace due to factors such as limited alternatives, technical complexity, proprietary technology, or the high costs and risks associated with migrating services to another provider.

What are the implications of being designated a CTPP under DORA?

  • Designation & Oversight:
    CTPPs will be subject to direct oversight by a Lead Overseer and will be monitored by a joint team from the ESAs and NCAs.
  • Stress Testing:
    CTPPs must undergo regular stress testing to assess their ability to handle cyberattacks or operational disruptions.
  • Increased Transparency:
    CTPPs must provide transparency into their operations, risk management, and incident response.
  • Cost of Compliance:
    CTPPs will bear the cost of regulatory audits and may need to hire additional expertise to handle the compliance burden.
  • Enhanced Credibility:
    Achieving CTPP status can enhance trust and credibility, signalling to clients that a provider is under direct regulatory oversight.

How will DORA change supplier risk management for financial institutions?

DORA mandates that financial entities implement a comprehensive Third-Party Risk Management (TPRM) strategy that covers not only direct suppliers but also their sub-contractors. The TPRM programme requires financial firms to:

  • Implement a TPRM policy that defines oversight processes, risk management, and exit strategies.
  • Include specific contractual obligations in agreements with ICT providers, such as rights to sub-contract and to audit, SLAs, and incident response procedures.
  • Maintain a complex Register of Information that captures the entire ICT supply chain.
  • Evidence a review of outsourcing strategy including assessment of concentration risk and justification for decisions made.

The Registers of Information

Under DORA, financial entities are required to maintain a Register of Information (RoI) that catalogs all ICT third-party service provider contracts. This register must include detailed information on the services provided, such as the service provider’s Legal Entity Identifier (LEI), the type of service, the business functions supported, the entity’s reliance on the service, data processing locations, service criticality, recovery time objectives, exit plans, material sub-contractors, and more.

The register must be formatted in a complex structure and be readily available to National Competent Authorities (NCAs) upon request.

The purpose of the register is to:

  • Enable financial entities to better monitor their ICT third-party dependencies and assess risk levels.
  • Allow national competent authorities to supervise ICT and third-party risk management at financial entities.
  • Provide the European Supervisory Authorities (ESAs) with the data required to designate certain suppliers as critical ICT third-party providers (CTPPs).
  • Help financial entities demonstrate DORA compliance to regulators.

Contractual obligations under DORA

Financial entities must establish detailed contracts with their ICT providers to manage risks effectively. The full requirements are listed in our Guide to DORA; key elements include:

  • Risk Management & Mitigation:
    Contracts must outline how the provider manages and mitigates risks, particularly in relation to cybersecurity threats, operational failures, and data breaches.
  • Service Level Agreements (SLAs):
    Agreements must specify performance standards, incident response times, and dispute resolution procedures.
  • Termination & Exit Strategies:
    Contracts should include exit strategies to enable smooth transitions to an alternative third-party or to bring the service back in-house without service disruptions.
  • Right to Audit:
    Financial firms must have the right to audit their providers to ensure compliance with DORA’s resilience requirements.

How can Adoptech help you comply with DORA?

Adoptech brings together a unique blend of skills, with our founders experienced in Financial Services, RegTech, Fintech and information security. We understand the requirements of DORA, its implications and how a blend of automation and expertise can help financial entities and their suppliers achieve and maintain compliance.

We offer extensive expertise in compliance, information security, operational resilience and third-party risk management. Our expert team offers comprehensive solutions to help companies navigate the complexities of DORA implementation and establish robust frameworks for ongoing compliance and resilience.

Create, automate and monitor compliance

We can help you to create and automate the policies and processes you will need to comply with DORA, including:

Register of Information

Maintain your technology supplier register with ease. We’ve removed the complexity so you can export the data in DORA’s complex “Register of Information” format in seconds.

Invite your suppliers to maintain and share their Register of Information with you and automatically gain a picture of your supply chain, with no need to manually maintain the supplier data.

Risk & Control Tracking

Capture risks and automatically link controls and policies. Divide responsibility and track compliance against DORA’s ~400 rules that have been mapped out with guidance and can be directly tracked back to the legislation and technical standards.

Automated Compliance Management

Remove manual compliance checks by using our API integrations to run ongoing tests to confirm compliance with DORA controls. Tests can be set up for everything from employee background checks being completed to data being encrypted at rest.

Automated Document Management

Generate, track and share the 50 DORA aligned documents, policies, and reports through our centralised platform.

DORA Accredited

Adoptech’s DORA accreditation scheme is designed to show an organisation has a DORA compliant risk management framework in place. Self-certification and independent accreditation options are available.

Evidence compliance with DORA Accreditation and Audit Report

Demonstrate your organisation’s commitment to DORA compliance with an independent DORA Audit Report. Experienced independent auditors evaluate your controls and operational resilience, generating a detailed report that details your firm’s level of compliance with DORA’s standards. Such reports are essential for building trust with clients and demonstrating compliance to the Board and the regulators.

Avoid Costly Fines: Non-compliance can result in fines of up to 1% of average daily worldwide turnover per day until compliance is achieved, for up to six months. Completing a DORA audit ensures you’re not only compliant but also prepared for potential disruptions.

Looking to implement DORA?

Let us show you the future of security compliance and automation.

Need to know more about DORA?

Download ‘An Overview to DORA’ and learn how DORA applies to your business.