DORA · Regulation (EU) 2022/2554 · In force since 17 January 2025

The complete DORA guide for ICT third-party risk management

Every financial entity in scope (banks, insurers, investment firms, payment institutions) must implement structured, auditable third-party risk governance under Articles 28 to 44. This is the operational guide, and where Supplier Shield and Acuna GRC fit into your compliance programme.

Jan 2025: DORA fully in force. Supervisory submissions now expected.
Art. 30: mandatory contractual provisions per critical ICT contract, detailed in ESA RTS JC 2023/84.
Art. 28–44: the articles dedicated solely to ICT third-party governance.

§ What is DORA

Measurable resilience, not checkbox compliance

DORA is the EU regulation that standardises digital operational resilience across the financial sector. It requires firms to prove they can prevent, withstand, contain, and recover from ICT disruption, including disruption caused by the third-party providers they depend on for critical services.

DORA entered into application on 17 January 2025. National competent authorities (ECB, BaFin, AMF, ACPR, DNB, FMA, and others) are now requesting Registers of Information and ICT third-party risk evidence. Policy drafts are no longer sufficient. Auditable implementation is what supervisors expect to see.

In scope

  • Credit institutions and banks
  • Insurance and reinsurance firms
  • Investment firms and AIFMs
  • Payment and electronic money institutions
  • Crypto-asset service providers
  • UCITS management companies
  • ICT providers designated as critical (CTPPs)

§ Five pillars

What DORA requires across all five areas

DORA is structured around five pillars. Supplier Shield and Acuna GRC focus primarily on Pillar 4 (ICT third-party risk management), while the broader Acuna GRC platform covers Pillars 1 and 2.

01 · Art. 5–16 · ICT risk management (Acuna GRC)

Maintain a documented ICT risk management framework within the entity's overall governance structure, covering risk identification, protection, detection, response, and recovery.

02 · Art. 17–23 · ICT incident management (Acuna GRC)

Classify, log, manage, and report major ICT-related incidents to competent authorities within strict timelines. Early warning within 24 hours, full report within 72 hours.

03 · Art. 24–27 · Resilience testing

Run regular digital operational resilience testing programmes, including threat-led penetration testing (TLPT) for significant institutions designated by supervisors.

04 · Art. 28–44 · ICT third-party risk management (Supplier Shield, primary focus)

Implement strategy, governance, and continuous oversight of ICT providers. Maintain the Register of Information, enforce contractual provisions, monitor concentration risk, and hold exit strategies.

05 · Art. 45–49 · Information sharing

Participate voluntarily in cyber threat intelligence sharing arrangements with other financial entities and relevant authorities to strengthen sector-wide resilience.

§ Art. 28–44 in detail

ICT third-party obligations: what supervisors will verify

These are the specific obligations in Articles 28 to 44 that ECB, BaFin, AMF, ACPR, DNB, and other competent authorities verify in supervisory reviews, on-site inspections, and annual Register of Information submissions.

Art. 28(2) · Supplier Shield
ICT third-party risk policy and Register of Information

Define and maintain a documented ICT third-party risk policy. Build and maintain a Register of Information covering every ICT contractual arrangement, the functions supported, the systems involved, and the full sub-contracting chain. The Register is submitted annually to your NCA in the EBA/ESMA Annex III template format.

Art. 28(4) · Supplier Shield
Pre-contract due diligence

Before onboarding any ICT provider, conduct structured due diligence proportionate to the criticality of the service. Assess the provider's security controls, operational resilience, financial stability, and sub-contracting arrangements. Results must be documented and retained as evidence.

Art. 29 · Supplier Shield
ICT concentration risk at entity level

Assess and monitor concentration risk: identify where a single provider supports multiple critical or important functions, analyse geographic concentration, and evaluate substitutability. Where replacement within a reasonable timeframe is not possible, the risk must be escalated and documented. Firms with CTPPs in their register face heightened scrutiny.

Art. 30 · Supplier Shield
Mandatory contractual provisions for critical ICT contracts

Contracts with providers of critical or important ICT services must include: full service description and SLAs, data location and accessibility clauses, audit and access rights for the firm and competent authorities, security and resilience obligations, incident reporting requirements, sub-contracting disclosure and approval rights, business continuity cooperation, and documented termination and exit support terms. The ESA RTS on contractual requirements (JC 2023/84) specifies the content expected for each element.

Art. 31 + 33–44 · Supplier Shield
Critical ICT Third-Party Service Providers (CTPPs)

EBA, EIOPA, and ESMA jointly designate providers as CTPPs and subject them to direct supervisory oversight. If a provider in your Register is designated CTPP (major cloud hyperscalers including AWS, Microsoft Azure, and Google Cloud are among those being assessed), you must adapt your governance, escalate monitoring intensity, and ensure your contractual arrangements cover the additional CTPP oversight obligations.

Art. 32 · Supplier Shield
Exit strategies

For every critical ICT provider, document and periodically test an exit strategy covering: service substitution options, data portability and migration, transition timelines, and continuity of operations during transition. Exit strategies must be reviewed annually and reassessed when the provider receives CTPP designation, following an incident, or when a material change in the contractual arrangement occurs.

Art. 5–16 · Acuna GRC
ICT risk management framework

Maintain a documented ICT risk management framework embedded in overall governance, with board-level accountability. Cover identification, protection, detection, response, and recovery. The framework must be reviewed at least annually and after significant ICT incidents or major changes.

§ How the platform covers DORA

What Supplier Shield and Acuna GRC do for each obligation

Supplier Shield is the TPRM module inside Acuna GRC. Together they cover the ICT third-party obligations and the broader ICT risk management framework that DORA requires.

Register of Information
Art. 28 · Annex III EBA/ESMA template

Import your existing ICT supplier list, classify each provider by criticality (critical, important, or standard), document sub-contracting chains, and map which functions and systems each contract supports. Export the completed Register in the Annex III format expected for annual NCA submission. Fields align to the ITS published in EBA/GL/2024/02.

OSINT automated risk scoring
Art. 28(4) · continuous · A–F grades

Before a due diligence questionnaire is even sent, Supplier Shield scans each ICT provider externally: DNS hygiene, TLS configuration, breach exposure, and threat intelligence signals. Each provider receives a composite A–F grade that updates automatically. Your team starts due diligence with external posture already quantified, not with a blank questionnaire sent into silence.

Art. 30 contractual gap analysis
Key contractual provisions · per contract

Structured checklists verify the mandatory DORA contractual provisions per critical ICT contract: service description, SLA, data location, audit rights, incident obligations, sub-contracting disclosure, exit support, and continuity cooperation. Aligned to the ESA RTS on contractual requirements (JC 2023/84). Gaps surface into a remediation queue with owner assignments and deadlines.

Concentration risk monitoring
Art. 29 · entity-level · annual reporting

Identify where a single ICT provider supports multiple critical or important functions. Track geographic concentration and substitutability ratings per provider. Where a CTPP is in your register, flag the heightened monitoring obligation automatically. Generate the concentration risk data your team needs for the annual supervisory submission.
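The Art. 29 assessment described above (here and under "ICT concentration risk at entity level") is easy to express as a pass over the register itself. The following is an added example written for this page, not Supplier Shield code and not the Annex III schema: the register rows, the field names (provider, function, criticality, country, substitutable) and the CTPP watchlist are constructed assumptions. It groups register rows by provider, counts the critical or important functions each one supports, flags providers that cannot be replaced within a reasonable timeframe for escalation, marks watchlisted providers for heightened monitoring, and summarises how many critical or important functions sit in each country.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample register (simplified). The real Annex III ITS fields are not
# reproduced here; these column names are assumptions for illustration only.
REGISTER = [
    {"provider": "CloudCo",   "function": "core banking ledger", "criticality": "critical",  "country": "IE", "substitutable": False},
    {"provider": "CloudCo",   "function": "payments gateway",    "criticality": "critical",  "country": "IE", "substitutable": False},
    {"provider": "CloudCo",   "function": "HR portal",           "criticality": "standard",  "country": "IE", "substitutable": True},
    {"provider": "KYC Ltd",   "function": "customer onboarding", "criticality": "important", "country": "DE", "substitutable": True},
    {"provider": "MailX",     "function": "marketing email",     "criticality": "standard",  "country": "NL", "substitutable": True},
    {"provider": "DataVault", "function": "backup storage",      "criticality": "critical",  "country": "IE", "substitutable": False},
]

# Constructed placeholder: providers designated, or under assessment, as CTPPs.
CTPP_WATCHLIST = {"CloudCo"}

CIF_TIERS = ("critical", "important")  # "critical or important functions" in DORA terms


@dataclass
class ProviderExposure:
    provider: str
    cif_functions: list = field(default_factory=list)  # critical/important functions supported
    countries: set = field(default_factory=set)
    non_substitutable: bool = False
    ctpp: bool = False
    findings: list = field(default_factory=list)


def assess_concentration(register, ctpp_watchlist, threshold=2):
    """Group register rows per provider and attach Art. 29-style findings.

    threshold: number of critical/important functions at which a single
    provider counts as a concentration (an assumed policy parameter).
    """
    by_provider = {}
    for row in register:
        exp = by_provider.setdefault(row["provider"], ProviderExposure(row["provider"]))
        exp.countries.add(row["country"])
        exp.ctpp = row["provider"] in ctpp_watchlist
        if row["criticality"] in CIF_TIERS:
            exp.cif_functions.append(row["function"])
            if not row["substitutable"]:
                exp.non_substitutable = True

    for exp in by_provider.values():
        if len(exp.cif_functions) >= threshold:
            exp.findings.append(
                f"single provider supports {len(exp.cif_functions)} critical/important functions")
        if exp.cif_functions and exp.non_substitutable:
            exp.findings.append(
                "no replacement within a reasonable timeframe: escalate and document")
        if exp.ctpp:
            exp.findings.append("CTPP designated or under assessment: heightened monitoring")
    return by_provider


def escalations(by_provider):
    """Providers with at least one finding, for the remediation / escalation queue."""
    return sorted(p for p, exp in by_provider.items() if exp.findings)


def cif_functions_by_country(register):
    """Geographic concentration: critical/important functions hosted per country."""
    counts = defaultdict(int)
    for row in register:
        if row["criticality"] in CIF_TIERS:
            counts[row["country"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = assess_concentration(REGISTER, CTPP_WATCHLIST)
    for name in escalations(result):
        print(name)
        for finding in result[name].findings:
            print("  -", finding)
    print("critical/important functions per country:", cif_functions_by_country(REGISTER))
```

The threshold and the substitutability flag are the two policy inputs a firm would tune; the point of the pass is that every escalation is traceable to specific register rows, which is the evidence a supervisor asks for.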

Exit strategy management
Art. 32 · documented and periodically reviewed

For each critical ICT provider, document service substitution options, data portability and migration approach, transition timelines, and continuity obligations during transition. Supplier Shield tracks review dates and triggers reassessment when a provider receives CTPP designation, following an incident, or when a material contractual change is logged.

Multi-framework control mapping
DORA + GDPR + ISO 27001 · one record

The DORA Art. 30 contractual provisions, GDPR Art. 28 data processing agreements, and ISO 27001:2022 Annex A controls 5.19–5.22 (supplier relationships) govern the same underlying vendor relationship. In Acuna GRC, one vendor record maps to all three frameworks simultaneously. Your ICT register and your data protection register are the same record. No duplicate questionnaires, no conflicting evidence.

Full platform overview: Acuna GRC cloud platform

§ Implementation roadmap

DORA ICT third-party compliance in five steps

A practical sequence for financial entities building or maturing their DORA third-party risk programme, from initial inventory to continuous supervisory evidence.

1. Build your ICT vendor inventory

Create a complete Register of Information covering all ICT providers, services, systems they touch, and the owners responsible. Map sub-contracting chains and fourth-party dependencies.

Supplier Shield: import existing supplier list, auto-classify by criticality, surface missing sub-contractor data.

2. Tier providers by DORA criticality

Classify each provider as critical, important, or standard based on business criticality, data sensitivity, substitutability, and concentration exposure. Criticality tier drives due diligence depth and monitoring frequency.

Supplier Shield: configurable criticality scoring with automatic tier assignment.

3. Run due diligence and close contractual gaps

Assess security and resilience controls against DORA requirements. Verify that each critical ICT contract includes the mandatory Art. 30 provisions as specified in the ESA RTS (JC 2023/84). Assign remediation owners and deadlines for every gap identified.

Supplier Shield: structured questionnaires aligned to Art. 29 requirements, plus Art. 30 contractual checklist per contract.

4. Monitor concentration risk and exit readiness

Identify and quantify single-provider dependencies across critical functions. Document tested exit strategies for each critical ICT provider. Prepare the Annex III concentration risk report for supervisory submission.

Supplier Shield: concentration risk reports aligned to EBA/ESMA guidance; Annex III export format.

5. Sustain ongoing oversight and supervisory evidence

Maintain continuous monitoring of all critical providers. Update the Register of Information as relationships evolve. Produce board-level and regulator-ready reports on your ICT third-party posture.

Supplier Shield + Acuna GRC: automated review cycles, real-time OSINT signals, and Aiko AI (Acuna's built-in compliance assistant) for on-demand questions about your third-party posture.

§ Acuna GRC

DORA, GDPR, and ISO 27001 in one control. No duplicate work.

Supplier Shield is the TPRM module inside Acuna GRC. Your ICT vendor register connects directly to your broader risk register, data protection framework, multi-framework control mapping, and internal audit workflows. One platform, Swiss-hosted, covering 50+ GRC frameworks including DORA, NIS2, GDPR, ISO 27001, and SOC 2.

§ FAQ

Common questions about DORA

What is DORA in one sentence?

DORA is the EU regulation that requires financial entities to prove they can prevent, withstand, and recover from ICT disruption, including disruption caused by critical third-party providers.

Who must comply with DORA?

DORA applies to credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, AIFMs, UCITS management companies, crypto-asset service providers, and others listed in Art. 2. Swiss-headquartered groups with EU-regulated entities are in scope for those entities. Microenterprises (fewer than 10 staff, under €2M turnover) may use the simplified ICT risk framework under Art. 4.

When did DORA become applicable?

DORA entered into application on 17 January 2025. National competent authorities began requesting Register of Information submissions and evidence of ICT third-party governance shortly after. Institutions still presenting policy drafts rather than operational evidence are behind the supervisory curve.

What does DORA require for third-party risk?

Articles 28 to 44 require: a documented ICT third-party risk policy, a Register of Information submitted annually to your NCA, structured pre-contract due diligence (Art. 28(4)), mandatory contractual provisions for critical or important ICT services (Art. 30, detailed in ESA RTS JC 2023/84), concentration risk assessment and monitoring (Art. 29), exit strategies for critical providers (Art. 32), and adapted governance when a provider is designated a Critical ICT Third-Party Service Provider (Art. 31, 33–44).

What are the mandatory contractual provisions under DORA Art. 30?

DORA Art. 30 requires that contracts for critical or important ICT services include: a complete description of the service and SLAs, data location and accessibility clauses, audit and access rights for the firm and its competent authority, security and resilience obligations, incident reporting and cooperation requirements, sub-contracting disclosure and approval rights, business continuity cooperation, and termination and exit support provisions. The ESAs published the detailed RTS on contractual requirements (JC 2023/84) specifying what each element must cover in practice.

What are Critical ICT Third-Party Service Providers (CTPPs), and do they affect us?

ESAs (EBA, EIOPA, ESMA) jointly designate certain ICT providers as CTPPs and subject them to direct supervisory oversight. Major cloud hyperscalers (AWS, Microsoft Azure, Google Cloud) are among those being assessed for designation. If a CTPP is in your Register of Information, you must adapt your governance: the CTPP oversight framework (Art. 33–44) introduces additional obligations around monitoring, reporting, and contractual cooperation. Financial entities should flag every provider in their register that has received or is under assessment for CTPP designation.

What is the Register of Information and how is it submitted?

The Register of Information is a structured inventory of all ICT contractual arrangements, the ICT services provided, the functions they support, and the full sub-contracting chain. Financial entities must submit it annually to their NCA. EBA and ESMA published the final ITS (EBA/GL/2024/02) specifying the exact data fields and Annex III template format required for submission. Supplier Shield exports the Register directly in the Annex III format.

Do we need to tier ICT vendors by criticality?

Yes. DORA requires firms to classify each ICT provider by criticality (critical, important, or standard) based on business impact, substitutability, data sensitivity, and concentration exposure. Criticality tier determines due diligence depth, contractual provision requirements, monitoring frequency, and the exit strategy obligations that apply.

What are the enforcement consequences for non-compliance?

DORA does not set harmonised EU-level fines equivalent to GDPR's 4% of global turnover. Instead, enforcement is delegated to national competent authorities, which may impose administrative sanctions under their own national frameworks. Supervisory findings in DORA reviews (inadequate Registers of Information, missing contractual provisions, undocumented exit strategies) can lead to remediation orders, supervisory letters, and reputational consequences that affect licence conditions. The oversight framework for CTPPs includes the Joint Oversight Network (JON), where ECB, EBA, EIOPA, and ESMA coordinate enforcement.

We already have a vendor management programme under EBA outsourcing guidelines. What changes under DORA?

DORA replaces the EBA Guidelines on Outsourcing Arrangements (GL/2019/02) for ICT-related services and adds material obligations: the Register of Information replaces outsourcing registers with a more structured format and mandatory annual NCA submission; the Art. 30 contractual provisions are more detailed than the outsourcing guidelines required; concentration risk assessment (Art. 29) is now a formal, documented, and reported obligation; and exit strategies must be documented and periodically tested, not just planned. Existing outsourcing registers are a starting point, but almost all firms require material remediation to meet DORA.

How does DORA relate to GDPR and NIS2?

DORA focuses on ICT operational resilience for financial entities. GDPR governs personal data protection. NIS2 governs cybersecurity for essential and important entities across sectors. A financial institution subject to DORA may also be subject to GDPR and, depending on jurisdiction, NIS2. The overlapping control obligations (particularly around ICT vendor contracts) can be mapped to shared controls in Acuna GRC so that one assessment satisfies multiple frameworks simultaneously.

How does Supplier Shield support DORA implementation?

Supplier Shield is the TPRM module inside Acuna GRC. It covers the Art. 28–44 obligations: structured vendor register in Annex III format, OSINT-based pre-assessment, Art. 30 contractual gap analysis per contract, concentration risk monitoring and reporting, exit strategy management, and continuous oversight with automatic review triggers. Acuna GRC covers the broader ICT risk management framework (Art. 5–16) and multi-framework control mapping across DORA, GDPR, and ISO 27001.

Your DORA ICT third-party register, structured and supervisor-ready.

Book a focused session with our team. We will map your current ICT third-party posture to Articles 28 to 44 and show you exactly where Supplier Shield closes the gaps.