Every financial entity in scope (banks, insurers, investment firms, payment institutions) must implement structured, auditable third-party risk governance under Articles 28 to 44. This is the operational guide, and where Supplier Shield and Acuna GRC fit into your compliance programme.
§ What is DORA
DORA is the EU regulation that standardises digital operational resilience across the financial sector. It requires firms to prove they can prevent, withstand, contain, and recover from ICT disruption, including disruption caused by the third-party providers they depend on for critical services.
DORA entered into application on 17 January 2025. National competent authorities (ECB, BaFin, AMF, ACPR, DNB, FMA, and others) are now requesting Registers of Information and ICT third-party risk evidence. Policy drafts are no longer sufficient. Auditable implementation is what supervisors expect to see.
§ Five pillars
DORA is structured around five pillars. Supplier Shield and Acuna GRC focus primarily on Pillar 4 (ICT third-party risk management), while the broader Acuna GRC platform covers Pillars 1 and 2.
Pillar 1, ICT risk management (Acuna GRC): maintain a documented ICT risk management framework within the entity's overall governance structure, covering risk identification, protection, detection, response, and recovery.
Pillar 2, ICT-related incident reporting (Acuna GRC): classify, log, manage, and report major ICT-related incidents to competent authorities within strict timelines. Early warning within 24 hours, full report within 72 hours.
Pillar 3, digital operational resilience testing: run regular digital operational resilience testing programmes, including threat-led penetration testing (TLPT) for significant institutions designated by supervisors.
Pillar 4, ICT third-party risk management (Supplier Shield): implement strategy, governance, and continuous oversight of ICT providers. Maintain the Register of Information, enforce contractual provisions, monitor concentration risk, and hold exit strategies.
Pillar 5, information sharing: participate voluntarily in cyber threat intelligence sharing arrangements with other financial entities and relevant authorities to strengthen sector-wide resilience.
§ Art. 28–44 in detail
These are the specific obligations in Articles 28 to 44 that ECB, BaFin, AMF, ACPR, DNB, and other competent authorities verify in supervisory reviews, on-site inspections, and annual Register of Information submissions.
Define and maintain a documented ICT third-party risk policy. Build and maintain a Register of Information covering every ICT contractual arrangement, the functions supported, the systems involved, and the full sub-contracting chain. The Register is submitted annually to your NCA in the EBA/ESMA Annex III template format.
Before onboarding any ICT provider, conduct structured due diligence proportionate to the criticality of the service. Assess the provider's security controls, operational resilience, financial stability, and sub-contracting arrangements. Results must be documented and retained as evidence.
Assess and monitor concentration risk: identify where a single provider supports multiple critical or important functions, analyse geographic concentration, and evaluate substitutability. Where replacement within a reasonable timeframe is not possible, the risk must be escalated and documented. Firms with CTPPs in their register face heightened scrutiny.
Contracts with providers of critical or important ICT services must include: full service description and SLAs, data location and accessibility clauses, audit and access rights for the firm and competent authorities, security and resilience obligations, incident reporting requirements, sub-contracting disclosure and approval rights, business continuity cooperation, and documented termination and exit support terms. The ESA RTS on contractual requirements (JC 2023/84) specifies the content expected for each element.
EBA, EIOPA, and ESMA jointly designate providers as CTPPs and subject them to direct supervisory oversight. If a provider in your Register is designated CTPP (major cloud hyperscalers including AWS, Microsoft Azure, and Google Cloud are among those being assessed), you must adapt your governance, escalate monitoring intensity, and ensure your contractual arrangements cover the additional CTPP oversight obligations.
For every critical ICT provider, document and periodically test an exit strategy covering: service substitution options, data portability and migration, transition timelines, and continuity of operations during transition. Exit strategies must be reviewed annually and reassessed when the provider receives CTPP designation, after an incident, or when a material change in the contractual arrangement occurs.
Maintain a documented ICT risk management framework embedded in overall governance, with board-level accountability. Cover identification, protection, detection, response, and recovery. The framework must be reviewed at least annually and after significant ICT incidents or major changes.
§ How the platform covers DORA
Supplier Shield is the TPRM module inside Acuna GRC. Together they cover the ICT third-party obligations and the broader ICT risk management framework that DORA requires.
Import your existing ICT supplier list, classify each provider by criticality (critical, important, or standard), document sub-contracting chains, and map which functions and systems each contract supports. Export the completed Register in the Annex III format expected for annual NCA submission. Fields align to the ITS published in EBA/GL/2024/02.
Before a due diligence questionnaire is even sent, Supplier Shield scans each ICT provider externally: DNS hygiene, TLS configuration, breach exposure, and threat intelligence signals. Each provider receives a composite A–F grade that updates automatically. Your team starts due diligence with external posture already quantified, not with a blank questionnaire sent into silence.
Structured checklists verify the mandatory DORA contractual provisions per critical ICT contract: service description, SLA, data location, audit rights, incident obligations, sub-contracting disclosure, exit support, and continuity cooperation. Aligned to the ESA RTS on contractual requirements (JC 2023/84). Gaps surface into a remediation queue with owner assignments and deadlines.
Identify where a single ICT provider supports multiple critical or important functions. Track geographic concentration and substitutability ratings per provider. Where a CTPP is in your register, flag the heightened monitoring obligation automatically. Generate the concentration risk data your team needs for the annual supervisory submission.
For each critical ICT provider, document service substitution options, the data portability and migration approach, transition timelines, and continuity obligations during transition. Supplier Shield tracks review dates and triggers reassessment when a provider receives CTPP designation, after an incident, or when a material contractual change is logged.
The DORA Art. 30 contractual provisions, GDPR Art. 28 data processing agreements, and ISO 27001:2022 clauses 5.19–5.22 (supplier relationships) govern the same underlying vendor relationship. In Acuna GRC, one vendor record maps to all three frameworks simultaneously. Your ICT register and your data protection register are the same record. No duplicate questionnaires, no conflicting evidence.
Full platform overview: Acuna GRC cloud platform
§ Implementation roadmap
A practical sequence for financial entities building or maturing their DORA third-party risk programme, from initial inventory to continuous supervisory evidence.
1. Create a complete Register of Information covering all ICT providers, services, systems they touch, and the owners responsible. Map sub-contracting chains and fourth-party dependencies.
2. Classify each provider as critical, important, or standard based on business criticality, data sensitivity, substitutability, and concentration exposure. Criticality tier drives due diligence depth and monitoring frequency.
3. Assess security and resilience controls against DORA requirements. Verify that each critical ICT contract includes the mandatory Art. 30 provisions as specified in the ESA RTS (JC 2023/84). Assign remediation owners and deadlines for every gap identified.
4. Identify and quantify single-provider dependencies across critical functions. Document tested exit strategies for each critical ICT provider. Prepare the Annex III concentration risk report for supervisory submission.
5. Maintain continuous monitoring of all critical providers. Update the Register of Information as relationships evolve. Produce board-level and regulator-ready reports on your ICT third-party posture.
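The roadmap above can be run as a set of checks over the Register itself. The following is an added worked example, not code from this page or from the Supplier Shield product: it takes a small constructed Register (hypothetical providers, functions, regions and dates), reports the Art. 30 provisions missing from each critical or important contract, flags concentration risk where one provider sits behind several critical or important functions that cannot be readily substituted, and lists the events that force an exit-strategy reassessment. Field names, the provision keys, and the sample rows are assumptions made for the example; the eight provision categories follow the list given on this page.

```python
from collections import defaultdict
from datetime import date, timedelta

# The eight mandatory Art. 30 provisions this page lists for critical/important ICT
# contracts (keys are this example's own shorthand, not the RTS wording).
ART30_PROVISIONS = (
    "service_description_sla",
    "data_location_access",
    "audit_access_rights",
    "security_resilience",
    "incident_reporting",
    "subcontracting_disclosure",
    "continuity_cooperation",
    "termination_exit_support",
)
IN_SCOPE_TIERS = {"critical", "important"}
REASSESSMENT_EVENTS = ("ctpp_designation", "incident", "material_change")

# Constructed sample Register of Information rows: one row per contract/function.
# Providers, functions, dates and flags are hypothetical.
REGISTER = [
    {"provider": "CloudCo", "function": "core banking", "tier": "critical",
     "region": "EU", "substitutable": False, "ctpp": True,
     "provisions": set(ART30_PROVISIONS), "exit_reviewed": "2024-11-01"},
    {"provider": "CloudCo", "function": "payments gateway", "tier": "important",
     "region": "EU", "substitutable": False, "ctpp": True,
     "provisions": set(ART30_PROVISIONS) - {"audit_access_rights", "termination_exit_support"},
     "exit_reviewed": "2025-06-01"},
    {"provider": "PrintSvc", "function": "statement printing", "tier": "standard",
     "region": "EU", "substitutable": True, "ctpp": False,
     "provisions": {"service_description_sla"}, "exit_reviewed": None},
    {"provider": "DataHub", "function": "market data feed", "tier": "important",
     "region": "US", "substitutable": True, "ctpp": False,
     "provisions": set(ART30_PROVISIONS) - {"subcontracting_disclosure"},
     "exit_reviewed": "2025-01-15"},
]


def contract_gaps(row):
    """Art. 30 provisions missing from one contract, in the order listed above.
    Standard-tier services are out of scope for the mandatory set, so they return []."""
    if row["tier"] not in IN_SCOPE_TIERS:
        return []
    return [p for p in ART30_PROVISIONS if p not in row["provisions"]]


def concentration_findings(register):
    """Per provider: in-scope functions supported, regions used, CTPP status, and
    whether the dependency must be escalated. Escalation follows the page's rule:
    one provider behind two or more critical/important functions where replacement
    within a reasonable timeframe is not possible for at least one of them."""
    by_provider = defaultdict(list)
    for row in register:
        if row["tier"] in IN_SCOPE_TIERS:
            by_provider[row["provider"]].append(row)
    findings = {}
    for provider, rows in by_provider.items():
        findings[provider] = {
            "functions": sorted(r["function"] for r in rows),
            "regions": sorted({r["region"] for r in rows}),
            "ctpp": any(r["ctpp"] for r in rows),
            "escalate": len(rows) >= 2 and not all(r["substitutable"] for r in rows),
        }
    return findings


def exit_review_triggers(row, today_iso, events=()):
    """Reasons a critical provider's exit strategy must be (re)assessed now:
    annual review overdue, CTPP designation, an incident, or a material change.
    Dates are ISO strings so the check is easy to drive from exported register data."""
    if row["tier"] != "critical":
        return []
    reasons = []
    last = row["exit_reviewed"]
    today = date.fromisoformat(today_iso)
    if last is None or today - date.fromisoformat(last) > timedelta(days=365):
        reasons.append("annual review overdue")
    reasons.extend(e for e in events if e in REASSESSMENT_EVENTS)
    return reasons


if __name__ == "__main__":
    for row in REGISTER:
        gaps = contract_gaps(row)
        if gaps:
            print(f"{row['provider']} / {row['function']}: missing {gaps}")
    for provider, f in concentration_findings(REGISTER).items():
        print(f"{provider}: functions={f['functions']} ctpp={f['ctpp']} escalate={f['escalate']}")
    print("CloudCo exit triggers:", exit_review_triggers(REGISTER[0], "2026-01-10", ["incident"]))
```

Each row is one contract-to-function mapping rather than one provider, which is what lets the same provider appear under several critical or important functions and be caught by the concentration check; a register keyed only by provider would hide exactly the dependency Art. 29 asks you to surface.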
§ Acuna GRC
Supplier Shield is the TPRM module inside Acuna GRC. Your ICT vendor register connects directly to your broader risk register, data protection framework, multi-framework control mapping, and internal audit workflows. One platform, Swiss-hosted, covering 50+ GRC frameworks including DORA, NIS2, GDPR, ISO 27001, and SOC 2.
§ Resources
From regulatory overview to live controls and audit evidence, these pages cover the full implementation journey.
§ FAQ
DORA is the EU regulation that requires financial entities to prove they can prevent, withstand, and recover from ICT disruption, including disruption caused by critical third-party providers.
DORA applies to credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, AIFMs, UCITS management companies, crypto-asset service providers, and others listed in Art. 2. Swiss-headquartered groups with EU-regulated entities are in scope for those entities. Microenterprises (fewer than 10 staff, under €2M turnover) may use the simplified ICT risk framework under Art. 4.
DORA entered into application on 17 January 2025. National competent authorities began requesting Register of Information submissions and evidence of ICT third-party governance shortly after. Institutions still presenting policy drafts rather than operational evidence are behind the supervisory curve.
Articles 28 to 44 require: a documented ICT third-party risk policy, a Register of Information submitted annually to your NCA, structured pre-contract due diligence (Art. 28(4)), mandatory contractual provisions for critical or important ICT services (Art. 30, detailed in ESA RTS JC 2023/84), concentration risk assessment and monitoring (Art. 29), exit strategies for critical providers (Art. 32), and adapted governance when a provider is designated a Critical ICT Third-Party Service Provider (Art. 31, 33–44).
DORA Art. 30 requires that contracts for critical or important ICT services include: a complete description of the service and SLAs, data location and accessibility clauses, audit and access rights for the firm and its competent authority, security and resilience obligations, incident reporting and cooperation requirements, sub-contracting disclosure and approval rights, business continuity cooperation, and termination and exit support provisions. The ESAs published the detailed RTS on contractual requirements (JC 2023/84) specifying what each element must cover in practice.
ESAs (EBA, EIOPA, ESMA) jointly designate certain ICT providers as CTPPs and subject them to direct supervisory oversight. Major cloud hyperscalers (AWS, Microsoft Azure, Google Cloud) are among those being assessed for designation. If a CTPP is in your Register of Information, you must adapt your governance: the CTPP oversight framework (Art. 33–44) introduces additional obligations around monitoring, reporting, and contractual cooperation. Financial entities should flag every provider in their register that has received or is under assessment for CTPP designation.
The Register of Information is a structured inventory of all ICT contractual arrangements, the ICT services provided, the functions they support, and the full sub-contracting chain. Financial entities must submit it annually to their NCA. EBA and ESMA published the final ITS (EBA/GL/2024/02) specifying the exact data fields and Annex III template format required for submission. Supplier Shield exports the Register directly in the Annex III format.
Yes. DORA requires firms to classify each ICT provider by criticality (critical, important, or standard) based on business impact, substitutability, data sensitivity, and concentration exposure. Criticality tier determines due diligence depth, contractual provision requirements, monitoring frequency, and the exit strategy obligations that apply.
DORA does not set harmonised EU-level fines equivalent to GDPR's 4% of global turnover. Instead, enforcement is delegated to national competent authorities, which may impose administrative sanctions under their own national frameworks. Supervisory findings in DORA reviews (inadequate Registers of Information, missing contractual provisions, undocumented exit strategies) can lead to remediation orders, supervisory letters, and reputational consequences that affect licence conditions. The oversight framework for CTPPs includes the Joint Oversight Network (JON), where ECB, EBA, EIOPA, and ESMA coordinate enforcement.
DORA replaces the EBA Guidelines on Outsourcing Arrangements (GL/2019/02) for ICT-related services and adds material obligations: the Register of Information replaces outsourcing registers with a more structured format and mandatory annual NCA submission; the Art. 30 contractual provisions are more detailed than the outsourcing guidelines required; concentration risk assessment (Art. 29) is now a formal, documented, and reported obligation; and exit strategies must be documented and periodically tested, not just planned. Existing outsourcing registers are a starting point, but almost all firms require material remediation to meet DORA.
DORA focuses on ICT operational resilience for financial entities. GDPR governs personal data protection. NIS2 governs cybersecurity for essential and important entities across sectors. A financial institution subject to DORA may also be subject to GDPR and, depending on jurisdiction, NIS2. The overlapping control obligations (particularly around ICT vendor contracts) can be mapped to shared controls in Acuna GRC so that one assessment satisfies multiple frameworks simultaneously.
Supplier Shield is the TPRM module inside Acuna GRC. It covers the Art. 28–44 obligations: structured vendor register in Annex III format, OSINT-based pre-assessment, Art. 30 contractual gap analysis per contract, concentration risk monitoring and reporting, exit strategy management, and continuous oversight with automatic review triggers. Acuna GRC covers the broader ICT risk management framework (Art. 5–16) and multi-framework control mapping across DORA, GDPR, and ISO 27001.
Book a focused session with our team. We will map your current ICT third-party posture to Articles 28 to 44 and show you exactly where Supplier Shield closes the gaps.