Finance Incorporated Limited

Third-Party Risk under DORA: What EU Financial Institutions Need to Know

Written by Burcu Cachia, Risk Officer at Finance Incorporated Limited

DORA as a New Operational Reality

The Digital Operational Resilience Act (DORA) marks a significant shift in how EU financial institutions are expected to manage information and communications technology (ICT) and third-party risk. Financial institutions often depend heavily on third-party providers for data storage, software services, infrastructure, and cybersecurity tools, among other services. Because these services are interconnected, a single outage or breach at one provider may cause system-wide disruption, affecting core processes as well as company and customer data. This is why DORA requires financial institutions to maintain rigorous oversight procedures when working with third-party providers.

Rather than treating ICT outsourcing as a procurement or IT issue, DORA embeds ICT third-party risk directly into the operational resilience and governance framework of regulated financial entities. This means the question is no longer which systems are outsourced — but how deeply those dependencies are understood, controlled, and governed.

For banks, payment institutions, investment firms, insurers, and other regulated financial organizations operating in the EU, ICT third-party risk is now a core supervisory focus area, with clear accountability at board and senior management level.

While this measure strengthens the overall resilience posture of the financial sector, it also introduces a more demanding operating environment. Institutions are now expected to maintain deeper visibility and control over increasingly complex digital dependencies that, in many cases, were never fully mapped before.


Third-Party Risk Management: What Actually Changes

From Outsourcing Lists to Dependency Management

Under DORA, institutions must move beyond traditional outsourcing registers and adopt a full ICT dependency mapping approach. This includes not only direct ICT vendors, but also third-party services supporting critical or important financial functions, such as:

  • Cloud infrastructure providers supporting banking and payment operations (IaaS, PaaS, SaaS)
  • Financial data hosting and processing services
  • Core banking, trading, treasury, and payment software providers
  • Subcontracted ICT service chains supporting regulated financial services

The key shift is clear: regulators are not only focused on who you engage as a contractor. They are focused on the operational dependencies created through external ICT providers and the digital service chains that support critical financial functions. From a resilience perspective, this is a meaningful improvement — it encourages institutions to develop a far more complete and realistic picture of their true dependency landscape. At the same time, it increases the complexity of maintaining accurate inventories and understanding end-to-end service ownership across multiple layers of providers.

Register of Information (RoI): More Than a Compliance Exercise

The Register of Information (RoI) is one of the most operationally important elements of DORA for financial institutions. It requires firms to maintain a structured and continuously updated view of all ICT third-party arrangements supporting regulated financial operations.

In practice, the RoI serves three core functions:

  • Supervisory oversight of ICT dependencies across financial institutions
  • Identification of sector-wide concentration risks in financial services infrastructure
  • Assessment of Critical ICT Third-Party Providers (CTPPs) supporting the financial sector

For institutions, this means vendor data quality and ICT asset transparency become directly regulatory-relevant. A register that is incomplete, inaccurate, or poorly maintained is not simply an administrative gap — it is a supervisory risk.

Contracting Requirements: Higher Standards Across the Board

DORA significantly raises expectations for ICT third-party contracts. Institutions must ensure their agreements include enforceable clauses covering:

  • Audit and access rights for regulators and financial institutions
  • Data security, availability, and integrity requirements
  • Sub-outsourcing controls and transparency obligations
  • Business continuity and operational resilience commitments
  • Clearly defined exit and termination strategies for critical ICT services

Meeting these requirements demands much closer alignment between risk, legal, procurement, and IT functions than traditional outsourcing models typically allowed. For many institutions, implementing DORA means that existing contract libraries will need to be revisited.


Key Risk Themes for EU Financial Institutions

ICT Concentration Risk in Financial Sector Cloud Services

One of the most structurally significant risks under DORA is ICT concentration risk. Many EU financial institutions rely on a limited number of global cloud and technology providers. This creates a pattern that regulators now treat as a systemic concern:

  • Multiple institutions depend on the same underlying infrastructure providers
  • A single disruption can produce sector-wide operational impact
  • Substitutability during genuine crisis scenarios is severely limited

From a supervisory perspective, this is now formally recognised as a systemic operational risk factor — not simply a firm-level vendor management issue.

Sub-Outsourcing and Extended Service Chains

Modern ICT services are rarely delivered directly by a single provider. DORA explicitly addresses this through requirements on sub-outsourcing transparency and control. Institutions are expected to understand and manage not only their direct vendors, but the extended chain of service providers supporting critical functions. This materially increases the need for robust due diligence processes and sustained ongoing monitoring capabilities across multiple service layers.


Operational Impact on Financial Institutions

Higher Governance and Coordination Requirements

DORA increases the level of internal coordination required across functions that have not traditionally operated in close alignment:

  • Risk Management
  • IT and Information Security
  • Procurement
  • Legal and Compliance

ICT third-party risk is no longer a siloed function. It is a cross-organisational governance responsibility, and institutions that continue to manage it as a purely technical or procurement matter will struggle to meet the standard DORA sets.

Incident Reporting and Resilience Testing

Financial institutions must also comply with stricter requirements for:

  • Classification and reporting of major ICT incidents
  • Structured reporting timelines to regulators
  • Operational resilience testing, including advanced scenarios such as Threat-Led Penetration Testing (TLPT)

This effectively transforms operational resilience from a reactive capability to a continuously tested control environment — a meaningful change from how most institutions have historically approached the subject.


Risk Function Perspective

From a risk management perspective, DORA fundamentally changes the nature of ICT third-party risk oversight. The key implications are:

  • Continuous monitoring replaces periodic vendor assessments
  • Stronger emphasis on dependency mapping and concentration analysis
  • Increased importance of scenario-based risk assessment
  • Greater board-level visibility of ICT risk exposure
  • Integration of ICT risk into enterprise risk appetite frameworks

In effect, ICT third-party risk becomes a strategic risk discipline — one that sits alongside credit, market, and liquidity risk in terms of governance expectations — rather than a compliance requirement managed at an operational level.


Regulatory Technical Standards (RTS): Turning Principles into Practice

The Regulatory Technical Standards (RTS), developed by the European Supervisory Authorities (European Banking Authority, European Securities and Markets Authority, European Insurance and Occupational Pensions Authority), define how DORA requirements are to be implemented in practice. They provide detailed requirements for:

  • ICT risk management frameworks
  • Incident classification and reporting thresholds
  • Contractual standards for ICT third-party arrangements
  • Oversight of critical ICT third-party providers
  • Resilience testing methodologies, including TLPT

For institutions, the RTS effectively translate DORA’s principles into operationally enforceable expectations. Understanding the specific technical standards relevant to your activities — and stress-testing your current frameworks against them — is an essential step in building a credible DORA compliance programme.

DORA represents a structural shift in the way ICT and third-party risk is managed across the EU financial sector. It moves institutions from fragmented outsourcing oversight to a fully integrated ICT resilience and dependency governance model.

For financial institutions, the challenge is not only compliance — it is the ability to build sustainable governance structures that can manage increasingly complex and interconnected digital ecosystems over the long term. The best positioned institutions under DORA will be those that treat this not as a regulatory exercise, but as an opportunity to develop genuinely stronger operational foundations.


Finance Incorporated Limited, (C55838), is a financial institution regulated by the Malta Financial Services Authority under the Financial Institutions Act (Chapter 376 of the Laws of Malta) as an Electronic Money Institution and to provide Payment Services.

2024 Finance Incorporated Limited All Rights Reserved