Third-party ICT risk under DORA: contracts, register and oversight
DORA sets requirements for ICT outsourcing: mandatory contract clauses, a register of information on all ICT providers, and an EU oversight framework for ICT providers designated as critical.
Short answer: DORA treats outsourced ICT risk as your own risk. You must include mandatory contract clauses with ICT providers, keep a register of information on all contractual arrangements, and account for an EU oversight framework for ICT providers designated as critical (CTPPs).
Contractual requirements
Contracts with ICT providers must contain a set of core terms: a description of the service and the locations where data is processed, access, inspection and audit rights, security and availability levels, cooperation during incidents, and exit strategies with support on termination. Heavier requirements apply to services that support critical or important functions. Assess concentration risk before signing.
The register of information
You must maintain a register of information on all contractual arrangements for ICT services, at entity, sub-consolidated and consolidated level. Supervisors request this register periodically (annually). The register is also your own steering instrument: it makes dependencies and concentration risk visible.
Oversight of critical providers
Large, systemically relevant ICT providers (think of some cloud and data providers) may be designated critical by the ESAs. They are subject to a direct EU oversight framework with a designated lead overseer. This does not relieve you of your own responsibility, but adds a supervisory layer over the chain.
Read also: DORA guide and Resilience testing and TLPT.
Sources
- https://eur-lex.europa.eu/eli/reg/2022/2554/oj: Regulation (EU) 2022/2554 (DORA), Chapter V, management of ICT third-party risk and oversight framework for critical ICT providers.
- https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience-dora: ESAs, ITS for the register of information and RTS on contractual requirements.