Overview

DORA's Third-Party Framework

Articles 28 to 44 of DORA (Chapter V of Regulation (EU) 2022/2554) establish a binding, EU-wide framework for ICT third-party risk management in financial services. The regulation recognises that financial entities depend heavily on external ICT service providers for critical operations, and that this dependency creates risks that must be managed systematically rather than contract by contract.

The framework covers the entire lifecycle of ICT third-party relationships. It starts with the requirement to maintain a complete Register of Information on all ICT arrangements (Art. 28(3)). It then sets out obligations for pre-contract due diligence, mandatory contractual clauses (Art. 30), ongoing monitoring, concentration risk assessment (Art. 29), sub-outsourcing oversight (Art. 29(2)), and exit strategy planning (Art. 28(8)). For the most systemically important providers, it establishes a direct EU-level oversight regime through the Critical ICT Third-Party Provider (CTPP) designation (Art. 31-44).

This is not a light-touch regime. DORA's third-party requirements go significantly further than previous EU financial sector rules on outsourcing. The shift from guidelines to binding regulation, the structured data requirements of the Register of Information, and the introduction of direct oversight for CTPPs represent a step change in how ICT provider relationships are governed.


Art. 28

Provider Register and Due Diligence

Art. 28 is the foundation of DORA's third-party framework. It requires financial entities to manage ICT third-party risk as an integral part of their overall ICT risk management framework. This means treating provider relationships not as procurement items but as risk-bearing dependencies that require active governance.

The centrepiece obligation under Art. 28(3) is the Register of Information. Every financial entity must maintain, at entity level and where relevant at sub-consolidated and consolidated level, a register of all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing those that support critical or important functions. The register follows the templates in Commission Implementing Regulation (EU) 2024/2956 (the ITS on the register of information), must be kept up to date, and must be made available to the NCA in full or in specified sections on request. Art. 28(3) also requires the entity to report at least yearly on the number of new arrangements, the categories of providers, the types of contract and the services and functions provided, and to inform the NCA in a timely manner of any planned arrangement supporting a critical or important function. The first collection of registers by the ESAs, via the NCAs, ran to 30 April 2025. For a detailed guide on building and maintaining your RoI, see our Register of Information guide.

Before entering into any contractual arrangement on the use of ICT services, Art. 28(4) requires the entity to work through a defined pre-contract assessment: determine whether the arrangement supports a critical or important function (CIF); check that the supervisory conditions for contracting are met; identify and assess all relevant risks, including whether the arrangement would reinforce ICT concentration risk as referred to in Art. 29; carry out due diligence so that the prospective provider is shown to be suitable; and identify any conflicts of interest the arrangement may cause. Art. 28(5) adds that entities may only contract with providers that comply with appropriate information security standards and, for CIF arrangements, must take due account of whether the provider uses the most up-to-date and highest quality standards. Keep the assessments documented: the NCA can ask for them alongside the register.

Management body involvement is not delegable. Art. 28(2) requires the management body to regularly review the risks identified in respect of contractual arrangements supporting critical or important functions, on the basis of the entity's overall risk profile and the scale and complexity of its business services, and Art. 5(2) requires it to approve and periodically review the policy on the use of ICT services and to have reporting channels that keep it informed of concluded arrangements and of material planned changes to them. In practice this means a recurring report to the board covering new arrangements, the results of risk assessments and the status of concentration risk, so that the management body has direct visibility of third-party ICT risk.


Art. 30

Contractual Requirements

Art. 30 sets out the minimum content of every contractual arrangement on the use of ICT services. Art. 30(1) requires the rights and obligations of both parties to be clearly allocated and set out in writing, with the full contract, including the service level agreements, held in one written document. Art. 30(2) lists the elements that every ICT arrangement must contain; Art. 30(3) adds further elements where the services support critical or important functions. These are minimum requirements, not a negotiating position: they apply regardless of the provider's bargaining power.

Art. 30(2) Elements required in all ICT arrangements
Clear and complete description of all functions and ICT services provided, stating whether subcontracting of an ICT service supporting a CIF is permitted and, if so, on what conditions Art. 30(2)(a)
Locations (regions or countries) where the contracted or subcontracted services are provided and where data is processed and stored, with advance notification of any intended change of location Art. 30(2)(b)
Provisions on availability, authenticity, integrity and confidentiality of data, including personal data Art. 30(2)(c)
Access, recovery and return of the entity's data in an easily accessible format on the provider's insolvency, resolution or discontinuation of business, or on termination of the arrangement Art. 30(2)(d)
Service level descriptions, including updates and revisions Art. 30(2)(e)
Assistance at no additional cost, or at a cost fixed in advance, when an ICT incident related to the contracted service occurs Art. 30(2)(f)
Full cooperation with the entity's competent authorities and resolution authorities, including persons appointed by them Art. 30(2)(g)
Termination rights and related minimum notice periods, in line with the expectations of competent and resolution authorities Art. 30(2)(h)
Conditions for the provider's participation in the entity's ICT security awareness programmes and digital operational resilience training under Art. 13(6) Art. 30(2)(i)

Art. 30(3) Additional elements for CIF arrangements
Full service level descriptions with precise quantitative and qualitative performance targets, so that degraded service can be detected and corrective action taken Art. 30(3)(a)
Notice periods and reporting obligations, including notification of any development that might materially affect the provider's ability to deliver the service Art. 30(3)(b)
Obligation to implement and test business contingency plans and to maintain ICT security measures, tools and policies appropriate to the service Art. 30(3)(c)
Obligation to participate and fully cooperate in the entity's threat-led penetration testing under Art. 26 and 27 Art. 30(3)(d)
Right to monitor the provider's performance on an ongoing basis, including unrestricted rights of access, inspection and audit for the entity, its appointed third parties and the competent authority, full cooperation during on-site inspections, and agreed scope, procedures and frequency for audits Art. 30(3)(e)
Exit strategies, in particular a mandatory adequate transition period during which the provider continues to deliver the service while the entity migrates to another provider or to an in-house solution Art. 30(3)(f)

For contracts that pre-date DORA, conduct a gap analysis against Art. 30(2) and, for CIF arrangements, Art. 30(3), and negotiate amendments where elements are missing. For new contracts, include them from the outset. Contract templates and clause tracking are available in DORA GRC's provider management module.


Art. 29

Concentration Risk Assessment

Art. 29 requires financial entities, when assessing the risks of a contractual arrangement under Art. 28(4)(c), to take into account ICT concentration risk: contracting with a provider that is not easily substitutable, and holding multiple arrangements with the same provider or with closely connected providers (Art. 29(1)). Concentration risk occurs when an entity depends too heavily on a single provider, or a small number of connected providers, for services that support critical or important functions, and Art. 29(1) also requires the entity to weigh alternatives, such as using different providers.

The assessment should consider several dimensions. How many critical functions depend on a single provider? Could the provider be substituted, and how quickly? What is the geographic concentration of data processing? What is the provider's financial stability and market position? What would happen if the provider experienced a major disruption, went bankrupt, or ceased operations in the EU?

Concentration risk is not limited to direct provider relationships. Where the arrangement allows the provider to further subcontract ICT services supporting a CIF, Art. 29(2) requires the entity to weigh the benefits and risks of that possibility, with particular attention to subcontractors established in third countries and to long and complex chains of subcontracting; for CIF arrangements it also requires the entity to consider the insolvency law that would apply if the provider failed and any constraint on urgently recovering the entity's data. If several of your providers ultimately depend on the same sub-contractor for a critical component (for example, a shared cloud infrastructure provider), the entity has an indirect concentration risk that must be identified and managed even though no single contract reveals it.

The results of the concentration risk assessment feed the management body's regular review of CIF-related third-party risk under Art. 28(2); DORA does not fix the interval, and aligning it with the yearly reporting to the NCA under Art. 28(3) is a practical choice. Where unacceptable concentration is identified, the entity should develop mitigation strategies, which may include identifying alternative providers, diversifying arrangements across providers, or strengthening exit plans. For a broader view of DORA compliance requirements across all five pillars, see our complete guide.


Art. 29(2)

Sub-Outsourcing Chains

DORA requires financial entities to look beyond their direct provider relationships and understand the full chain of sub-outsourcing. When your cloud provider uses a different company for data centre operations, and that company uses another for network connectivity, each link in the chain represents a dependency that could affect your operational resilience.

Art. 29(2) requires entities to weigh the benefits and risks of sub-outsourcing where the sub-contracted service supports a critical or important function, paying particular attention to sub-contractors in third countries and to long and complex chains. The RTS on subcontracting mandated by Art. 30(5) specifies what the entity must determine and assess before allowing such subcontracting. In practice this means you need to know who your providers' sub-contractors are, what services they provide, where they are located, and whether they can be substituted.

The contract is the lever. Under Art. 30(2)(a) every arrangement must state whether subcontracting of an ICT service supporting a CIF is permitted and, if so, on what conditions; under Art. 30(2)(b) the provider must notify the entity in advance of any intended change in the locations where contracted or subcontracted services are provided. The conditions set through the RTS on subcontracting include advance notification of material changes to subcontracting arrangements and the entity's right to object to them. Maintaining visibility of sub-outsourcing chains then requires ongoing engagement with providers and structured data collection.

The Register of Information must capture the full sub-outsourcing chain for each arrangement, including each sub-contractor's identification code (the LEI where it has one), name, country, rank in the chain, the sub-contracted services, and whether those services support a CIF. This data feeds into both the concentration risk assessment and the NCA submission.
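The roll-up described in the two sections above (direct concentration under Art. 29(1), and indirect concentration through sub-contractors shared across providers under Art. 29(2)) is straightforward to compute once the register holds the chain data. The following Python is an added example written for this page; it is not DORA GRC code and not the ITS templates. The register rows, provider names, LEIs and the EEA country list are constructed for the illustration, and the field names are an assumption loosely modelled on the register of information rather than the ITS column names. It goes slightly beyond the text by also listing CIF chain links established outside the EEA, which Art. 29(2) asks the entity to weigh.

```python
"""Concentration-risk roll-up over a register of ICT third-party arrangements.

Added example for this page; not DORA GRC code and not the ITS templates.
All rows, names and LEIs below are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# EU member states plus Iceland, Liechtenstein and Norway; anything else is
# treated as a third country for the Art. 29(2) check (assumption: the entity
# treats the whole EEA as "home").
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Subcontractor:
    rank: int        # chain position: 2 = the provider's own sub-contractor, 3 = its sub-contractor, ...
    lei: str         # identification code (constructed, not a real LEI)
    name: str
    country: str     # ISO 3166-1 alpha-2 country of establishment


@dataclass
class Arrangement:
    ref: str                  # contract reference in the register
    provider_lei: str         # direct ICT third-party service provider
    provider_name: str
    function: str             # business function the ICT service supports
    is_cif: bool              # True if that function is critical or important
    substitutable: bool       # outcome of the Art. 29(1)(a) substitutability assessment
    chain: List[Subcontractor] = field(default_factory=list)


# Constructed sample register. The point of the sample: two unrelated direct
# providers (CoreBank and PayRail) both run their CIF services on HyperCloud.
REGISTER: List[Arrangement] = [
    Arrangement("C-001", "LEI-CORE", "CoreBank Ltd", "core banking ledger", True, False,
                [Subcontractor(2, "LEI-HYPER", "HyperCloud Inc", "US"),
                 Subcontractor(3, "LEI-DCOPS", "DC Ops Ltd", "IE")]),
    Arrangement("C-002", "LEI-CORE", "CoreBank Ltd", "payment processing", True, False,
                [Subcontractor(2, "LEI-HYPER", "HyperCloud Inc", "US")]),
    Arrangement("C-003", "LEI-PAY", "PayRail SA", "card acquiring gateway", True, True,
                [Subcontractor(2, "LEI-HYPER", "HyperCloud Inc", "US")]),
    Arrangement("C-004", "LEI-HR", "HRCloud BV", "HR self-service portal", False, True,
                [Subcontractor(2, "LEI-HYPER", "HyperCloud Inc", "US")]),
    Arrangement("C-005", "LEI-MAIL", "MailCo GmbH", "marketing e-mail", False, True),
]


def direct_concentration(register: List[Arrangement]) -> Dict[str, dict]:
    """Per direct provider: the CIF arrangements relying on it and whether it is substitutable.

    Supports Art. 29(1)(a) (provider not easily substitutable) and Art. 29(1)(b)
    (multiple arrangements with the same provider). A provider counts as
    substitutable only if every arrangement with it was assessed as substitutable.
    """
    by_provider: Dict[str, dict] = {}
    for a in register:
        entry = by_provider.setdefault(
            a.provider_lei, {"name": a.provider_name, "cif_arrangements": [], "substitutable": True})
        if a.is_cif:
            entry["cif_arrangements"].append(a.ref)
        entry["substitutable"] = entry["substitutable"] and a.substitutable
    return by_provider


def indirect_concentration(register: List[Arrangement]) -> Dict[str, Set[str]]:
    """Sub-contractors that sit beneath more than one direct provider on CIF chains.

    Non-CIF arrangements are ignored: a shared sub-contractor behind the HR portal
    is not a concentration of critical or important functions.
    """
    providers_via: Dict[str, Set[str]] = defaultdict(set)
    for a in register:
        if not a.is_cif:
            continue
        for sub in a.chain:
            providers_via[sub.lei].add(a.provider_lei)
    return {lei: provs for lei, provs in providers_via.items() if len(provs) > 1}


def third_country_links(register: List[Arrangement], home: Set[str] = EEA) -> List[Tuple[str, int, str, str]]:
    """CIF chain links established outside the home area, as (ref, rank, lei, country)."""
    return [(a.ref, sub.rank, sub.lei, sub.country)
            for a in register if a.is_cif
            for sub in a.chain if sub.country not in home]


def findings(register: List[Arrangement]) -> List[Tuple[str, str, str]]:
    """Assessment findings as (rule, subject, detail) rows for the management body report."""
    rows: List[Tuple[str, str, str]] = []
    for lei, d in direct_concentration(register).items():
        n = len(d["cif_arrangements"])
        if n >= 2:
            rows.append(("Art. 29(1)(b): multiple CIF arrangements with one provider", lei, f"{n} arrangements"))
        if n and not d["substitutable"]:
            rows.append(("Art. 29(1)(a): CIF provider not easily substitutable", lei, d["name"]))
    for lei, provs in indirect_concentration(register).items():
        rows.append(("Art. 29(2): sub-contractor shared across CIF providers", lei, ", ".join(sorted(provs))))
    for ref, rank, lei, country in third_country_links(register):
        rows.append(("Art. 29(2): third-country sub-contractor on a CIF chain", lei, f"{ref} rank {rank} in {country}"))
    return rows


if __name__ == "__main__":
    for rule, subject, detail in findings(REGISTER):
        print(f"{rule:60s} {subject:10s} {detail}")
```

On the sample register the roll-up surfaces what no single contract shows: CoreBank is a non-substitutable provider holding two CIF arrangements, and HyperCloud is a rank-2 sub-contractor beneath both CoreBank and PayRail, so a HyperCloud outage would take down three CIF services at once. The HR portal also runs on HyperCloud but is excluded from the indirect finding because it is not a CIF; whether to keep non-CIF dependencies in a separate view is a design choice for the entity.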


Art. 28(8)

Exit Strategies

Art. 28(8) requires financial entities to develop and maintain exit strategies for all ICT third-party arrangements that support critical or important functions. An exit strategy is a documented plan for how the entity would transition away from a provider if the relationship had to end, whether due to contract termination, provider failure, regulatory action, or a decision to change providers.

The exit strategy must be realistic and actionable. It should address data migration (how data would be extracted, in what format, where it would go, and how long it would take), service continuity during the transition period, the identification of alternative providers or in-house capabilities, the resources required for migration, and the expected timeline. Art. 28(8) requires exit plans to be comprehensive, documented, sufficiently tested and reviewed periodically, and requires the entity to be able to exit without disruption to its business activities, without falling short of regulatory requirements, and without detriment to the continuity and quality of services to clients. For CIF arrangements the transition period the provider must honour is itself a mandatory contract term under Art. 30(3)(f), so the exit plan and the contract should state the same period.

Exit strategies are particularly important for arrangements that involve critical functions and where the provider has a high degree of market power or where substitutability is limited. If the concentration risk assessment identifies a provider that would be difficult to replace, the exit strategy must address this explicitly.

DORA GRC includes an exit plan module that links exit strategies to the provider register, the contract register, and the concentration risk dashboard. Each exit plan records the transition approach, alternative providers, timeline, and resource requirements, and is tracked alongside the contractual arrangement it relates to.


Art. 31–44

Critical ICT Third-Party Providers (CTPPs)

Articles 31 to 44 establish a direct EU-level oversight framework for ICT service providers designated as Critical ICT Third-Party Providers (CTPPs). This is a significant innovation in EU financial regulation: for the first time, technology companies that serve the financial sector are subject to direct regulatory oversight, not just indirectly through the financial entities they serve.

The ESAs (EBA, ESMA, EIOPA), acting through their Joint Committee and on a recommendation from the Oversight Forum, designate CTPPs (Art. 31(1)). The criteria in Art. 31(2) are the systemic impact a large-scale operational failure of the provider would have on the stability, continuity or quality of financial services, the systemic character or importance of the financial entities that rely on it, the extent to which financial entities rely on it for critical or important functions, and the degree to which the provider could be substituted. The Lead Overseer is the ESA responsible for the financial entities that together hold the largest share of total assets among those using the CTPP.

The Lead Overseer can request information, conduct general investigations and inspections, and issue recommendations requiring the CTPP to address identified risks; a CTPP that does not comply can be made subject to periodic penalty payments (Art. 35). Where a CTPP fails to follow the recommendations, the competent authorities of the financial entities that use it may require those entities to temporarily suspend, in part or in full, the use of the service, or to terminate the arrangement, until the risks have been addressed (Art. 42). This gives the oversight framework real enforcement teeth, but note that the suspension order lands on the financial entity, not the provider, which is one more reason the exit strategy for a CTPP must be workable.

For financial entities, the CTPP framework has practical implications. You should monitor which of your providers are designated (or likely to be designated) as CTPPs. You should factor CTPP status into your concentration risk assessments. And you should be prepared for Lead Overseer engagement, which may include requests for information about your use of the CTPP's services.

For a detailed walkthrough of DORA's five pillars and how they interconnect, see our DORA compliance guide. To evaluate where your organisation stands, try the free DORA assessment.

Frequently asked questions

Third-Party Risk Management FAQ

What is DORA third-party risk management?
DORA third-party risk management refers to the requirements in Articles 28-44 of Regulation (EU) 2022/2554 for how financial entities manage risks arising from their use of ICT third-party service providers. It covers the full lifecycle of provider relationships: maintaining a Register of Information on all ICT arrangements, conducting the pre-contract assessment and due diligence under Art. 28(4), including the mandatory contractual elements under Art. 30(2) and, for critical or important functions, Art. 30(3), assessing concentration risk across the provider base, monitoring sub-outsourcing chains, maintaining exit strategies, and engaging with the CTPP oversight framework. These requirements apply to all financial entities in scope of DORA, proportionate to their size and risk profile.
What contractual clauses does DORA require?
Art. 30(2) requires every contractual arrangement on the use of ICT services to include at least: a clear and complete description of the functions and ICT services, stating whether subcontracting of services supporting a CIF is permitted and on what conditions; the locations where services are provided and data is processed and stored, with advance notice of changes; provisions on availability, authenticity, integrity and confidentiality of data; access, recovery and return of data on the provider's insolvency, resolution or discontinuation, or on termination; service level descriptions; assistance at no additional or pre-agreed cost when an ICT incident occurs; full cooperation with competent and resolution authorities; termination rights and minimum notice periods; and conditions for participation in the entity's security awareness and resilience training. For arrangements supporting critical or important functions, Art. 30(3) adds precise quantitative and qualitative performance targets, notice and reporting obligations, business contingency planning and testing, participation in threat-led penetration testing, ongoing monitoring including unrestricted access, inspection and audit rights for the entity and its competent authority, and exit strategies with a mandatory transition period. These are minimum requirements and cannot be waived. For existing contracts that pre-date DORA, entities should conduct a gap analysis and negotiate amendments where elements are missing.
What is a CTPP under DORA?
A CTPP (Critical ICT Third-Party Provider) is an ICT service provider designated by the European Supervisory Authorities (ESAs), through their Joint Committee, as critical to the EU financial sector under Art. 31. The designation rests on the systemic impact a failure of the provider would have, the systemic importance of the financial entities that depend on it, the extent of reliance on it for critical or important functions, and the degree to which the provider could be substituted. Once designated, a Lead Overseer is appointed from among the ESAs with powers to request information, conduct investigations and inspections, issue recommendations and impose periodic penalty payments on a CTPP that does not comply. Where a CTPP fails to follow the recommendations, the competent authorities of the financial entities using it may require those entities to suspend use of the service or terminate the arrangement. Financial entities should monitor which providers are designated as CTPPs and factor this into their concentration risk assessments and exit planning.
How do I assess ICT concentration risk?
ICT concentration risk assessment under Art. 29 requires evaluating the degree to which your critical or important functions depend on a single provider, or on a small group of closely connected providers, and whether those providers are easily substitutable. Key dimensions to assess include: how many CIFs each provider supports, whether the provider can be substituted and how quickly, geographic concentration of data processing, the provider's financial stability, and what would happen if the provider failed or its services were unavailable. You must also consider indirect concentration through sub-outsourcing chains, where multiple providers may depend on the same underlying sub-contractor, and the particular risks of sub-contractors in third countries. The assessment feeds the management body's regular review under Art. 28(2) and should inform exit strategy planning. DORA GRC includes a concentration risk dashboard that visualises these dependencies automatically from your provider and contract data.