The ICT Third-Party Risk domain under the DORA Lens evaluates whether external ICT service providers are governed as critical components of operational resilience. This domain determines whether financial entities can withstand, supervise, and disengage from third-party ICT dependencies without disrupting critical or important functions.
In the ECIL, third-party ICT risk is fundamentally resilience risk, not merely procurement risk. DORA requires organizations to demonstrate active control over dependency decisions and maintain viable fallback options under stress conditions.
Purpose of This Domain
Identification & Classification
Critical ICT third-party providers must be systematically identified and classified based on their role in supporting critical or important functions.
Proportional Governance
Risks introduced by external providers must be governed proportionally to their criticality and potential impact on operational resilience.
Contractual Controls
Contractual and operational controls must be established to support resilience objectives and enable supervisory oversight.
Exit Feasibility
Exit strategies and substitution plans must be feasible and tested under stress to prevent dependency lock-in.
DORA fundamentally evaluates dependency control and substitutability, not vendor trust or relationship quality. The regulation requires financial entities to demonstrate they can maintain operational resilience even when critical third-party relationships fail or must be terminated.
Identification of Critical ICT Third Parties
This capability area examines whether the organization maintains complete visibility into which ICT providers support critical or important functions. Without accurate identification, resilience oversight becomes impossible.
Financial entities must maintain a comprehensive understanding of their ICT service provider ecosystem, including direct providers, subcontractors, and fourth parties that may introduce hidden dependencies.
Key Requirements
Comprehensive inventory of all ICT service providers
Mapping of providers to critical or important functions
Risk-based classification using defined criticality criteria
Clear assignment of ownership for third-party relationships
Documentation of dependency chains and subcontracting arrangements
Regulatory Focus
Unknown dependencies represent a fundamental gap in resilience oversight. Supervisors expect financial entities to demonstrate complete visibility into ICT dependencies that could impact critical operations.
This capability area focuses on whether ICT third-party risks are systematically assessed before and during engagement. DORA requires risk-based due diligence that extends beyond traditional security assessments to evaluate operational survivability under disruption.
Pre-Onboarding
Risk-based due diligence prior to engagement, including assessment of provider resilience capabilities and security posture
Risk Analysis
Comprehensive evaluation of provider resilience, considering concentration risk, geographic dependencies, and substitutability
Risk Decision
Formal risk acceptance or mitigation decisions with executive oversight and documented rationale
Due diligence under DORA must evaluate whether the provider can maintain service continuity under stress, whether alternative providers exist, and whether the organization could transition away if necessary. This assessment should consider the provider's own third-party dependencies, business continuity arrangements, and historical incident response performance.
This capability area evaluates whether contracts with ICT third parties enforce resilience expectations and enable control under disruption. Contracts must go beyond steady-state service level agreements to address incident response, recovery obligations, and supervisory access rights.
Service Definition
Clear specification of services, dependencies, subcontracting arrangements, and service locations
Resilience Standards
Explicit security, availability, and recovery requirements aligned with organizational risk tolerance
Incident Obligations
Detailed incident notification, cooperation, and escalation requirements with defined timeframes
Oversight Rights
Contractual rights for audit, inspection, supervisory access, and information sharing
Contracts must enable the organization to maintain control during disruptions, not just during normal operations. This includes rights to information, ability to conduct or commission audits, and mechanisms to enforce remediation when deficiencies are identified. Supervisory authorities expect these provisions to be contractually enforceable, not merely aspirational.
This capability area examines whether ICT third-party risk is continuously monitored throughout the relationship lifecycle. Third-party risk profiles evolve due to provider changes, market conditions, technological shifts, and emerging threats.
Financial entities must establish structured oversight processes that provide early warning of deteriorating provider resilience, unauthorized changes to service delivery, or emerging concentration risks.
Periodic reassessment of provider risk profiles
Monitoring of incidents, outages, and service disruptions
Oversight of subcontracting changes and fourth parties
Performance tracking against contractual commitments
This capability area focuses on whether the organization can disengage from or substitute providers without experiencing service collapse. Operational resilience requires the practical ability to leave a relationship, not merely the theoretical right to do so.
1. Exit Strategy Development
Documented transition plans including triggers, responsibilities, and resource requirements
2. Data Governance
Contractual provisions for data return, secure deletion, and portability in standard formats
3. Concentration Assessment
Analysis of single-provider dependency risk across critical functions
4. Substitution Testing
Validation that alternative providers exist and transitions are feasible under stress
DORA requires financial entities to assess whether critical dependencies on single providers create unacceptable concentration risk. This includes evaluating whether alternative providers exist in the market, whether transitions can occur within acceptable timeframes, and whether the organization retains sufficient knowledge to manage such transitions. Exit and substitution plans must be tested, not merely documented.
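The dependency inventory described under identification (providers mapped to critical functions, with subcontracting chains documented) and the concentration assessment described here are two views of the same register. The following is an added illustration, not code from the page or from any DORA tooling: a small in-memory register in which provider and function names are constructed placeholders. It resolves each provider's subcontractor chain, lists critical functions with a single direct provider, detects the case the text warns about where two apparently substitutable providers share the same fourth party (hidden concentration), and counts how many critical functions each node ultimately underpins. The `threshold` value of two critical functions is an assumed flagging rule, not a DORA figure.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Provider:
    """A direct ICT provider and the subcontractors (fourth parties) it relies on."""
    name: str
    subcontractors: list[str] = field(default_factory=list)


@dataclass
class Function:
    """A business function, its criticality, and the direct providers able to deliver it."""
    name: str
    critical: bool
    providers: list[str]


# Constructed sample register: names are placeholders, not real vendors.
PROVIDERS = {
    "CloudA": Provider("CloudA", ["DataCentreX"]),
    "CloudB": Provider("CloudB", ["DataCentreX"]),   # same fourth party as CloudA
    "PayHub": Provider("PayHub"),
    "CoreSwitch": Provider("CoreSwitch", ["NetCarrierY"]),
}
FUNCTIONS = [
    Function("payments", True, ["PayHub"]),
    Function("core-banking-hosting", True, ["CloudA", "CloudB"]),
    Function("customer-portal", True, ["CloudA"]),
    Function("marketing-analytics", False, ["CloudB"]),
]


def dependency_chain(name, providers, _seen=None):
    """Return every node a provider ultimately depends on, itself included.
    Fourth parties absent from the register are treated as leaves; a visited
    set guards against cycles in the subcontracting data."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return seen
    seen.add(name)
    for sub in providers.get(name, Provider(name)).subcontractors:
        dependency_chain(sub, providers, seen)
    return seen


def single_provider_functions(functions):
    """Critical functions with exactly one direct provider and so no substitute."""
    return [f.name for f in functions if f.critical and len(f.providers) == 1]


def hidden_shared_dependencies(functions, providers):
    """Critical functions with several direct providers whose subcontractor
    chains all pass through a common node: apparent substitutability that
    collapses to one dependency."""
    out = {}
    for f in functions:
        if not f.critical or len(f.providers) < 2:
            continue
        chains = [dependency_chain(p, providers) - {p} for p in f.providers]
        shared = set.intersection(*chains)
        if shared:
            out[f.name] = shared
    return out


def concentration(functions, providers, threshold=2):
    """Count how many critical functions each node (direct provider or fourth
    party) underpins, and flag nodes at or above the assumed threshold."""
    counts = Counter()
    for f in functions:
        if not f.critical:
            continue
        nodes = set()
        for p in f.providers:
            nodes |= dependency_chain(p, providers)
        counts.update(nodes)
    flagged = {n for n, c in counts.items() if c >= threshold}
    return dict(counts), flagged


if __name__ == "__main__":
    print("single-provider critical functions:", single_provider_functions(FUNCTIONS))
    print("hidden shared fourth parties:", hidden_shared_dependencies(FUNCTIONS, PROVIDERS))
    counts, flagged = concentration(FUNCTIONS, PROVIDERS)
    print("critical functions per node:", counts)
    print("concentration flags:", flagged)
```

On the sample data the customer portal and payments are single-provider exposures, and core-banking hosting looks dual-sourced until the chain resolution shows both providers sit on the same data centre operator, which is why the fourth party ends up flagged alongside the largest direct provider. The same register feeds the exit-planning step: each flagged node is a candidate for a documented and tested substitution plan.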
ICT third-party risk must be managed through risk-based, lifecycle-oriented processes with contractual enforceability and supervisory auditability. DORA emphasizes dependency control and exit feasibility.
NIS2 Alignment
NIS2 supply-chain security expectations complement DORA's focus on ICT dependencies, requiring entities to manage security risks throughout the supply chain and maintain incident response capabilities.
ISO/IEC 27001
ISO/IEC 27001 supplier relationship controls provide the foundational framework for managing information security risks in third-party relationships, supporting DORA compliance objectives.
SOC 2 Assurance
SOC 2 reports provide independent assurance over service organization controls, offering evidence of provider security and availability controls to support due diligence and ongoing oversight.
Financial entities should leverage existing regulatory and assurance frameworks to build comprehensive ICT third-party risk programs that satisfy multiple regulatory requirements while avoiding duplicative effort.
Evidence supporting this domain must demonstrate active dependency governance, not merely the presence of contracts or policies. Supervisors expect financial entities to show how they make and monitor decisions about critical ICT dependencies.
Required Evidence Categories
Dependency Inventory
Complete ICT third-party inventories with criticality classifications and function mappings
Assessment Records
Due diligence reports, risk assessments, and approval documentation
Contract Documentation
Contracts containing resilience clauses, SLAs, and supervisory access provisions
Oversight Evidence
Monitoring reports, incident records, and exit planning documentation
Supervisory Focus Areas
Supervisors will examine whether financial entities have visibility into dependency decisions and maintain viable fallback options. They expect evidence of tested exit plans, not theoretical substitution possibilities.
Common Failure Patterns
Critical services dependent on single providers without alternatives
Contracts lacking enforceable resilience terms
Untested or absent exit and substitution plans
Limited visibility into subcontractors and fourth parties
Inadequate monitoring of provider performance and incidents
These failures often result in systemic resilience exposure that becomes apparent only during provider incidents or relationship terminations.
This page provides a comprehensive framework for understanding and implementing ICT Third-Party Risk requirements under DORA. Financial entities should use this guidance to assess their current state, identify gaps, and develop remediation plans.
Resilience Assessment
Evaluate your organization's exposure to ICT dependencies and identify concentration risks that could impact critical operations
DORA Preparation
Prepare for supervisory focus on third-party risk by ensuring evidence demonstrates active governance and exit feasibility
Cross-Function Alignment
Align procurement, legal, risk, and resilience functions around shared third-party risk management objectives
Executive Communication
Explain third-party risk to executive management using the framework and evidence requirements outlined here
ICT Third-Party Risk answers a core DORA question: "Can the organization remain resilient if a critical ICT provider fails?"
By systematically addressing identification, assessment, contracting, monitoring, and exit planning, financial entities can demonstrate to supervisors that they maintain control over critical ICT dependencies and can sustain operations even when third-party relationships fail.