DORA and ICT Third-Party Risk Management (TPRM)

With the Digital Operational Resilience Act (DORA), ICT Third-Party Risk Management (TPRM) has come under closer scrutiny from supervisory authorities than ever before. Financial institutions today rely heavily on external IT and cloud service providers. This is exactly where DORA comes into play: risks arising from ICT services must be systematically identified, mitigated, and continuously monitored.

Financial institutions are increasingly dependent on external ICT providers such as cloud service providers, SaaS platforms, and managed service providers. Disruptions or security incidents at these third parties can directly impact critical business processes.

DORA therefore requires firms to actively manage third-party risks instead of merely outsourcing them contractually.

Key DORA Requirements for ICT Third-Party Risk Management

1. Classification of Critical and Important ICT Services

DORA requires a risk-based classification of ICT services to determine which are considered critical or important. This classification depends on the extent to which an ICT service supports critical or important business functions. Business functions are deemed critical if their failure could lead to regulatory breaches, significant financial losses, or major disruptions to business operations.

DORA expects a systematic analysis to identify critical and important business functions. The results must be clearly documented and fully traceable.

2. Risk Assessments and Due Diligence under DORA

Before engaging an ICT service provider, organizations must conduct a structured risk assessment, covering in particular:

  • Information security
  • Business continuity management
  • Concentration risk
  • Conflicts of interest
  • Contractual and regulatory risks
  • Governance and control capabilities
  • Risks arising from ICT subcontracting

For identified risks, appropriate organizational and technical mitigation measures must be defined and implemented.

3. Contractual Requirements for ICT Service Providers

Contracts with ICT third parties must meet minimum DORA requirements, including:

  • Clear description of services
  • Contract start, end, and termination periods
  • Termination rights
  • Rules on ICT subcontracting
  • Mandatory ICT incident notification
  • Audit, access, and information rights
  • Exit and substitution clauses

In practice, many existing contracts do not yet fully comply with these requirements.

4. Full Transparency over ICT Service Providers

Organizations must maintain a complete register (information register) of all ICT third parties and ICT services, including:

  • Business functions and their criticality
  • Information on group entities
  • Contractual details
  • Detailed risk information related to ICT services
  • Subcontractors and supply chains
  • Internal definitions and criteria for ICT third-party risk management

This register must be kept up to date at all times and made available to supervisory authorities and auditors upon request in a prescribed format.

5. Ongoing Monitoring of ICT Third Parties

DORA requires continuous monitoring of ICT third parties, for example through:

  • Regular risk and performance assessments
  • Monitoring and remediation measures in case of underperformance
  • Defined escalation processes

6. Exit and Substitution Strategies

Organizations must be able to demonstrate that they can exit critical ICT services without materially impacting business operations. This includes:

  • Documented exit plans
  • Realistic substitution scenarios
  • Data migration and transition concepts

Typical Challenges in DORA Implementation

In practice, organizations often face:

  • Lack of transparency across ICT supply chains
  • Siloed processes between IT, procurement, risk, legal, and compliance
  • High manual documentation effort
  • Legacy contracts that are not DORA-compliant

Best Practices for DORA-Compliant Third-Party Risk Management

An effective ICT Third-Party Risk Management framework under DORA is:

  • Integrated into ISMS, BCM, and enterprise TPRM
  • Tool-supported and automated
  • Transparent and auditable

This approach enables sustainable compliance and audit readiness.

Conclusion: DORA as an Opportunity for Stronger Resilience

DORA elevates ICT Third-Party Risk Management to a core pillar of digital operational resilience. Organizations that establish transparency early, manage risks in a structured manner, and actively monitor their supply chains will not only meet regulatory requirements but also strengthen their long-term operational stability.

With Leno TPRM, you implement a comprehensive software solution for outsourcing management and third-party risk management – AI-powered, user-friendly, and always up to date.
