Regulatory Compliance

EU’s DORA transforms third-party risk management into a regulatory imperative with critical ICT provider oversight

Wednesday, 10 December 2025 7:44AM UTC

The Digital Operational Resilience Act (DORA) has elevated third-party risk management from best practice to a binding requirement across the EU financial sector, with new oversight on critical ICT providers reshaping compliance and supplier oversight standards.

The Digital Operational Resilience Act (DORA) has recast third‑party risk management from a best practice into a binding regulatory backbone for financial entities across the EU, placing the management of ICT third‑party providers at the centre of operational resilience obligations. According to the original report, Articles 28–44 set out firms’ duties to integrate ICT third‑party risk into their overall ICT risk frameworks, retain ultimate responsibility for regulatory compliance when outsourcing, and apply proportionate controls to suppliers that support critical functions. ^[1]^[4]

Regulatory detail has been fleshed out by the European Supervisory Authorities (EBA, EIOPA and ESMA) through Regulatory Technical Standards that specify ICT risk‑management frameworks, incident classification, templates for supplier information and contractual expectations. Industry guidance places particular emphasis on pre‑contractual due diligence, ongoing monitoring, audit rights and clear termination and exit arrangements to limit legal and operational spill‑over from supplier failure. Firms are expected to demonstrate these controls in line with accepted audit standards and to document risk‑based audit frequencies. ^[1]^[6]

Practical implementation coalesces around a repeatable lifecycle: identify and map ICT assets and service dependencies; tier suppliers by criticality; perform rigorous due diligence; embed contractual safeguards and audit rights; test recovery and transition plans regularly; and maintain a single source of truth for responsibilities, reporting and incident communication. The original report sets out a six‑step framework that mirrors this lifecycle and stresses that disruption testing should replicate realistic cyber scenarios with regulatory reporting obligations , notably the 72‑hour window for major ICT incidents. ^[1]^[6]^[7]

Organisational culture and governance are central. DORA expects senior‑level accountability, cross‑department collaboration between procurement, TPRM, business continuity and risk teams, and the embedding of operational resilience into procurement and onboarding decisions. Operational resilience is presented not as a one‑off compliance exercise but as an ongoing programme of resilience testing, staff education and continuous vendor performance oversight. Industry advisors say such cultural shifts are as important as technical controls. ^[1]^[6]^[7]

A material escalation in supervision arrived on 18 November 2025 when the three European Supervisory Authorities published a list of designated critical ICT third‑party providers under DORA. The designation follows a criticality assessment based on financial entities’ registers of information and gives supervisory authorities enhanced oversight powers over providers deemed systemic to the EU financial sector’s stability. The ESAs have also been mandated to pursue international cooperation arrangements and to report periodically on third‑country engagement, recognising the global footprint of many ICT suppliers. This supervisory step materially raises the bar for providers and obliges financial firms to prioritise segregation of Critical ICT Third‑Party Providers (CTPPs) in their vendor tiering and monitoring regimes. ^[2]^[3]^[5]

For financial institutions the immediate implications are concrete: update contractual terms and termination clauses; strengthen audit, testing and exit planning for CTPPs; escalate due diligence and continuous monitoring for high‑criticality suppliers; and ensure internal reporting and incident playbooks align with regulator expectations. Industry data and advisory publications highlight that firms which mapped assets, implemented attack surface management and conducted regular recovery exercises were materially better prepared for the supervisory scrutiny DORA now enables. ^[1]^[6]^[7]

Vendors and platform providers are positioning services to meet demand. The company claims its vendor risk platforms can automate vendor tiering, DORA mapping to standards such as NIST CSF and ISO 27001, and provide continuous monitoring and reporting. Firms should treat such vendor claims with editorial distance and validate them as part of procurement and due diligence, while also recognising that third‑party tooling can materially accelerate compliance workflows when matched to internal governance and testing programmes. ^[1]

##Reference Map:

^[1] (UpGuard blog) - Paragraph 1, Paragraph 3, Paragraph 4, Paragraph 6, Paragraph 7
^[4] (Digital‑Operational‑Resilience‑Act.com Article 28) - Paragraph 1
^[6] (PwC publication) - Paragraph 2, Paragraph 3, Paragraph 4
^[7] (Accesa article) - Paragraph 4, Paragraph 6
^[2] (EBA press release) - Paragraph 5
^[3] (ESMA press release) - Paragraph 5
^[5] (Digital‑Operational‑Resilience‑Act.com Article 44) - Paragraph 5

Source: Noah Wire Services

More on this

https://www.upguard.com/blog/meeting-third-party-risk-requirements-of-dora - Please view link - unable to able to access data
https://www.eba.europa.eu/publications-and-media/press-releases/european-supervisory-authorities-designate-critical-ict-third-party-providers-under-digital - On 18 November 2025, the European Supervisory Authorities (EBA, EIOPA, and ESMA) published a list of designated critical ICT third-party providers under the Digital Operational Resilience Act (DORA). This designation is a significant step in implementing the DORA oversight framework, aiming to enhance the operational resilience of the EU's financial sector by ensuring that critical ICT service providers meet appropriate risk management and governance standards.
https://www.esma.europa.eu/press-news/esma-news/esma-designates-critical-ict-third-party-providers-under-digital-operational-resilience-act - The European Supervisory Authorities (EBA, EIOPA, and ESMA) have designated critical ICT third-party providers under the Digital Operational Resilience Act (DORA). This designation process involved collecting data from financial entities' Registers of Information and conducting a detailed criticality assessment in cooperation with Competent Authorities across the EU. The aim is to ensure that critical ICT service providers have appropriate risk management and governance frameworks to support the operational resilience of the financial sector.
https://www.digital-operational-resilience-act.com/Article_28.html - Article 28 of the Digital Operational Resilience Act (DORA) outlines the general principles for managing ICT third-party risk. It mandates that financial entities integrate ICT third-party risk management into their overall ICT risk management framework. The article emphasizes the importance of financial entities remaining fully responsible for compliance with all obligations under DORA and applicable financial services law, even when using ICT services provided by third parties.
https://www.digital-operational-resilience-act.com/Article_44.html - Article 44 of the Digital Operational Resilience Act (DORA) addresses international cooperation on ICT third-party risk. It allows the European Supervisory Authorities (EBA, ESMA, and EIOPA) to conclude administrative arrangements with third-country regulatory and supervisory authorities to foster international cooperation. The article also mandates the ESAs to submit a joint confidential report every five years to the European Parliament, Council, and Commission, summarizing discussions with third-country authorities on ICT third-party risk and its implications for financial stability.
https://www.pwc.com/mt/en/publications/technology/dora.html - PwC's publication on the Digital Operational Resilience Act (DORA) provides an overview of the regulation's five-pillar framework, which includes ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. The publication emphasizes the importance of DORA in helping firms ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats, thereby enhancing the operational resilience of the financial sector.
https://www.accesa.eu/resources/prioritising-third-party-risk-management-under-dora - Accesa's article discusses the significance of prioritizing third-party risk management under the Digital Operational Resilience Act (DORA). It highlights the growing reliance of financial institutions on third-party ICT service providers, such as cloud services and fintech partnerships, and the associated risks. The article underscores the need for stringent oversight to ensure that these providers meet high cybersecurity and resilience standards, thereby enhancing the operational resilience of the financial sector.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 10

Notes: The narrative is current, published on December 1, 2025, and addresses recent developments in DORA compliance. No evidence of recycled content or republishing across low-quality sites was found. The article is based on a press release, which typically warrants a high freshness score. No discrepancies in figures, dates, or quotes were identified. No similar content appeared more than 7 days earlier. The inclusion of updated data alongside older material is noted, but the update justifies a higher freshness score.

Quotes check

Score: 10

Notes: No direct quotes were identified in the narrative. The content appears to be original or exclusive.

Source reliability

Score: 10

Notes: The narrative originates from UpGuard, a reputable organisation known for its expertise in cybersecurity and risk management. This enhances the credibility of the report.

Plausibility check

Score: 10

Notes: The claims made in the narrative are plausible and align with current developments in DORA compliance. The report includes specific factual anchors, such as dates and references to regulatory bodies, which support its credibility. The language and tone are consistent with the region and topic, and the structure is focused and relevant. No excessive or off-topic detail was noted, and the tone is appropriately formal for a corporate communication.

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative is current, original, and originates from a reputable organisation. The claims are plausible, supported by specific factual anchors, and presented in a consistent and formal tone. No significant credibility risks were identified.

Digital Operational Resilience Act
third-party risk management
EU regulation