The Third-Party Tangled Web
Vendor risk in a hyper-connected ecosystem
DORA's third-party requirements extend to every ICT service provider you use. Cloud hosting. Software vendors. Payment processors. Data analytics platforms. Managed security services. Every vendor supporting your operations falls within scope if they handle your data or support your infrastructure. 17% of organizations cite vendor due diligence and risk assessments as their primary DORA challenge [5]. And the complexity has increased. The European Supervisory Authorities designated Critical Third-Party Providers (CTPPs) in July 2025, bringing major technology vendors under direct EU oversight for the first time. For financial institutions, this creates a multi-tiered vendor landscape requiring different management approaches:
- Critical Third-Party Providers (CTPPs), which are subject to direct regulatory oversight
- Providers supporting your Critical or Important Functions (CIFs), which require enhanced oversight
- Other providers, which require proportionate risk assessment
DORA Article 28 requires a comprehensive register of all ICT third-party arrangements, documenting: identity and location, services provided and which CIFs they support, data location and processing details, contractual arrangements including exit strategies, subcontracting relationships, and criticality assessment. According to the Association for Financial Markets in Europe (AFME), the third-party register emerged as "one of the top implementation challenges consistently reported" given its large volume of data fields and breadth of required information.
The operational reality of third-party monitoring
Third-party risk under DORA isn't about achieving a perfect vendor portfolio - that's impossible. It's about establishing proportionate, continuous oversight that provides genuine visibility into where your operational resilience depends on external parties. Your vendor's failure becomes your regulatory problem. Accountability flows upward, not outward.
[5] Deloitte European DORA Survey, 2025
Strategic steps to overcome this blocker
1. Adopt continuous vendor monitoring capabilities
Point-in-time vendor assessments cannot meet DORA's continuous monitoring expectations.
Modern third-party risk management technology enables:
- Automated, ongoing collection of vendor security posture indicators
- Real-time alerts when vendor risk scores deteriorate or compliance status changes
- Centralized vendor risk reporting accessible to both risk owners and board-level executives
This shifts third-party risk from annual assessment exercises to continuous, data-driven oversight.
2. Build concentration risk visibility
Map your vendor relationships to identify where multiple CIFs depend on the same provider. Document your mitigation strategy:
- Multi-cloud architectures where feasible
- Contractually guaranteed redundancy
- Formal acceptance of concentration risk with board-level acknowledgment
Regulators want to see that you understand your single points of failure and have either mitigated them or consciously accepted the risk.
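As an added illustration of the mapping step above (example code, not the article's own), the routine below walks a constructed Article 28-style register, resolves subcontracting chains so that fourth parties count too, and flags providers on which several CIFs depend. The field names, vendor names and CIF labels are assumptions for the example; real registers follow the ESAs' reporting templates.

```python
from collections import defaultdict

# Constructed sample register: one row per ICT third-party arrangement.
# "subcontractors" lists the nth-party providers behind the direct vendor.
REGISTER = [
    {"provider": "CloudCo", "service": "hosting",
     "cifs": {"trading"}, "subcontractors": []},
    {"provider": "PayGateway", "service": "card processing",
     "cifs": {"payments"}, "subcontractors": ["CloudCo", "DNSProvider"]},
    {"provider": "AnalyticsInc", "service": "risk analytics",
     "cifs": {"trading"}, "subcontractors": ["CloudCo"]},
    {"provider": "MSSP-X", "service": "security monitoring",
     "cifs": {"payments", "trading", "custody"}, "subcontractors": []},
    {"provider": "BackupLtd", "service": "backup",
     "cifs": {"custody"}, "subcontractors": ["DNSProvider"]},
]


def cif_dependencies(register):
    """Map every provider, direct or reached via subcontracting, to the
    set of CIFs that ultimately depend on it."""
    deps = defaultdict(set)
    for row in register:
        deps[row["provider"]] |= row["cifs"]
        for sub in row["subcontractors"]:
            deps[sub] |= row["cifs"]  # the CIF inherits the fourth-party dependency
    return dict(deps)


def concentration_points(register, threshold=2):
    """Providers on which at least `threshold` CIFs depend, worst first."""
    deps = cif_dependencies(register)
    hits = [(p, sorted(c)) for p, c in deps.items() if len(c) >= threshold]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def hidden_concentration(register, threshold=2):
    """Providers that cross the threshold only once subcontracting is
    counted: single points of failure a direct-vendor-only view misses."""
    direct = defaultdict(set)
    for row in register:
        direct[row["provider"]] |= row["cifs"]
    full = cif_dependencies(register)
    return sorted(p for p, c in full.items()
                  if len(c) >= threshold and len(direct.get(p, set())) < threshold)


if __name__ == "__main__":
    for provider, cifs in concentration_points(REGISTER):
        print(f"{provider}: {', '.join(cifs)}")
    print("hidden via subcontracting:", hidden_concentration(REGISTER))
```

In the sample data, CloudCo and DNSProvider only surface as concentration points once subcontracting is resolved, which is the gap a register limited to direct arrangements leaves open.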