Policy · Credibility 94/100 · 2 min read

Policy Briefing — September 8, 2025

Eight months into the Digital Operational Resilience Act, EU supervisors are demanding Article 28 ICT third-party registers and harmonised incident evidence ahead of Q4 2025 reviews.

Executive briefing: The Digital Operational Resilience Act (DORA) has applied to EU financial entities since January 17, 2025. By September, competent authorities are benchmarking banks, insurers, payment institutions, and investment firms on their maintenance of the Article 28 register that lists every information and communication technology (ICT) third-party provider. Entities must also file major incident reports using the forthcoming European Supervisory Authorities’ taxonomy, with 24-hour initial notices and final reports due within one month. Supervisors are beginning horizontal reviews, so operations, risk, and procurement teams must demonstrate consistent data quality and escalation discipline.

Key compliance checkpoints

  • Register completeness. Ensure each ICT arrangement is classified by service type, criticality, location, subcontracting chain, and exit strategy, as Articles 28 and 30 demand.
  • Incident playbooks. Align severity thresholds with the joint ESA final draft regulatory technical standards and test clock-start triggers for availability, integrity, confidentiality, or authenticity impacts.
  • Board oversight. Present quarterly dashboards showing concentration risk metrics, contractual remediation progress, and incident trends to the management body as required by Article 5.

Operational priorities

  • Data integration. Feed procurement, risk, and service management systems into a master register to avoid gaps or stale entries when regulators request exports.
  • Testing cadence. Document advanced threat-led penetration testing (TLPT) plans and ensure critical third parties participate ahead of the 2025-2026 testing cycle.
  • Exit readiness. Rehearse contingency plans for critical providers, including playbooks for invoking termination rights or switching to alternate suppliers within required timeframes.

Enablement moves

  • Deploy automated controls to monitor SLA breaches, security incidents, and unresolved audit findings across critical providers.
  • Align contract templates with Article 30 clauses covering access, audit, subcontracting, and cooperative testing commitments.

Zeph Tech consolidates ICT third-party registers, automates ESA incident reporting, and orchestrates remediation workflows across financial entities.
