← Back to all briefings
Policy 5 min read Published Updated Credibility 50/100

Policy Briefing — September 9, 2025

Supervisors preparing Q4 DORA inspections want proof that ICT third-party registers, criticality scores, and exit strategies satisfy Articles 28 and 30 across EU financial groups.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: The Digital Operational Resilience Act (DORA) has applied since 17 January 2025. Article 28 now requires banks, insurers, and other financial entities to maintain a comprehensive register of all ICT third-party service providers, capturing services consumed, data classifications, geographic locations, and subcontracting arrangements. Supervisory authorities are requesting evidence of criticality assessments, contractual minimums, and documented exit plans as they prepare thematic reviews for late 2025.

Key governance checkpoints

  • Inventory completeness. Reconcile procurement, security, and architecture records to ensure every ICT dependency appears in the DORA register, including shadow IT and intra-group shared services.
  • Criticality scoring. Apply Article 28(3) criteria to classify services as critical or important, linking each to resilience requirements, testing cadences, and incident thresholds.
  • Contract validation. Confirm agreements incorporate mandatory clauses on availability, integrity, confidentiality, location of data, and unrestricted access for competent authorities.

Operational priorities

  • Exit strategy rehearsal. Produce scenario-based exit and transition plans for critical providers, including timelines, resource estimates, and fallback tooling.
  • Incident integration. Ensure third-party incident reporting flows into DORA Article 19 incident classification and notification processes within the mandated timelines.
  • Board reporting. Prepare quarterly dashboards for management bodies summarizing concentration risk, remediation progress, and upcoming supervisory requests.

Enablement moves

  • Align the DORA register taxonomy with existing supplier risk tools to avoid double maintenance.
  • Conduct tabletop exercises with procurement, legal, and technology risk teams to validate end-to-end response when a critical provider fails.

Sources

Zeph Tech readies financial institutions for DORA supervisory reviews by industrializing ICT third-party registers, criticality scoring, and exit strategy playbooks.

Timeline plotting source publication cadence sized by credibility.
3 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Operational resilience
  • Third-party risk
  • Financial services
  • EU regulation
Back to curated briefings