
Policy · Credibility 94/100 · 2 min read

Policy Briefing — September 9, 2025

Supervisors preparing Q4 DORA inspections expect evidence that ICT third-party registers of information, critical-or-important classifications, and exit strategies satisfy Articles 28 and 30 across EU financial groups.

Executive briefing: The Digital Operational Resilience Act (DORA) has applied since 17 January 2025. Article 28(3) requires banks, insurers, and other financial entities to maintain and keep current a register of information covering all contractual arrangements with ICT third-party service providers, distinguishing those that support critical or important functions. The register template set out in the implementing technical standards (Commission Implementing Regulation (EU) 2024/2956) captures, among other fields, the services consumed, the sensitivity of the data involved, the locations of service provision and data storage, and the subcontracting chain. Supervisory authorities are requesting evidence of criticality assessments, contractual minimums, and documented exit plans as they prepare thematic reviews for late 2025.

Key governance checkpoints

  • Inventory completeness. Reconcile procurement, security, and architecture records to ensure every ICT dependency appears in the DORA register, including shadow IT and intra-group shared services.
  • Criticality classification. Apply the Article 3(22) definition of a critical or important function (a function whose disruption would materially impair financial performance, the soundness or continuity of services, or continued compliance with authorisation conditions) and record the distinction in the register as Article 28(3) requires, linking each critical or important service to its resilience requirements, testing cadences, and incident thresholds.
  • Contract validation. Confirm agreements contain the Article 30(2) minimum clauses (service description, locations of service provision and data processing, availability, authenticity, integrity and confidentiality of data, incident assistance, cooperation with competent authorities, termination rights) and, for critical or important functions, the Article 30(3) additions: full service-level descriptions, unrestricted access, inspection and audit rights for the entity and the competent authority, participation in threat-led penetration testing, and exit strategy terms.
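The inventory-completeness and contract checks above are routinely done by hand in spreadsheets; the following added example (not part of the briefing or of any vendor tooling) shows the reconciliation as code. It normalises provider names across three constructed source inventories, flags any dependency absent from the register, and flags register rows that lack the fields the briefing names or that are marked critical or important without an exit strategy reference. The field names, provider names and sample rows are all assumptions made for illustration; a real register uses the ITS template columns.

```python
"""Reconcile internal inventories against a DORA register of information.

Added example, not from the briefing. All source names, field names and
sample rows below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Register fields the briefing names as mandatory (assumed column names;
# the authoritative list is the register ITS template).
REQUIRED_FIELDS = ("services", "data_classification", "locations", "subcontractors")

# Legal-form suffixes stripped so 'Acme Cloud Ltd.' and 'ACME Cloud' match.
_SUFFIXES = re.compile(r"\b(ltd|limited|inc|gmbh|sa|se|plc|llc)\b\.?")


def normalise(name: str) -> str:
    """Collapse vendor-name variants into one comparison key."""
    key = _SUFFIXES.sub("", name.lower())
    key = re.sub(r"[^a-z0-9]+", " ", key)
    return key.strip()


@dataclass
class Finding:
    provider: str
    issue: str
    sources: list = field(default_factory=list)


def reconcile(register, inventories):
    """register: list of dicts, one per contractual arrangement, keyed by 'provider'.
    inventories: dict of source-system name -> list of provider names seen there.
    Returns a list of Finding in deterministic order (gaps first, then register defects)."""
    reg_by_key = {normalise(r["provider"]): r for r in register}

    # Which inventories mention each normalised provider, and the first raw spelling seen.
    seen_sources, first_name = {}, {}
    for source, names in inventories.items():
        for raw in names:
            key = normalise(raw)
            seen_sources.setdefault(key, set()).add(source)
            first_name.setdefault(key, raw)

    findings = []
    # 1. Dependencies present in procurement/security/architecture but not in the register.
    for key in sorted(seen_sources):
        if key not in reg_by_key:
            findings.append(Finding(first_name[key], "missing from register",
                                    sorted(seen_sources[key])))
    # 2. Register rows with empty mandatory fields or no exit strategy where one is required.
    for row in register:
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            findings.append(Finding(row["provider"], "incomplete: " + ", ".join(missing)))
        if row.get("critical_or_important") and not row.get("exit_strategy"):
            findings.append(Finding(row["provider"], "critical/important without exit strategy"))
    return findings


# Constructed sample data: two register rows and three partial inventories.
SAMPLE_REGISTER = [
    {"provider": "Acme Cloud Ltd.", "services": "IaaS hosting", "data_classification": "confidential",
     "locations": "IE, DE", "subcontractors": "none", "critical_or_important": True,
     "exit_strategy": "EXIT-001"},
    {"provider": "Northwind Payments SA", "services": "card processing", "data_classification": "",
     "locations": "FR", "subcontractors": "Contoso DC", "critical_or_important": True,
     "exit_strategy": ""},
]
SAMPLE_INVENTORIES = {
    "procurement": ["ACME Cloud", "Northwind Payments", "Fabrikam Analytics Inc"],
    "security": ["Acme Cloud Ltd", "Fabrikam Analytics"],
    "architecture": ["Northwind Payments SA", "Tailspin Backup GmbH"],
}


def run_sample():
    """Run the reconciliation over the constructed data and return the findings."""
    return reconcile(SAMPLE_REGISTER, SAMPLE_INVENTORIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.provider}: {f.issue}" + (f" (seen in {', '.join(f.sources)})" if f.sources else ""))
```

The name normalisation is the part that needs the most care in practice: a provider that appears under three spellings across procurement, security and architecture tooling will otherwise show up as three separate gaps, or worse, hide a real gap behind a near-match. Keying on a supplier identifier (for example the LEI the ITS template asks for) rather than on free-text names removes that problem where the source systems carry one.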

Operational priorities

  • Exit strategy rehearsal. Produce the scenario-based exit and transition plans Article 28(8) requires for services supporting critical or important functions, including timelines, resource estimates, and fallback tooling, and rehearse at least one of them rather than filing them untested.
  • Incident integration. Ensure incidents reported by third-party providers feed the Article 18 classification process and, where an incident is classified as major, the Article 19 notification timeline (initial notification within four hours of classification and no later than 24 hours after becoming aware, followed by the intermediate and final reports).
  • Board reporting. Prepare quarterly dashboards for management bodies summarizing concentration risk, remediation progress, and upcoming supervisory requests.

Enablement moves

  • Align the DORA register taxonomy with existing supplier risk tools to avoid double maintenance.
  • Conduct tabletop exercises with procurement, legal, and technology risk teams to validate end-to-end response when a critical provider fails.

Sources

Zeph Tech readies financial institutions for DORA supervisory reviews by industrializing ICT third-party registers, criticality scoring, and exit strategy playbooks.

  • Operational resilience
  • Third-party risk
  • Financial services
  • EU regulation