DORA for ICT Providers: Third-Party Risk and Incident Reporting
Since January 2025, DORA applies in the financial sector, with consequences for every supplier. What the register of information, reporting chains and the first critical designations mean.
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), has applied to the European financial sector since 17 January 2025. Since 19 November 2025, oversight has become concrete: the European Supervisory Authorities EBA, EIOPA and ESMA published the first official list of 19 ICT third-party providers designated as critical, among them AWS, Google Cloud, Microsoft, Oracle, SAP, IBM and Deutsche Telekom. The list is updated annually.
The instinctive reaction of many IT providers is: this does not concern me, I am not a bank. That is a fallacy. DORA travels down the supply chain.
Why the regulation reaches every supplier
Financial entities carry the risk of their ICT outsourcing themselves and must manage it demonstrably. By 30 April 2025 they had to report their register of information, a complete record of all contractual arrangements with ICT third-party providers. With that, every outsourcing is visible to the regulator, including those to non-critical providers.
Whatever obligations the financial entity carries, it passes on contractually to its providers. In practice, financial customers now demand:
- DORA-compliant contract clauses with clear performance, security and termination terms.
- Audit and access rights, so that the customer and the regulator can inspect.
- Transparency over sub-outsourcing, that is, who else sits behind the provider.
- Reporting chains for incidents, fast enough for the financial customer to meet its own deadlines.
- Exit and continuity plans, along with evidence from resilience testing.
Incident reporting is a chain, not a form
For major ICT incidents, DORA requires staggered reporting: an initial notification within a few hours of classification, an intermediate report and a final report within one month. For suppliers this means: the incident must not only be detected internally, the financial customer must be informed in time to keep its own regulatory clock. Whoever reports too late or too vaguely endangers the customer’s compliance, and with it the business relationship.
Designated critical means direct oversight
Whoever is named a critical ICT third-party provider falls under the direct oversight of a lead overseer at EU level. Because the list is updated annually, the designation is not a static state: whoever is not listed today may be listed as their importance to the financial sector grows.
What makes sense now
For ICT providers with financial customers, it pays to review your own contracts for DORA clauses, document sub-outsourcing cleanly, and rehearse incident reporting so that the chain up to the financial customer holds within hours. In our Datargo Monitor module, monitoring, an incident engine and an append-only audit trail interlock so that the evidence for such reporting chains can be produced. The point itself, though, is independent of any tool, namely to document your own resilience so that the financial customer can rely on it.
DORA is not a banking topic alone. It is the requirement your financial customers now pass on to you.