TL;DR The Digital Operational Resilience Act (Regulation (EU) 2022/2554) has applied since 17 January 2025 and requires financial entities to manage their ICT third-party providers in a structured way. This page covers how to assess vendors, which contract clauses are mandatory, what belongs in the ICT register, and what changes when a vendor is designated "critical".
Who DORA applies to
DORA applies to nearly all financial entities in the EU:
- Credit institutions (including small savings banks and cooperative banks)
- Investment firms, crypto-asset service providers
- Insurance and reinsurance undertakings
- Payment and e-money institutions
- Investment-fund management companies
- Trading venues, central counterparties and data reporting service providers
In Germany, BaFin is the national supervisor. The European Supervisory Authorities (ESAs) designate critical ICT third-party providers and oversee them directly through a Lead Overseer.
Why third parties are the DORA risk
In practice, financial institutions rarely deliver their full IT stack themselves. Cloud providers, core-banking providers, compliance SaaS, market-data suppliers, identity services, AI-model providers. Each can disrupt the bank's operations. DORA turns these dependencies into a regulated obligation.
Key DORA articles on third-party risk:
- Article 28: General principles for ICT third-party risk management, including the pre-contractual assessment (Article 28(4)) and the register of information (Article 28(3))
- Article 29: Preliminary assessment of ICT concentration risk at entity level
- Article 30: Mandatory contract clauses
- Articles 31-44: Oversight framework for critical ICT third-party providers
Closing or renewing ICT contracts in 2026 without DORA clauses risks supervisory findings and, in repeated cases, an order to terminate the contract.
Vendor assessment before contract
Article 28(4) requires a documented assessment before any ICT contract is signed, and Article 29 a preliminary assessment of the concentration risk the arrangement adds. Items that belong in any vendor review:
1. Service criticality. What function is being outsourced? Which business processes depend on it? What damage results from failure?
2. Concentration risk. How many of our ICT services already run through this vendor? How many of our competitors also? Are there cluster risks (e.g. two providers that share the same owner or the same underlying infrastructure)?
3. Geography and law. Where is data processed, where stored? Which legal regime applies in disputes? Third-country jurisdiction risks and the EU data-protection regime are all relevant.
4. Sub-contractor chain. Who are our vendor's vendors? DORA covers the whole chain, not just the first contract partner.
5. Security maturity. Certifications (ISO 27001, SOC 2 Type II), penetration-test reports, vulnerability management, incident history.
6. Financial stability. Vendor going-concern risk: insolvency risk, ownership structure, exit strategy.
7. Exit capability. How do we get out of the contract? Data portability, transition periods, reversibility.
This assessment must be documented, approved by the board, and updated at regular intervals.
Mandatory contract clauses per Article 30
Article 30 lists what every contract on ICT services must contain (Article 30(2)), with additional items where the service supports a critical or important function (Article 30(3)). Highlights:
- Full service description including all functions and service levels
- Geography of data processing with mandatory prior notice on changes
- Data protection, availability, integrity requirements
- Audit and inspection rights for the financial institution AND the competent authority
- Cooperation obligations on security incidents with clear deadlines
- Participation in the financial institution's security awareness and training programmes
- Obligation to participate and fully cooperate in Threat-Led Penetration Tests (TLPT) for critical or important functions
- Exit strategy with transferable data in standardised formats
- Termination rights on serious violations
- Stricter requirements for critical or important functions
Existing contracts must adopt these clauses on renewal or amendment. Transitional provisions give limited room, but in 2026 the transition is over.
The ICT register
Every financial institution must maintain a register of information on all its contractual arrangements for ICT services (Article 28(3)) and provide it to BaFin on request. Contents:
- Vendor identification (name, location, legal form, LEI)
- Service description and criticality classification
- Contract data, term, renewal options
- Sub-contractor chain
- Geography of data processing
- Risk assessment with update date
- Vendor concentration metrics
Many financial institutions still work with Excel lists. That will not survive DORA: the register has to be delivered to the supervisor in the structured template the ESAs prescribe, which a hand-maintained spreadsheet rarely produces without errors. Audit-ready means a versioned ICT repository with role permissions, change logging, and automated supervisory-reporting capability.
Critical ICT third-party providers
Vendors whose failure would have a systemic impact, on which many financial entities rely, and which are hard to substitute can be designated by the ESAs as critical ICT third-party providers (criteria in Article 31(2)). They then come under direct EU oversight by the ESAs. For affected financial institutions this means:
- Additional reporting and cooperation duties
- Possibility of supervisory orders directly against the vendor
- Limited contractual freedom on clauses for service levels, audit rights and exit
The first lists of critical vendors will be published 2025/2026. Anyone running on the large hyperscalers should watch them.
Typical gaps in practice
Three recurring patterns in DORA advisory work:
- Contracts adjusted too late. Old cloud contracts often run 3-5 years and do not contain DORA clauses. The "only applies at renewal" argument is risky, as BaFin can also require adjustments.
- Concentration risk underestimated. Three different SaaS providers all run on the same hyperscaler. If the hyperscaler fails, all three are gone. Diversified on paper, not in reality.
- AI vendors not in the register. LLM APIs, AI compliance tools, language models for customer service: all ICT third-party providers under DORA. If AI services are not in the register, there is a gap.
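The register contents above and the last two gaps are easy to check mechanically once the register is held as data rather than as a spreadsheet. The following is an added example, not code from the original page or from GermanAI Defense: it models a register row with the fields this page lists, validates the vendor LEI (ISO 17442 check digits, ISO 7064 MOD 97-10), follows each arrangement's sub-contractor chain to the provider that ultimately hosts it so that three nominally different SaaS vendors on one hyperscaler surface as a single concentration, and compares egress-proxy CONNECT targets against the endpoints the register claims, which is how an unregistered LLM API shows up. All vendor names, LEIs, hostnames and log lines are constructed; the `Arrangement` field set and the hypothetical proxy-log format are this example's own assumptions.

```python
"""Checks over an ICT third-party register (added example, not part of the original page).
Validates LEIs, resolves sub-contractor chains to the ultimate hosting provider, and flags
egress to endpoints no register entry claims. All vendors, LEIs and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass


def lei_is_valid(lei: str) -> bool:
    """ISO 17442: 20 chars from 0-9/A-Z; A..Z map to 10..35; the number mod 97 must be 1."""
    if len(lei) != 20 or not all(c.isdigit() or "A" <= c <= "Z" for c in lei):
        return False
    return int("".join(str(int(c, 36)) for c in lei)) % 97 == 1


def lei_with_check(prefix18: str) -> str:
    """Append the two ISO 7064 MOD 97-10 check digits to an 18-character prefix."""
    n = int("".join(str(int(c, 36)) for c in prefix18 + "00"))
    return prefix18 + f"{98 - n % 97:02d}"


@dataclass(frozen=True)
class Arrangement:
    # One row of the register; field names follow the list on this page (assumed layout).
    vendor: str
    lei: str
    service: str
    critical: bool                   # supports a critical or important function
    contract_end: str                # ISO date, "" if the term is not recorded
    data_locations: tuple[str, ...]  # countries where data is processed or stored
    subcontractors: tuple[str, ...]  # chain, direct sub-contractor first, host last
    endpoints: tuple[str, ...]       # hostnames the service is reached on


def register_defects(a: Arrangement) -> list[str]:
    """Fields a supervisor would send back: bad LEI, no location, no term, no chain."""
    defects = []
    if not lei_is_valid(a.lei):
        defects.append("lei")
    if not a.data_locations:
        defects.append("data_locations")
    if not a.contract_end:
        defects.append("contract_end")
    if a.critical and not a.subcontractors:
        defects.append("subcontractors")  # chain must be known for critical functions
    return defects


def concentration(register: list[Arrangement]) -> dict[str, list[str]]:
    """Map each ultimate provider (last link of the chain, else the vendor itself)
    to the critical services that depend on it."""
    by_provider: dict[str, list[str]] = defaultdict(list)
    for a in register:
        if a.critical:
            host = a.subcontractors[-1] if a.subcontractors else a.vendor
            by_provider[host].append(f"{a.vendor}/{a.service}")
    return dict(by_provider)


def hidden_concentrations(register: list[Arrangement]) -> dict[str, list[str]]:
    """Providers that underpin critical services bought from two or more different vendors."""
    return {p: svcs for p, svcs in concentration(register).items()
            if len({s.split("/")[0] for s in svcs}) >= 2}


def unregistered_endpoints(proxy_lines: list[str], register: list[Arrangement]) -> set[str]:
    """Hosts seen in CONNECT lines of an egress proxy log that no register entry claims."""
    claimed = {h for a in register for h in a.endpoints}
    seen = {line.split()[-1].rsplit(":", 1)[0] for line in proxy_lines if " CONNECT " in line}
    return seen - claimed


# Constructed register: three nominally different vendors all end on "HyperScale Cloud";
# the fourth row has a malformed (19-character) LEI and records neither location nor term.
REGISTER = [
    Arrangement("CoreBank Systems", lei_with_check("529900EXAMPLE00001"), "core banking",
                True, "2027-12-31", ("DE",), ("HyperScale Cloud",), ("core.corebank.test",)),
    Arrangement("ComplyCheck SaaS", lei_with_check("529900EXAMPLE00002"), "AML screening",
                True, "2026-06-30", ("DE", "IE"), ("HostCo", "HyperScale Cloud"),
                ("api.complycheck.test",)),
    Arrangement("MarketFeed Ltd", lei_with_check("529900EXAMPLE00003"), "market data",
                True, "2028-03-31", ("GB",), ("HyperScale Cloud",), ("feed.marketfeed.test",)),
    Arrangement("PrintMail GmbH", "529900EXAMPLE000004", "statement printing",
                False, "", (), (), ("sftp.printmail.test",)),
]

PROXY_LOG = [  # constructed egress proxy lines: timestamp, client, method, target
    "2026-03-02T10:14:05Z 10.20.3.17 CONNECT api.complycheck.test:443",
    "2026-03-02T10:14:09Z 10.20.3.17 CONNECT feed.marketfeed.test:443",
    "2026-03-02T10:15:41Z 10.20.7.2 CONNECT api.llm-vendor.test:443",
    "2026-03-02T10:15:42Z 10.20.7.2 GET http://crl.example.test/ca.crl",
]

if __name__ == "__main__":
    for a in REGISTER:
        print(f"{a.vendor}: {register_defects(a) or 'ok'}")
    print("hidden concentrations:", hidden_concentrations(REGISTER))
    print("unregistered endpoints:", unregistered_endpoints(PROXY_LOG, REGISTER))
```

Run stand-alone, the script reports the malformed fourth row, collapses the three critical services onto HyperScale Cloud even though only one of them names it as a direct sub-contractor, and lists `api.llm-vendor.test` as traffic to a provider the register does not know. The LEI check is the same MOD 97-10 scheme used for IBANs, so a typo in a hand-typed identifier is caught before the register goes to the supervisor.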
How GermanAI Defense supports
We support financial institutions in building DORA-compliant third-party governance: vendor assessment per Articles 28 and 29, contract-clause templates per Article 30, ICT register design and maintenance, preparation for TLPT (Threat-Led Penetration Testing). Our own AI and cloud services run under German law, in sovereign infrastructure in Frankfurt, with ISO/IEC 27001:2022 as the foundation.
→ More on our GRC and compliance services: germanaidefense.com/grc