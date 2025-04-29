DORA establishes technical requirements for financial entities and ICT providers across four domains:

ICT risk management and governance

Incident response and reporting

Digital operational resilience testing

Third-party risk management

A fifth domain, information sharing among financial entities, is encouraged rather than mandatory, unlike the other four.

Financial entities in scope for DORA are expected to take an active role in managing ICT third-party risk. When outsourcing critical or important functions, financial entities are expected to negotiate specific contractual arrangements covering, among other things, exit strategies, audit rights, and performance targets for data accessibility, integrity and security. Entities may not contract with ICT providers that cannot meet these requirements. The ECB and national competent authorities are empowered to require financial entities to suspend or terminate contracts that do not comply. The European Commission is exploring the possibility of drafting standardized contractual clauses that entities and ICT providers can use to help ensure their agreements comply with DORA.

Financial entities also need to map their third-party ICT dependencies and are required to help ensure their critical and important functions are not unduly concentrated with a single provider or small group of providers.

Critical ICT third-party service providers will be subject to direct oversight from the relevant ESAs. The European Commission is still developing the criteria for determining which providers are critical. Each provider that meets those criteria will have one of the ESAs assigned as its lead overseer. In addition to enforcing DORA requirements on critical providers, lead overseers are empowered to forbid such providers from contracting with financial firms or other ICT providers that do not comply with DORA requirements.