DORA Third-Party ICT Risk: What Your Supplier Contracts Must Include

The Digital Operational Resilience Act devotes an entire pillar — Pillar 4 — to ICT third-party risk management. For Irish financial entities, this is one of the most operationally demanding aspects of DORA compliance, and one where the Central Bank of Ireland is paying close attention.

This guide explains what Pillar 4 requires, what must be in your supplier contracts under the DORA Regulatory Technical Standards, and how to build a practical third-party risk management programme.

Why DORA Focuses on Third-Party ICT Risk

Financial services firms are increasingly dependent on ICT third-party providers — cloud platforms, managed security services, data analytics providers, payment processors, and core banking software vendors. The concentration of the sector around a small number of critical providers (AWS, Microsoft Azure, Google Cloud) has created systemic risk that regulators cannot ignore.

DORA Article 28 requires financial entities to maintain a register of all ICT third-party arrangements, assess the risk of each, apply enhanced requirements to critical or important functions, and ensure their contracts contain specific provisions.

Classifying Your ICT Third-Party Arrangements

DORA requires financial entities to distinguish between:

Critical or important functions: ICT services supporting a function whose disruption would materially impair the financial entity's ability to operate, to meet its regulatory obligations, or to protect its clients. Typical examples are cloud providers hosting core systems, payment processing platforms and outsourced security monitoring services.

Other ICT arrangements: services that matter operationally but whose disruption would have limited impact, such as less critical SaaS tools and non-core data services.

Contracts supporting critical or important functions are subject to the full DORA contractual requirements. Other arrangements have lighter obligations but must still be documented in the third-party register.

What Must Be in Your Contracts: The DORA Requirements

DORA Article 30, read with the Regulatory Technical Standards on the policy for ICT services supporting critical or important functions (Commission Delegated Regulation (EU) 2024/1773), specifies the minimum contractual provisions. Article 30(2) applies to every ICT contract; Article 30(3) adds further provisions for arrangements supporting critical or important functions. The nine areas a contract must cover are:

1. Description of services: a clear description of all services and functions provided, including sub-outsourcing arrangements, that is, where the ICT provider uses its own third parties to deliver part of the service.

2. Locations of data processing: where data will be processed and stored, including any cross-border transfers and the countries involved. Changes to these locations should require advance notice, so the register stays accurate.

3. Data protection provisions: provisions ensuring the financial entity retains control of its data and can access, recover and return it on termination, and also if the provider becomes insolvent or enters resolution.

4. Availability, authenticity, integrity and confidentiality: contractual commitments on the security of data and systems, including encryption standards, access controls and security monitoring.

5. Service levels: defined availability, performance and capacity levels. For critical or important functions these must be measurable, quantitative targets with consequences for failure to meet them, not a best-efforts description.

6. Audit rights: for critical or important functions, DORA requires unrestricted rights of access, inspection and audit of the ICT provider. Third-party assurance reports (ISAE 3402, SOC 2 Type II, ISO 27001 certification) are useful evidence and can reduce how often you exercise those rights, but a contract that offers only such reports, with no right to audit directly, does not meet the requirement.

7. Incident notification obligations: the ICT provider must notify the financial entity promptly of any ICT incident that may affect the services provided. Set the contractual timeline so you can meet your own reporting deadlines under Article 19: an initial notification to the competent authority is due within 4 hours of classifying an incident as major, and no later than 24 hours after becoming aware of it. A supplier clause that allows 72 hours makes that deadline unachievable.

8. Termination and exit: the conditions under which the contract can be terminated, transition assistance obligations, a transition period long enough to migrate or bring the service in-house, and data return and deletion on exit.

9. Sub-outsourcing: whether sub-outsourcing is permitted, the conditions that apply, and notification requirements when material sub-outsourcing arrangements change, so that the chain of subcontractors supporting a critical function is visible in your register.

The ICT Third-Party Register

DORA Article 28(3) requires all financial entities to maintain a register of information on all contractual arrangements with ICT third-party service providers. This register must be available to competent authorities on request and must be updated when arrangements change.

At a minimum the register must record, for each arrangement: the name of the provider, the services provided, the function classification (critical or important, or other), data locations, contract start and end dates, and any sub-outsourcing arrangements. The Implementing Technical Standards on the register (Commission Implementing Regulation (EU) 2024/2956) prescribe fixed templates with a wider set of fields, including identifiers such as the LEI, and competent authorities collect the register in that format, so build it to the templates rather than to this summary.

What the Central Bank Expects

The CBI has integrated DORA into its supervisory framework and has been clear that regulated firms are expected to be compliant. CBI inspections have focused on whether firms have completed the contract review process and updated agreements with ICT providers to meet DORA Article 30 requirements.

Priority should be given to contracts with the ICT providers supporting your most critical functions. If these predate DORA's application date of 17 January 2025 and have not been reviewed since, they are likely non-compliant, because the Article 30(3) provisions were not a market standard before DORA.
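The classification, contract-provision checklist and prioritisation rule above can be expressed as a small check over the register. The following is an added example, not code from the page or from ShieldIQ: it models a few register rows (constructed sample data, not real suppliers), maps the nine contract areas onto a baseline set and an extra set for critical or important functions (a simplification of Article 30(2) versus 30(3), an assumption of this example, not a legal reading), and ranks arrangements by what a reviewer should look at first.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Contract areas from the Article 30 checklist above. Splitting them into a
# baseline set (every arrangement) and an extra set (critical or important
# functions only) is this example's simplification, not the Regulation's text.
BASELINE = {
    "description_of_services",
    "data_locations",
    "data_protection",
    "security_commitments",  # availability, authenticity, integrity, confidentiality
    "service_levels",
    "termination",
}
CRITICAL_EXTRA = {
    "measurable_sla_targets",
    "audit_rights",
    "incident_notification",
    "exit_and_transition",
    "sub_outsourcing",
}
DORA_APPLIES_FROM = date(2025, 1, 17)


@dataclass
class Arrangement:
    """One row of the Article 28(3) register (hypothetical subset of the ITS fields)."""
    provider: str
    services: str
    critical_or_important: bool
    data_locations: list[str]
    start: date
    end: date | None
    last_reviewed: date | None          # last DORA-focused contract review, None if never
    provisions: set[str]                # provisions actually present in the signed contract
    subcontractors: list[str] = field(default_factory=list)


def required_provisions(a: Arrangement) -> set[str]:
    return BASELINE | (CRITICAL_EXTRA if a.critical_or_important else set())


def missing_provisions(a: Arrangement) -> list[str]:
    """Required provisions the contract does not contain, sorted for stable output."""
    return sorted(required_provisions(a) - a.provisions)


def review_overdue(a: Arrangement) -> bool:
    """Pre-DORA contract that has not been reviewed since the application date."""
    return a.start < DORA_APPLIES_FROM and (
        a.last_reviewed is None or a.last_reviewed < DORA_APPLIES_FROM
    )


def assess(register: list[Arrangement]) -> list[dict]:
    """One finding per arrangement, most urgent first: critical functions,
    then overdue reviews, then the number of missing provisions."""
    findings = []
    for a in register:
        findings.append({
            "provider": a.provider,
            "critical_or_important": a.critical_or_important,
            "missing_provisions": missing_provisions(a),
            "review_overdue": review_overdue(a),
            # Subcontractors known to exist but no sub-outsourcing clause in the contract
            "undocumented_subcontracting": bool(a.subcontractors)
            and "sub_outsourcing" not in a.provisions,
        })
    findings.sort(key=lambda f: (
        not f["critical_or_important"],
        not f["review_overdue"],
        -len(f["missing_provisions"]),
    ))
    return findings


# Constructed sample register; provider names and dates are invented.
SAMPLE_REGISTER = [
    Arrangement("CloudCo", "core banking hosting", True, ["IE", "DE"],
                date(2022, 6, 1), None, None,
                {"description_of_services", "data_locations", "data_protection",
                 "security_commitments", "service_levels", "termination"},
                subcontractors=["DC-Ops Ltd"]),
    Arrangement("SOC-MSSP", "security monitoring", True, ["IE"],
                date(2025, 3, 1), date(2028, 3, 1), date(2025, 3, 1),
                BASELINE | CRITICAL_EXTRA),
    Arrangement("SurveyTool", "customer surveys", False, ["US"],
                date(2021, 1, 15), None, None,
                {"description_of_services", "data_locations", "data_protection",
                 "service_levels", "termination"}),
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_REGISTER):
        print(finding)
```

On the sample data the hosting provider comes out first: it supports a critical function, its 2022 contract has never been reviewed, it lacks all five of the extra provisions, and it uses a subcontractor without any sub-outsourcing clause. The same structure extends naturally to a register exported from the ITS templates, with the provision set populated from your contract review checklist.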

How ShieldIQ Supports DORA Pillar 4

ShieldIQ's DORA compliance module covers all five pillars including Pillar 4 third-party risk. The vendor risk module allows you to maintain your ICT third-party register, send security questionnaires aligned to DORA requirements, track contract compliance, and link third-party risks to your broader DORA posture.

Run a free DORA assessment to see your third-party risk management posture →