DORA’s fourth pillar — ICT third-party risk (Art. 28–44) — is where most financial entities feel the regulation in practice, because almost everyone outsources something. Two obligations dominate the day-to-day: maintaining a Register of Information on every ICT contract, and putting the right contractual clauses in place. This guide breaks both down. For how DORA relates to NIS2, see DORA vs NIS2.
## TL;DR
- Outsourcing never transfers responsibility — you stay fully accountable (Art. 28(1)(a)).
- Keep a Register of Information on all ICT contracts (Art. 28(3)).
- Contracts need minimum clauses for every service (Art. 30(2)) and extra clauses for critical or important functions (Art. 30(3)).
- “Critical or important function” is a defined term (Art. 3(22)) — it is the trigger for the heavy regime.
- Reporting timelines are set at EU/national level — first national submissions to the ESAs were due by 30 April 2025.
## The principle: you remain accountable (Art. 28)
DORA’s starting point is blunt: an entity that uses ICT third parties “remains fully responsible” for compliance at all times (Art. 28(1)(a)). Proportionality applies (Art. 28(1)(b)), but the duties are real: adopt a third-party risk strategy including a policy on ICT services supporting critical or important functions (Art. 28(2)); run a pre-contractual assessment — criticality, due diligence, concentration risk, conflicts of interest (Art. 28(4)); contract only with providers meeting appropriate information-security standards (Art. 28(5)); secure audit and termination rights (Art. 28(6)–(7)); and maintain documented, tested exit strategies for critical-or-important services (Art. 28(8)).
## The Register of Information (Art. 28(3))
You must maintain and keep updated — at entity, sub-consolidated and consolidated levels — a register of all contractual arrangements for ICT services from third-party providers. Key features:
- Distinguish contracts that support critical or important functions from those that do not.
- Report annually to your competent authority on new arrangements, provider categories, contract types, and the services/functions involved.
- Provide it on request — the full register or requested sections — to the authority.
- Inform the authority in advance of planned arrangements that support a critical or important function, or when a function becomes one.
The European Supervisory Authorities issued standardised templates (Implementing Technical Standards) for the register, so the format is harmonised across the EU. Practically, the register is also the single hardest data-collection exercise in DORA: it forces an accurate, structured inventory of every ICT dependency — which is exactly why starting early matters.
## Contractual clauses: Art. 30(2) vs Art. 30(3)
DORA distinguishes two tiers of mandatory contract content. Getting this distinction right is essential — applying the heavy list to every contract over-burdens you, while applying only the light list to a critical service leaves you non-compliant.
| Art. 30(2) — every ICT contract | Art. 30(3) — critical/important functions (in addition) |
|---|---|
| Clear description of services; subcontracting conditions | Full SLAs with precise quantitative & qualitative targets |
| Data processing/storage locations; notice of change | Provider notice of any development materially impacting the service |
| Availability, integrity, confidentiality of data | Duty to implement & test business-continuity plans |
| Access, recovery and return of data on exit/insolvency | Full participation in the entity’s threat-led penetration testing (TLPT) |
| Service-level descriptions; incident assistance | Unrestricted access, inspection and audit rights (entity, third party, authority) |
| Cooperation with authorities; termination & notice rights | Exit strategy with an adequate mandatory transition period |
For micro-enterprises, some audit rights under Art. 30(3) may be delegated to an independent third party. DORA also encourages use of standard contractual clauses developed by public authorities (Art. 30(4)).
## “Critical or important function” is the trigger (Art. 3(22))
This is a defined legal term, not a loose synonym for “important”: a function whose disruption would materially impair the entity’s financial performance, or the soundness/continuity of its services, or its continued compliance with authorisation conditions. The classification is the hinge of the whole pillar — it switches on Art. 30(3) clauses, the exit-strategy duty (Art. 28(8)), advance notification, and heightened concentration-risk assessment (Art. 29). Classify your functions deliberately and document the reasoning.
## Critical third-party providers (Art. 31+)
Separately, the ESAs designate certain ICT providers as critical third-party providers (CTPPs) at EU level, placing them under direct oversight by a Lead Overseer (EBA, ESMA or EIOPA). Note: you do not designate your supplier as critical — that is an EU-level determination based on systemic impact and substitutability. Your job is to manage concentration risk; the CTPP designation is external.
## Deadlines — read the fine print
DORA itself (Art. 64) made the regulation applicable from 17 January 2025, but the register’s submission dates come from EU/national decisions, not the regulation’s text. Under a joint ESA decision of 8 November 2024, national competent authorities had to submit collected registers to the ESAs by 30 April 2025, with a reference date of 31 March 2025; national authorities set their own upstream collection deadlines. Treat the “30 April 2025” figure as an operational, authority-level date — the deadline imposed on your entity is set by your national authority. For Belgium, confirm the current timetable with the NBB/FSMA.
## A pragmatic starting plan
- Inventory every ICT contract — this is the register’s backbone and the longest task.
- Classify functions as critical/important or not, with documented reasoning (Art. 3(22)).
- Gap-check contracts against Art. 30(2) and, where relevant, Art. 30(3); plan renegotiations.
- Write exit strategies for critical-or-important services and test them.
- Populate the ESA template and align with your authority’s reporting timetable.
General information based on Regulation (EU) 2022/2554, not legal advice; level-2 standards and reporting dates evolve — verify specifics with the NBB/FSMA. ICTLAB helps Belgian financial entities build the register, classify functions and remediate contracts — see our cybersecurity services or talk to our team.