Third-Party Risk Management
The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.
Third-party risk management has become one of the most critical aspects of compliance for financial institutions. DORA dedicates an entire pillar (Articles 28-44) to managing ICT third-party risk, reflecting the financial sector's increasing dependence on external technology providers including cloud services, SaaS platforms, and managed security services.
Key requirements include maintaining a comprehensive register of all ICT third-party service providers, conducting pre-contractual risk assessments, ensuring contracts contain the mandatory provisions (data location, audit rights, exit strategies), monitoring provider performance and risk levels on an ongoing basis, and developing exit strategies for critical providers.
DORA also introduces a novel oversight framework for critical ICT third-party service providers (CTPPs). The European Supervisory Authorities can designate certain providers as critical and subject them to direct oversight, including the power to conduct inspections and impose penalties. This represents a significant expansion of regulatory reach into the technology supply chain.
Related Terms
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.
Supply Chain Security
The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.
Vendor Risk Assessment
A structured evaluation of the security posture and compliance status of third-party vendors before and during a business relationship. DORA Article 28 mandates specific due diligence requirements for ICT service providers used by financial entities.
ICT Risk Management
The process of identifying, assessing, and mitigating risks associated with information and communication technology systems. Under DORA, financial entities must maintain a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery.
Related Articles
What Happens If Your Financial Institution Fails a DORA Audit?
In the rapidly evolving European financial services landscape, the Digital Operational Resilience Act (DORA) is a game-changer, heralding a new era of stringent regulatory oversight
DORA Incident Reporting Timeline: The 4-Hour, 24-Hour, and 1-Month Rules
The DORA framework, aimed at bolstering the digital operational resilience of financial institutions within the European Union, stipulates specific timelines for incident reporting
The DORA Register of Information: How to Build and Maintain It
In the compliance world, a common misconception prevails: exhaustive documentation is the key to meeting regulatory demands
DORA vs ISO 27001: Which Framework Does Your Financial Institution Need?
Step 1: Open your ICT provider register. If you don't have one, that's your first problem