← All guides
DORA10 min read14 July 2026

DORA Art. 28 ICT Third-Party Register: What Financial Entities Must Build (And What NCAs Are Checking)

DORA Article 28 requires all financial entities to maintain a comprehensive ICT third-party provider register and submit it to their NCA. This guide covers the mandatory fields, criticality assessment methodology, Art. 30 contractual provisions, and what's being flagged in NCA examinations.

DORA and ICT third-party risk: the core obligation

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies to the full range of EU financial entities — banks, payment institutions, investment firms, insurance undertakings, UCITS managers, AIFMs, CCPs, trading venues, and more. DORA entered application on 17 January 2025.

Article 28 creates a comprehensive ICT third-party risk management obligation, including the requirement to maintain a register of information on all contractual arrangements with ICT third-party service providers (ICT TPSPs). This register must be submitted to the entity's National Competent Authority (NCA) annually.

This isn't a lightweight vendor list. The register is a structured, machine-readable dataset with specific mandatory fields defined by the joint ESA Regulatory Technical Standard (RTS) on register of information.

What the register must contain

The DORA RTS on register of information specifies the required fields for each ICT third-party arrangement. Key fields include:

  • Provider identification: legal name, LEI (Legal Entity Identifier), registered country, parent entity (if applicable)
  • ICT service description: type of ICT service, business function supported, criticality designation
  • Data and processing: data stored/processed (categories), data locations (country, data centre, cloud region), sub-contractor details
  • Contractual details: contract start date, end date / notice period, renewal schedule, governing law and jurisdiction
  • Sub-contractors: identification of all sub-contractors providing material ICT services in the chain (Art. 28(2) obligation)
  • Criticality status: whether the ICT TPSP is designated critical for the entity

The register must cover all ICT services — not just cloud, not just outsourcing. Legacy on-premise providers, network connectivity suppliers, data feed providers, and software vendors are all in scope if they provide ICT services that support business functions.

Scope trap: intra-group arrangements

One of the most common DORA register gaps in NCA examinations: intra-group ICT service arrangements. Article 28(1) is explicit — the register obligation applies to all ICT third-party arrangements, including where the ICT service provider is in the same group. Intra-group ICT providers must appear in the register. If your group has a shared IT services entity providing infrastructure to regulated entities, it needs to be registered and assessed for criticality.

Criticality assessment — Art. 28(4) criteria

DORA Art. 28(4) requires entities to assess and designate which ICT TPSPs are critical. The assessment must consider:

  • Substitutability: how quickly can the service be replaced? Is there a viable alternative? What is the exit complexity?
  • Systemic importance: does the ICT service support a critical or important function? What is the operational impact of failure?
  • Concentration risk: is the entity (or the sector) overly dependent on this provider? Does multiple reliance on the same provider or provider group create systemic risk?
  • Cross-border dependencies: does the service involve cross-border data flows that complicate substitution?

Critical ICT TPSP designations must be documented with assessment rationale and made available to the NCA. The list of critical ICT TPSPs must be included in the register of information submission.

DORA Art. 30 — mandatory contractual provisions

For arrangements with critical ICT TPSPs, DORA Art. 30(2) mandates 11 specific contractual provisions. These must be included in or appended to the written contractual arrangement. Missing provisions are a direct DORA violation:

  1. (a) Service description and quality SLAs — clear description of ICT services, minimum performance levels
  2. (b) Data locations — where data is stored and processed, right to object to changes
  3. (c) Applicable law and jurisdiction — governing law must be specified
  4. (d) Performance monitoring — provisions enabling the entity to monitor ongoing performance
  5. (e) Audit and inspection rights — entity and its NCA must have explicit right to audit/inspect
  6. (f) Incident reporting — ICT TPSP must notify the entity of incidents affecting ICT service delivery
  7. (g) Business continuity obligations — BCPs/DRPs with specified RTO/RPO targets
  8. (h) Data portability and interoperability — supports exit and migration to alternative provider
  9. (i) Sub-contractor change notification — entity must be notified of material sub-contractor changes
  10. (j) Termination rights for DORA non-compliance — entity must be able to terminate if ICT TPSP breaches DORA obligations
  11. (k) Exit assistance and transition period — ICT TPSP must cooperate during exit, providing adequate transition support

For non-critical ICT TPSPs, Art. 30(4) provides simplified obligations — but basic service description, applicable law, and termination rights are still required.

Legacy contract remediation

Many financial entities entered DORA application date (January 2025) with legacy contracts that lacked the Art. 30 mandatory provisions. DORA does not grandfather existing contracts, but NCAs have generally taken a proportionate approach to remediation timelines for legacy arrangements — provided entities have a documented remediation plan and are making progress.

The recommended approach: categorise all existing contracts by criticality, prioritise Art. 30 gap remediation for critical ICT TPSP agreements first, and set a clear timeline for non-critical contract updates. Document the plan and make it available to your NCA.

Concentration risk — Art. 29

Article 29 requires entities to identify and manage ICT concentration risk — both at entity level and sector level. The Joint Committee of ESAs (EBA, ESMA, EIOPA) has focused significant attention on cloud service provider (CSP) concentration. The top three hyperscalers (AWS, Microsoft Azure, Google Cloud) collectively provide ICT services to the majority of EU financial entities. This systemic dependency is on regulators' radar.

Practical steps: quantify your dependency on each ICT TPSP as a percentage of critical/important function coverage. Identify scenarios where loss of a single provider would impair multiple critical functions. Document your multi-vendor and exit strategy — even if you cannot realistically move away from a hyperscaler in the short term, the strategy and exit plan must exist.

CTPP oversight framework — Art. 31–44

Where an ICT TPSP has been designated a Critical ICT Third-Party Provider (CTPP) by the Joint Committee of ESAs, that provider enters a formal EU oversight programme led by a Lead Overseer (EBA, ESMA, or EIOPA depending on the CTPP's primary service sector). Financial entities are not directly supervised under this regime — it's the CTPP that faces oversight — but entities should:

  • Track which of their ICT TPSPs have been designated CTPPs under Art. 31
  • Respond to Lead Overseer information requests routed through the entity
  • Monitor and implement any recommendations arising from CTPP oversight that affect contractual terms

What NCAs are checking

Based on early DORA examination activity, common register findings include:

  • Incomplete registers — key ICT providers missing, particularly software-as-a-service tools and network providers
  • Missing intra-group entries — entities treating group IT services as out of scope
  • No criticality assessment rationale — designating providers as non-critical without documented methodology
  • Missing Art. 30 provisions in critical contracts — particularly audit rights and exit assistance
  • Sub-contractor chain not mapped — Art. 28(2) sub-contractor identification not completed
  • NCA submission format non-compliant — not matching the machine-readable RTS template

Build your DORA ICT register assessment

ComplyKit's free DORA ICT Third-Party Register assessment tool covers all 42 register compliance items across 6 categories: register structure and mandatory fields, criticality assessment and CTPP designation, Art. 30 contractual provisions, ongoing monitoring and due diligence, ICT resilience integration, and governance and NCA reporting. The generated report includes Art. 30 provision-by-provision analysis, a remediation roadmap, and NCA submission readiness guidance.