Glossary term
DORA ICT risk management
Also: Digital Operational Resilience Act, DORA Art. 28, ICT third-party risk
The EU Digital Operational Resilience Act regulates the operational resilience of financial entities against ICT risks, with particularly prescriptive expectations around ICT third-party risk management (Art. 28) and contractual arrangements (Art. 30).
DORA applies to a wide range of financial entities in the EU and imposes a structured framework covering governance, risk management, incident reporting, operational resilience testing, third-party risk and information sharing. Unlike NIS2, DORA is highly prescriptive on the mechanics.
Art. 28 requires a structured ICT third-party register, classification of criticality, explicit risk assessments and exit strategies. Art. 29 covers concentration risk. Art. 30 defines the minimum contractual provisions that every ICT contract of record must include.
In practice, selecting an ICT provider under DORA means keeping an auditable decision memo for each critical vendor, one that can be produced on demand during supervisory review. Decision Readiness Score and structured vendor comparison were designed with exactly this evidence expectation in mind.
Related terms
NIS2 Art. 20
The NIS2 article that makes the management body of an essential or important entity directly account…
Decision memo
A short structured document that captures why a decision was made, the options considered, the crite…
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
