DORApp Blog
DORA Fundamentals

DORA Vendor Management for Third-Party Providers (2026 Guide)

M
ByMatevž Rostaher

Three weeks before a supervisory meeting, your procurement lead sends you the “vendor list.” It is a spreadsheet with 60 suppliers, no clear service taxonomy, and no mapping to critical business functions. Your IT risk team has a different list pulled from IAM and AP systems. Legal has contract folders, but not a single view of which agreements include DORA-ready audit rights. This is the operational reality behind dora vendor management in many EU-regulated financial entities.

DORA, the Digital Operational Resilience Act, has applied since January 2025. It expects you to manage ICT third-party risk as a controlled lifecycle: pre-contract due diligence, contractual safeguards, ongoing monitoring, incident handling, and exit planning. The focus is not only on “big cloud providers.” It is also on managed services, software vendors, data feeds, and any provider supporting ICT services that underpin your regulated activities.

This guide connects the DORA requirements in Articles 28 to 44 to practical provider management controls you can evidence to auditors and your National Competent Authority. If you need a refresher on scope and structure, start with what is dora.

Table of Contents

  • What DORA requires for third-party provider management
  • Build an ICT provider inventory you can defend
  • Risk-classify providers and map them to critical functions
  • Register of Information: what to capture and how to keep it auditable
  • Pre-contract due diligence: what a DORA-aligned vendor questionnaire should cover
  • Contract controls you need before you sign and when you renew
  • Monitoring and oversight: what regulators expect to see
  • Concentration risk, sub-outsourcing, and exit planning
  • How to evidence DORA vendor management in an audit
  • Where Dorapp fits in a DORA third-party risk operating model
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion
  • Regulatory Disclaimer

    • What DORA requires for third-party provider management

    Now, when it comes to ICT third-party risk, DORA is explicit that you remain accountable for the resilience of outsourced ICT services. DORA Article 28 establishes the principle that outsourcing does not transfer responsibility. DORA Articles 29 to 44 then build a full framework covering governance, pre-contract analysis, contractual content, oversight, and an EU-level oversight regime for critical ICT third-party service providers.

    Think of it this way: regulators are not asking whether you have “vendors.” They are asking whether you can continuously identify which ICT third-party services could disrupt your operations, verify the contractual rights needed to control those risks, and demonstrate that you monitor performance and resilience in practice.

    If your organization still treats third-party risk as a procurement checklist, it is worth re-reading how DORA positions the topic in the broader regulation. The article dora regulation explained is a useful reference point when you need to align stakeholders on why DORA’s expectations go beyond standard outsourcing policy.

    For a more focused view of the third-party pillar, see dora third party risk.

    Build an ICT provider inventory you can defend

    What many compliance teams overlook is that you cannot implement DORA vendor management without first agreeing what “provider” means in your institution. DORA focuses on ICT third-party service providers and ICT services that support business functions. Your inventory has to reflect that framing, not just a list of legal entities paid through accounts payable.

    In practice, this means your provider inventory typically needs to unify at least four data sources: procurement and contracts, CMDB or service catalog, security tooling (SSO, EDR, CASB), and business ownership. If these sources disagree, your “register” will not survive scrutiny.

    Define the unit of management: legal entity, service, or both

    Regulatory evidence works better when you manage both the provider and the services delivered. A single provider may deliver multiple services with very different risk profiles, for example, an HR SaaS tool and a privileged access managed service. DORA vendor management becomes operationally usable when you can assign risk, controls, and monitoring at the service level, then roll up to provider-level concentration and dependency views.

    Establish a consistent ICT service taxonomy

    Consider this: two teams can describe the same arrangement differently, “cloud hosting,” “managed platform,” “outsourced IT,” or “SaaS.” A stable taxonomy enables consistent contractual clauses, monitoring requirements, and incident triggers. It also helps you interpret whether a supplier is acting as a dora ict service provider for the purposes of your internal governance and your register of information.

    Risk-classify providers and map them to critical functions

    The reality is that DORA expects proportionality, but it also expects you to prove you applied it. That usually means you need a repeatable classification method for ICT third-party services, linked to your critical or important functions and your ICT risk management framework.

    DORA vendor management typically becomes defensible when you can answer these questions quickly, with evidence: Which providers support critical functions? Which services have privileged access? Which arrangements would cause a material operational disruption if they failed for 24 hours? Which services process regulated data sets or personal data?

    A practical classification model often combines:

  • Business criticality: linkage to critical functions, client impact, and recovery time objectives.
  • Information security impact: confidentiality, integrity, availability, and whether the provider has privileged access.
  • Operational substitutability: feasibility of exit and portability, including data and configuration portability.
  • Provider-specific factors: financial stability, geographic dependencies, and sub-outsourcing complexity.

    • From an operational standpoint, the strongest implementations embed this classification into onboarding and renewal workflows, not as a one-off assessment. It is also where third-party risk intersects with incident response. If a provider supports a critical function, you likely need tighter triggers and faster internal escalation to meet major incident timelines under DORA. If you want to align this linkage, see incident report.

    Register of Information: what to capture and how to keep it auditable

    Here’s the thing: many institutions assume the “vendor register” is just an internal hygiene item. Under DORA, the Register of Information becomes a formal supervisory artifact. DORA requires financial entities to maintain a Register of Information on ICT third-party arrangements, and the detailed format and templates are specified through joint Implementing Technical Standards developed by the European Supervisory Authorities, through the Joint Committee of the EBA, ESMA, and EIOPA.

    From a practical standpoint, this is where dora vendor management stops being an internal operating model and becomes a structured data obligation. Supervisors typically care about whether the register is complete, consistent, and current, not only whether it exists.

    What you typically need to capture in the Register of Information

    The exact fields you must populate depend on the applicable ITS and your competent authority’s implementation, but the register usually needs to be able to answer, at minimum, the following questions with traceable data:

  • Which ICT services you receive, and which ICT third-party service provider delivers each service.
  • Which internal business owner is accountable for the service, including the link to the business function supported.
  • Whether the arrangement supports a critical or important function, and the criteria used to classify it.
  • Where the service is provided from, including relevant locations for data processing or storage where applicable.
  • Whether sub-outsourcing is involved, and whether material sub-contractors introduce additional dependencies.
  • Key contractual attributes that affect oversight, auditability, and exit, especially where the service supports a critical or important function.

    • Why “keeping it up to date” is a control, not admin work

    What the regulation actually requires is that your third-party understanding stays aligned to operational reality. The register is typically where gaps surface first: shadow IT services, unmanaged renewals, provider legal entity changes, and sub-outsourcing drift. If you only refresh the register annually, you can end up reporting a dependency picture that is materially outdated.

    In most institutions, the most defensible pattern is to treat the Register of Information as a by-product of operational workflows. New ICT services create new register entries. Renewals trigger updates to service scope, locations, and sub-outsourcing disclosures. Monitoring produces dated evidence points linked back to the service record. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance.

    Pre-contract due diligence: what a DORA-aligned vendor questionnaire should cover

    Competitor content around “DORA questionnaires” tends to focus on a single document. The reality is that DORA expects you to perform a pre-contract assessment that is proportionate, evidence-based, and tied to your ICT Risk Management Framework. Under DORA Article 28 and DORA Article 29, you typically need to show that you assessed risks before entering or materially changing ICT third-party arrangements, especially where services support critical or important functions.

    Think of it this way: a questionnaire is only useful if it produces decisions and contractual requirements. If it becomes a file attachment with no impact on contracting, onboarding, monitoring, or exit planning, it will not support your DORA narrative in an audit.

    Core domains to cover in a DORA-aligned due diligence pack

    Exact content will vary by service type and criticality, but many financial entities structure pre-contract due diligence around domains that map cleanly into DORA operational obligations:

  • Service scope and dependency mapping: what exactly is being provided, what systems integrate with it, and what the failure modes look like for your institution.
  • Security and resilience controls: baseline control expectations, vulnerability management practices, and how the provider supports your testing and assurance activities.
  • Incident handling and communications: notification lead times, content of incident communications, and how you will obtain the information needed for major ICT-related incident classification and reporting.
  • Operational continuity: backup and recovery design, support response expectations, and how continuity measures are tested and evidenced.
  • Data and location transparency: where data is processed and stored, which locations are used for service delivery, and how changes are communicated.
  • Sub-outsourcing and supply chain: material sub-contractors, the provider’s approval process for sub-outsourcing, and how you obtain updated dependency information.
  • Exit feasibility: portability assumptions, migration support, and practical constraints, including time to exit and cost drivers where relevant.

    • Make procurement steps auditable and repeatable

    People also ask about “steps in vendor management” and “DORA in procurement” for a reason. In mature implementations, procurement is not only a sourcing function. It is the gatekeeper for required evidence and the trigger for creating or updating records in the Register of Information. That usually means you define decision points, such as when a service is classified as supporting a critical or important function, and when legal clause requirements are mandatory versus risk-accepted.

    If you are formalizing your procurement flow, the goal is not to create a heavyweight front door for every ICT service. The goal is a tiered approach: minimum due diligence for low-impact ICT services, and deeper validation and contracting controls for high-impact services. This content is for informational purposes only and does not constitute legal advice. Financial institutions should seek qualified regulatory counsel for institution-specific DORA compliance guidance.

    Contract controls you need before you sign and when you renew

    Here’s the thing: many institutions already have “outsourcing clauses,” but DORA raises the required precision. DORA Article 30 sets out minimum contractual elements for ICT services supporting critical or important functions. Supervisors tend to ask for consistent evidence that these clauses exist and that deviations are risk-accepted with a clear rationale.

    You should expect to operationalize contract controls across three moments: new procurement, renewals, and remediation of legacy contracts. In many organizations, the heavy lift is legacy remediation because the business may resist renegotiation, especially with market-dominant providers.

    Contractual provisions that commonly drive remediation work

    While your legal team will draft the exact language, the operational requirements you typically need to evidence include:

  • Clear description of services, service locations, and data processing and storage arrangements.
  • Security requirements, including ICT security measures and support for testing and assurance activities.
  • Access, audit, and information rights for you and, where applicable, regulators and auditors.
  • Incident notification obligations aligned to your DORA reporting timelines and escalation needs.
  • Rules for sub-outsourcing, including transparency and control over material sub-contractors.
  • Termination rights and exit assistance, including support for portability and business continuity.

    • Align contract obligations with your operating controls

    Contract clauses only help if you can execute them. For example, audit rights should align with an annual assurance plan, and incident notification terms should map to your internal incident triage and classification process. If you are still centralizing DORA policy and training, the broader context in digital operational resilience act dora can help you align legal, risk, and IT leadership on the end-to-end operating model.

    Monitoring and oversight: what regulators expect to see

    DORA vendor management is not a “file and forget” exercise. DORA Article 28 and DORA Article 31 emphasize ongoing monitoring of ICT third-party risk. Supervisors often focus on whether your oversight is continuous, risk-based, and connected to real operational signals.

    Consider this scenario: an investment firm outsources portfolio management systems to a SaaS provider. The provider meets uptime targets, but releases a major platform update without sufficient notice, breaking an API integration. The outage lasts two hours, but it prevents trading and client reporting. If your monitoring only tracks monthly uptime, you miss the operational risk. If you monitor change notifications, integration health, and incident communications, you can manage the risk in a DORA-aligned way.

    In practice, ongoing oversight often includes:

  • Service performance and availability monitoring against business-aligned thresholds.
  • Security assurance evidence such as SOC reports, ISO 27001 certificates, or targeted control attestations, assessed for relevance and scope.
  • Change management expectations, including notice periods for material changes and testing in pre-production where feasible.
  • Regular risk reviews and documented follow-up on issues, exceptions, and remediation actions.

    • Supervisors may also ask how you coordinate oversight between procurement, IT, security, and business owners. The practical expectation is clear roles, documented decisions, and a traceable control loop from identified risk to implemented mitigation.

    Concentration risk, sub-outsourcing, and exit planning

    What many compliance teams overlook is that DORA forces you to address systemic dependency risk, not only the risk within a single contract. DORA Article 29 and the broader third-party framework bring concentration risk and exit planning into scope, particularly where services support critical or important functions.

    Concentration risk is not limited to “one provider.” It can be hidden, for example, when multiple SaaS tools rely on the same hyperscaler region, or when several managed service providers depend on the same sub-contractor for 24/7 SOC services. You need enough visibility into fourth parties to identify these patterns.

    Exit planning is where theory meets execution. A DORA-aligned exit plan should cover data portability, configuration portability, continuity arrangements during migration, and the minimum notice periods you need to avoid operational disruption. For high-impact services, you may also need to test parts of the exit plan, such as restoring from provider-managed backups to your own controlled environment.

    If you are still aligning teams on what constitutes an ICT provider in DORA terms, revisit dora ict service provider and use it as a baseline definition for sub-outsourcing and dependency mapping discussions.

    How to evidence DORA vendor management in an audit

    Auditors and supervisors rarely accept “we have a process” without traceable artifacts. You should plan your evidence as a package that demonstrates control design and control operation. This also reduces internal friction because teams know in advance what must be produced.

    A practical evidence set for dora vendor management often includes:

  • A complete inventory of ICT third-party services with business owners, service descriptions, and criticality ratings.
  • Risk assessments for in-scope providers, with documented approvals and review cycles.
  • Contractual clause mapping for critical or important functions, including exceptions and remediation plans.
  • Ongoing monitoring records, for example quarterly service reviews, KPI reports, and security assurance reviews.
  • Concentration risk analysis, including dependencies on common infrastructure, regions, or sub-contractors.
  • Exit plans for the highest-impact services, including tested elements where feasible.

    • If you are aligning your documentation to the wider DORA narrative for internal governance, it can help to link third-party evidence back to your DORA program materials. Many teams use dora regulation explained as a common reference across compliance, risk, and IT to keep terminology consistent.

    Where Dorapp fits in a DORA third-party risk operating model

    Most institutions do not struggle because they lack intent. They struggle because evidence fragments across tools, and third-party decisions happen in emails and meetings that do not produce audit-ready records. That is where a dedicated DORA compliance platform can support operational discipline.

    Dorapp provides a set of DORA-focused modules and functions published at DORApp Modules and DORApp Functions. In practice, teams typically use purpose-built workflows to maintain an up-to-date third-party register, track review cycles, and centralize evidence for contracts, risk assessments, and monitoring activities. This is often easier to govern than repurposing a generic GRC tool, especially when you need DORA-specific structure and reporting.

    If you are evaluating operating models, a focused demonstration can help you see how a DORA-specific workflow behaves with your real vendor portfolio. You can Book a Demo to walk through third-party controls aligned to DORA Articles 28 to 44, and discuss how you might integrate procurement, IT, and compliance responsibilities without losing traceability.

    Frequently Asked Questions

    Does DORA vendor management apply to all vendors or only ICT providers?

    DORA’s third-party framework targets ICT third-party service providers and ICT services that support your regulated activities. In practice, you start by scoping which suppliers deliver ICT services, including cloud, managed services, software, data feeds, and outsourced IT operations. Non-ICT suppliers may still matter for operational resilience, but they are not the core subject of DORA Articles 28 to 44. The challenge is classification, because many “business” vendors still process data or provide technical platforms. Your inventory and taxonomy should make that distinction auditable.

    What is the most common gap you see in third-party registers under DORA?

    The most common gap is treating the register as a procurement list rather than a service dependency map. Supervisors and auditors typically expect you to show which ICT services each provider delivers, who owns the service internally, where data is stored and processed, and whether the service supports critical or important functions. A second common gap is inconsistent naming and duplicates across systems. If your IT and procurement lists disagree, it becomes difficult to defend completeness and to perform concentration analysis.

    How do we decide which third-party services are “critical or important functions” under DORA?

    DORA uses the concept of critical or important functions to drive stronger controls, especially under DORA Article 30 contractual requirements. Most institutions map providers to critical functions using their existing operational resilience, business continuity, and enterprise risk frameworks, then validate the mapping with business owners. You typically consider client impact, regulatory impact, financial impact, and recovery objectives. The key is repeatability and documentation. You need to show the criteria, the decision, and periodic review, not just an outcome label.

    Which contract clauses create the most friction with major cloud and SaaS providers?

    Audit and access rights, sub-outsourcing transparency, and incident notification timelines frequently create negotiation friction, particularly where providers offer standardized terms. DORA Article 30 raises expectations for contractual clarity, especially for services supporting critical or important functions. Many financial entities handle this with a structured deviation process: identify clause gaps, assess the risk, define compensating controls, and document approvals. Your National Competent Authority may scrutinize how you managed these deviations, especially if the service is high impact.

    Do we need to monitor fourth parties under DORA?

    DORA does not use the term “fourth party” as a primary compliance concept, but it does require you to manage risks arising from sub-outsourcing and ICT supply chains. In practice, that means you need enough visibility into material sub-contractors to identify concentration risk and to enforce contractual and operational controls. For high-impact services, many institutions request sub-contractor lists, material change notifications, and location information. The depth of monitoring is typically risk-based and may vary by service criticality.

    How does DORA vendor management connect to major ICT-related incident reporting?

    Provider incidents often become your incidents, especially if the service supports a critical function or affects client services. If your contracts do not require timely notification and sufficient detail, you may struggle to classify and report within DORA’s required timelines for major ICT-related incidents. Your internal incident procedures should include triggers for provider-originated disruptions, clear escalation routes, and agreed data sharing. If you are refining this linkage, the workflow described in incident report can help structure your internal decision points.

    What should we prepare for the EU oversight framework for critical ICT third-party providers?

    DORA establishes an oversight framework where certain ICT third-party service providers may be designated as critical and overseen at EU level. As a financial entity, your practical task is to understand your dependency footprint and ensure your own governance and contracts support resilience, monitoring, and exit. Even where oversight applies to the provider, supervisors may still test your institution’s ability to manage the relationship. This includes evidence of risk assessment, service monitoring, and concentration risk evaluation across your portfolio.

    How can we operationalize DORA vendor management without overwhelming procurement and the business?

    The sustainable approach is to embed risk-based controls into existing procurement and vendor management touchpoints, then automate evidence capture where possible. Start with a minimum data set for all ICT providers, then apply deeper due diligence and contractual rigor only where services support critical functions or carry high security impact. Align terminology and training across compliance, procurement, IT, and legal. Many teams also maintain a central DORA view of third-party services, which reduces rework during audits and renewals and helps keep ownership clear.

    Is a generic GRC tool sufficient for DORA third-party risk management?

    A generic GRC tool can work if you configure it carefully, maintain a consistent service taxonomy, and enforce structured evidence collection. The trade-off is usually effort and governance overhead, because DORA has specific data and reporting expectations around ICT services, criticality, and contractual elements. Some institutions prefer a dedicated platform designed around DORA’s structure, especially when implementing the full lifecycle across DORA Articles 28 to 44. You can compare the underlying regulatory framing in dora third party risk before deciding on tooling.

    What is the DORA questionnaire for vendors?

    In most institutions, “DORA questionnaire” refers to the evidence set used in pre-contract due diligence for ICT third-party services. DORA does not mandate a single standard questionnaire format, but it expects you to perform risk-based pre-contract assessment and to ensure contractual safeguards and ongoing oversight are aligned to the risks of the arrangement, especially for services supporting critical or important functions under DORA Articles 28 to 30. A defensible approach is to structure questions around DORA-relevant domains, such as incident communications, sub-outsourcing transparency, location dependencies, exit feasibility, and audit and access rights, then tie answers directly to contract requirements and monitoring plans.

    What are the 5 pillars of DORA regulation, and where does vendor management fit?

    DORA is commonly summarized into five pillars: ICT Risk Management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Vendor management sits primarily in the ICT third-party risk management pillar under DORA Articles 28 to 44, but it also supports your ability to meet incident reporting timelines and to perform resilience testing where you rely on third parties. In practice, vendor management becomes the integration point, because contracts, monitoring, and exit plans determine how much operational control you can exercise during disruptions.

    Why is it important for each financial entity to keep the Register of Information up to date?

    Because the Register of Information is used to demonstrate your current dependency footprint and control coverage for ICT third-party arrangements. If the register is outdated, you may miss concentration risk patterns, misclassify services supporting critical or important functions, or fail to reflect new sub-outsourcing dependencies. Under DORA, competent authorities may test the consistency between your register, your contracts, your monitoring records, and your internal service ownership. Keeping it up to date is typically best achieved by linking register updates to onboarding, renewal, and change management workflows, rather than relying on periodic manual refreshes.

    Which institution oversees DORA, and who should we expect to interact with on third-party topics?

    DORA is an EU regulation, but day-to-day supervision is typically exercised by your National Competent Authority. The European Supervisory Authorities, the EBA, ESMA, and EIOPA, through the Joint Committee, develop Regulatory Technical Standards and Implementing Technical Standards that specify detailed requirements, including for the Register of Information and aspects of third-party oversight. DORA also establishes an EU-level oversight framework for certain critical ICT third-party service providers. In practice, your institution may need to evidence DORA-aligned third-party governance to your competent authority, and your providers may face direct engagement under the EU oversight framework if designated as critical.

    Key Takeaways

  • DORA vendor management is a lifecycle control set under DORA Articles 28 to 44, not a static vendor list.
  • A defensible inventory manages providers and ICT services delivered, mapped to business owners and critical functions.
  • DORA Article 30 contract elements often drive legacy contract remediation and structured exception management.
  • Ongoing monitoring must use operational signals, not only monthly SLA metrics, and must be traceable to actions.
  • Concentration risk and exit planning become auditable when you model sub-outsourcing dependencies and test portability assumptions.

    • Conclusion

    DORA has made ICT third-party risk a board-level resilience topic, and vendor management is where compliance meets day-to-day operational control. If your provider data is fragmented, your contract controls are inconsistent, or oversight is not tied to measurable signals, you will spend audit cycles reconciling spreadsheets instead of improving resilience. The practical path is to standardize your service taxonomy, classify providers in a repeatable way, remediate high-impact contracts, and create an oversight cadence that produces evidence as a by-product of operations.

    If you are evaluating how to operationalize these controls at scale, it can be useful to see how a DORA-specific workflow handles real provider portfolios and evidence requirements. You can explore the Dorapp platform resources at Why DORApp or request a walkthrough via Book a Demo to discuss your third-party operating model with a DORA-focused team.

    Regulatory Disclaimer: This article is provided for informational and educational purposes only. It does not constitute legal advice and should not be relied upon as a substitute for qualified legal or regulatory counsel. DORA compliance obligations vary depending on the nature, scale, and risk profile of each financial entity. Always consult with a qualified legal advisor or compliance professional regarding your specific obligations under the Digital Operational Resilience Act and applicable Regulatory Technical Standards. DORA interpretation and supervisory expectations may evolve as the European Supervisory Authorities, including the EBA, ESMA, and EIOPA, publish additional guidance. This content reflects information available at the time of publication and applies to EU-regulated financial entities as defined under Regulation EU 2022/2554.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.