DORA – Managing ICT third-party risk

Managing ICT third-party risk

Financial entities must manage the risk arising from the use of information and communication technologies provided by third parties (ICT third-party risk) across the entire life cycle of the contractual arrangement. ICT third-party risk is the ICT-related risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by their subcontractors.

In addition to the requirement to maintain a register of information on ICT third-party service providers, the rules cover drawing up a strategy on ICT third-party risk, conducting due diligence before an ICT service is used, the minimum content of contracts, and exit strategies.

Register of Information

The register contains information on all ICT services provided directly by ICT third-party service providers. Subcontracting arrangements must also be listed where they support ICT services that support critical or important functions, or a material part thereof.

The complete register of information must be submitted to the competent authority at its request.

The FMA requires submission of the complete register of information pursuant to Article 28(3), fourth subparagraph, of Regulation (EU) 2022/2554 in order to classify ICT third-party service providers that are critical for financial undertakings, to confirm the classifications carried out by the ESAs in 2025, and to supervise financial undertakings effectively.

The register of information must be compiled and submitted either at individual entity level or at the highest level of consolidation of a group within the EU. The rules are defined in Article 3 of the European Supervisory Authorities (ESA) Decision (ESA Decision of 8 November 2024 concerning the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third party service providers in accordance with Article 31(1)(a) of Regulation (EU) 2022/2554 – ESA 2024 22).

The reference date for the data contained in the register of information is 31 December of the preceding year.

Submission to the FMA as the competent authority takes place from 16.02.2026 to 13.03.2026 via the Incoming Platform.

Please make use of the testing opportunity already provided by the FMA to identify problems before the submission period. Submissions that do not satisfy the validation rules will be rejected.

The Excel template that must be used when submitting the register of information to the FMA can be found here:

FMA_Template_RoI_1_4_DE (Format: xlsx, Size: 3,8 MB, Language: German)

FMA_Template_RoI_1_4_EN (Format: xlsx, Size: 3,8 MB, Language: English)

The following file contains an overview of all options available in the drop-down lists, to assist you in filling out the template:

FMA_RoI_Template_Dropdown_inklusive_ItemCodes (Format: xlsx, Size: 59,7 KB, Language: German)

Since 02.04.2025 it has also been possible to enter EBA codes (by copying them) in the FMA template instead of plain text. This also allows values to be transferred from the XBRL format into the template by copying them directly, without lookups or the VLOOKUP function.

The submitted information is used to identify critical ICT third-party service providers and is also used in the supervisory process, e.g. in connection with the reporting of major ICT-related incidents.

Furthermore, financial entities must inform the competent authority in a timely manner of any planned contractual arrangement on the use of ICT services supporting critical or important functions, and of any case in which a function has become critical or important.

Strategy for ICT third-party risk

The management body must adopt this strategy and regularly review the risks identified in connection with contractual arrangements on the use of ICT services supporting critical or important functions. ICT concentration risk at entity level is also assessed.

Due diligence

Before concluding a contract, financial entities must assess the prospective ICT third-party service provider comprehensively. For example, contracts may only be concluded with service providers that comply with appropriate information security standards.

Contractual agreements

The minimum content of contracts is prescribed, for example termination rights or the obligation to notify an intended change of location. For ICT services supporting critical or important functions, additional elements apply, e.g. the services to be provided during a transition period until the switch to another ICT third-party service provider or until the service is performed in-house.

Exit strategies

The objective is to be able to exit contractual arrangements without disruption to business activities, while maintaining the continuity and quality of the services provided. Contingency measures, alternative solutions and transition plans are identified for this purpose. Exit plans are also tested and reviewed regularly.

Questions and Answers

The submission period for the register of information in 2026 is announced by the FMA and runs from 16.02.2026 to 13.03.2026.

Competent authorities are required to submit registers of information to the ESAs by 31 March 2026.

Regarding the level of consolidation for reporting, please refer to Article 3 of the Decision concerning the reporting by competent authorities to the ESAs of information necessary for the designation of critical ICT third party service providers. You should also consult the ESA FAQ Reporting of registers of information (RoI) under DORA; questions 4 to 9 are particularly relevant for issues relating to consolidation.

Notes:

  • In the case of Austrian groups, foreign subsidiaries in EU States are also to be included.
  • Subsidiaries licensed in Austria that belong to groups established in other EU States submit their registers to the parent undertaking in the group, which then submits it to its competent authority. The FMA receives the registers of information from these subsidiaries directly from the ESAs.
  • Only financial entities are to be included in the consolidation.
  • Every financial entity is only listed once in the reports that are submitted to the ESAs.

An Excel file containing these lists can also be found on the FMA website.

Where there are options missing, use the following catch-all category: ‘Non-Life Insurance: All classes, at the choice of the Member States, which shall notify the other Member States and the Commission of their choice’

In this case, you must not only fill out sheet B.05.02 (service supply chain); information on the first external service provider in the chain must also be entered in sheet B.05.01 and, for critical or important functions, in sheet B.07.01.
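The cross-sheet rule just described is the kind of check worth running locally before submission, since submissions that fail the validation rules are rejected. The following Python script is an added example and is not code from the FMA, the ESAs or the template; the sheet layouts, field names (arrangement_ref, provider_id, rank, supports_cif) and provider identifiers are simplified assumptions, and the sample rows are constructed for illustration.

```python
"""Pre-submission consistency check for a DORA register of information (RoI).

Added example, not code from the FMA, the ESAs or the RoI template. The three
sheets are modelled as lists of dicts with simplified, assumed field names; the
real ITS templates use numbered columns and many more fields. Rule checked: for
a service delivered through a chain of providers, the first external provider
(rank 1 in B.05.02) must also be recorded in B.05.01 and, where the arrangement
supports a critical or important function (CIF), in B.07.01.
"""
from collections import defaultdict

# Constructed sample data with hypothetical identifiers (not real LEIs).
B_05_01 = [  # contractual arrangements with direct ICT third-party providers
    {"arrangement_ref": "CA-001", "provider_id": "LEI-AAA", "supports_cif": True},
    {"arrangement_ref": "CA-002", "provider_id": "LEI-BBB", "supports_cif": False},
]
B_05_02 = [  # service supply chains; rank 1 = first external provider, 2.. = subcontractors
    {"arrangement_ref": "CA-001", "provider_id": "LEI-AAA", "rank": 1},
    {"arrangement_ref": "CA-001", "provider_id": "LEI-SUB1", "rank": 2},
    {"arrangement_ref": "CA-001", "provider_id": "LEI-SUB2", "rank": 3},
    {"arrangement_ref": "CA-003", "provider_id": "LEI-CCC", "rank": 1},  # absent from B.05.01
    {"arrangement_ref": "CA-003", "provider_id": "LEI-SUB3", "rank": 2},
]
B_07_01 = []  # assessments of ICT services supporting CIFs (none recorded yet)


def check_supply_chains(b0501, b0502, b0701):
    """Return a list of (arrangement_ref, finding_code) for every inconsistency found."""
    findings = []
    direct = {(r["arrangement_ref"], r["provider_id"]) for r in b0501}
    assessed = {(r["arrangement_ref"], r["provider_id"]) for r in b0701}
    cif_refs = {r["arrangement_ref"] for r in b0501 if r["supports_cif"]}

    # Group the supply-chain rows by contractual arrangement.
    chains = defaultdict(list)
    for row in b0502:
        chains[row["arrangement_ref"]].append(row)

    for ref, rows in chains.items():
        rows = sorted(rows, key=lambda r: r["rank"])
        ranks = [r["rank"] for r in rows]
        # Ranks must be contiguous and start at 1; otherwise the chain has a gap
        # and there is no reliable "first external provider" to cross-check.
        if ranks != list(range(1, len(rows) + 1)):
            findings.append((ref, "ranks_not_contiguous"))
            continue
        first = rows[0]
        key = (ref, first["provider_id"])
        # Rule 1: the first external provider must appear in B.05.01.
        if key not in direct:
            findings.append((ref, "rank1_missing_in_B.05.01"))
        # Rule 2: for arrangements supporting a CIF, it must also be assessed in B.07.01.
        if ref in cif_refs and key not in assessed:
            findings.append((ref, "rank1_missing_in_B.07.01"))
    return findings


if __name__ == "__main__":
    for ref, code in check_supply_chains(B_05_01, B_05_02, B_07_01):
        print(f"{ref}: {code}")
```

On the constructed data the check reports that CA-001 supports a critical or important function but its rank-1 provider has no entry in B.07.01, and that CA-003 has a supply chain without a matching direct-contract row in B.05.01. A real pre-submission check would read the rows from the Excel template and apply the full set of published validation rules; the structure of the cross-sheet lookup stays the same.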

In this instance, a national code may be used as an exception (see EBA-FAQ #40).

Article 3(22) DORA defines a critical or important function as follows:

a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;

If the subsidiary itself falls within DORA’s scope of application (Article 2 DORA), all rules apply to it to the same extent. Where, for example, parts of an ICT service are outsourced to the parent undertaking (or vice versa), that arrangement is captured and the providing entity is treated as an intra-group (internal) ICT service provider.

Yes. See also the question “Which service providers support critical or important functions?”

From the FMA’s perspective, a risk-based approach is needed when classifying which service providers support critical or important functions. In line with ESA Q&A 2750, the relevant question when classifying a service provider is whether the disruption of the system or service provider would materially impair the affected function(s), especially with regard to continuity and security.

Under Article 4(2) DORA, the principle of proportionality applies to Chapters III and IV and to Chapter V, Section I, where the relevant rules in those chapters specifically provide for it. With regard to Article 30(2)(i) DORA, reference is made to Article 13(6) DORA on the participation of ICT third-party service providers in ICT security awareness programmes and digital operational resilience training. It stipulates that financial entities must include ICT third-party service providers in their relevant training schemes where appropriate. Financial entities are therefore required to assess whether including a given ICT third-party service provider is appropriate.

In Annex III of the specification of the register of information, consulting contracts are listed as a separate category (described as ‘Provision of intellectual/ICT expertise services’). Such contracts must therefore also be included, provided that a clear link to ICT systems exists.

Where it is clearly apparent from the contract that certain minimum contents pursuant to Article 30(2) DORA are not applicable, they need not be included as separate points in the contract (e.g. omission of the clause on the location of data processing where it is established that no data is transferred to the consultant).

Where a large proportion of these minimum contents appear not to be applicable, this may also indicate that the service in question is not related to ICT systems at all, i.e. is not an ICT service.

Here it is necessary to consider how the open source software is obtained. Where other services are linked to it, such as ongoing support, advice or similar services, an ICT service within the meaning of DORA may exist. If, in the extreme case, only the open source code is obtained, e.g. from a repository, and then used within the entity, no such service exists; irrespective of this, other DORA provisions (for example on ICT systems acquisition, development and maintenance) may apply.

Article 30(3)(e)(ii) DORA states that contractual arrangements on the use of ICT services supporting critical or important functions must provide for the right to monitor the ICT third-party service provider’s performance on an ongoing basis, which includes the right to agree on alternative assurance levels if other clients’ rights are affected.

This point must be read in conjunction with Article 30(3)(e)(i) DORA:

(i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;

Therefore, where ‘traditional’ audit rights would encroach on the rights of the service provider’s other clients in the specific situation, alternative ways of monitoring the service provider’s performance may be agreed.

In relation to filling out the register of information, the question also arises whether there is a materiality threshold for the ‘support’ of critical or important functions. This question has been put to the ESAs through the Q&A process. There is no specific timeframe, but clarification on this issue is expected at European level.

See DORA Q&A 2999:

The answer to this question is provided by the European Commission.

The definition of ‘ICT services’ in Article 3(21) of Regulation (EU) 2022/2554 intentionally maintains a broad scope. Recital (35) of Regulation (EU) 2022/2554 indeed clarifies that, with the aim of maintaining a high level of digital operational resilience, the definition of ICT services should be understood in a broad manner to the extent that such services encompass digital and data services provided through ICT systems on an ongoing basis. Therefore, financial entities are responsible for undertaking an assessment on this basis to determine whether the services they rely on are ICT services, as defined under Article 3(21) DORA. Such assessment should be performed taking into account the clarifications from DORA Recital (63), which specifies that DORA should cover a wide range of ICT third-party service providers, including financial entities providing ICT services to other financial entities, and without prejudice to sectoral regulations applicable on regulated financial services.

Financial services may entail an ICT component. In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

In case the service is provided by a regulated financial entity providing regulated financial services but is unrelated or is independent from such regulated financial services, the service should be considered as an ICT service under Article 3(21) DORA. 

The same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner. 

The clarification about the difference between financial services and ICT services is without prejudice to the requirements applicable to financial entities under DORA, other than the requirements related to ICT third-party risk management.

Disclaimer provided by the European Commission:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.

The assessment, and its depth, must follow a risk-based approach and the principle of proportionality. The Regulatory Technical Standards specifying the elements a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions (Article 30(5) DORA) contain more detailed rules.

Certifications may be taken into account as a source of information when assessing the suitability of a service provider, but they are not a substitute for the assessment of the service provider itself.

As stated in the answer to the previous question, a certification cannot be considered a substitute for assessing the service provider, and likewise a certification cannot replace the ongoing (re-)auditing of the service provider. The frequency of ongoing reviews depends on the provider’s criticality and is therefore to be assessed case by case.

The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.

Legal bases

Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.