DORA has been in force since January 2025, and the grace most teams felt at the start is gone. If you are an EU financial entity, or a technology vendor that serves one, digital operational resilience is now a regulatory obligation with named deadlines, not an internal best practice you get to phase in at your own pace.
The third-party register is the piece that catches teams flat-footed. DORA requires a maintained register of information covering every contractual ICT arrangement: who the provider is, what function it supports, and whether that function is critical. Most firms discover their vendor inventory is a stale spreadsheet on the day a supervisor asks for it, and concentration risk (several critical functions resting on one provider, or a critical function with no alternative provider) stays invisible until it is a finding.
Incident reporting is the second trap. ICT-related incidents have to be classified and reported to the competent authority on a clock, and a major incident carries an initial notification window measured in hours. That deadline does not wait for someone to assemble the facts from chat threads and half-remembered timelines after the fire is out.
The fix has the same shape as the rest of compliance. Run it, do not document it. Keep the third-party register as a living intake where every new vendor triggers a tiering and criticality assessment. Run incident response as a workflow with classification built in and the regulatory reporting deadline set as an SLA. Each run then becomes the evidence a supervisor asks for, retrievable in one place.
Resilience testing closes the loop. DORA expects regular testing, and for significant entities, threat-led penetration testing. Put the testing cadence on a schedule with sign-off and findings tracked to closure, the same way you would run an internal audit cycle. Untracked findings are how a testing program quietly becomes theater.
Start with the register. You cannot manage concentration risk or report an incident against a vendor you have not catalogued, and the catalogue is the first thing a supervisor will ask to see. Build it once as a workflow, and it stays current because keeping it current is a step, not a quarterly project.
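To make the register point concrete, here is an added Python sketch of the minimal register shape described above, with the two concentration-risk checks a supervisor would ask about: critical functions that depend on a single provider, and providers carrying more critical functions than a chosen threshold. It is example code written for this page, not Cadenio's workflow template or the official DORA register template (which has many more fields). The field names, the tier labels, the threshold of two and the vendor data are all assumptions constructed for the illustration.

```python
"""Minimal ICT third-party register with concentration-risk checks.

Added illustration, not code from Cadenio or the DORA register template.
Field names, tier labels, the threshold and the sample vendors are
assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Arrangement:
    provider: str              # ICT third-party service provider
    function: str              # business function the service supports
    critical: bool             # is the supported function critical/important?
    tier: Optional[str] = None  # assigned at intake; None = assessment pending


class Register:
    def __init__(self) -> None:
        self._entries: List[Arrangement] = []

    def intake(self, provider: str, function: str, critical: bool,
               tier: Optional[str] = None) -> Arrangement:
        """Record a new arrangement. An entry without a tier stays on the
        pending list, so untiered vendors are visible rather than forgotten."""
        entry = Arrangement(provider, function, critical, tier)
        self._entries.append(entry)
        return entry

    def pending_assessments(self) -> List[Arrangement]:
        """Arrangements whose tiering/criticality assessment has not been done."""
        return [e for e in self._entries if e.tier is None]

    def single_provider_critical_functions(self) -> List[str]:
        """Critical functions that rest on exactly one provider (no fallback)."""
        providers_by_function = defaultdict(set)
        for e in self._entries:
            if e.critical:
                providers_by_function[e.function].add(e.provider)
        return sorted(f for f, ps in providers_by_function.items() if len(ps) == 1)

    def providers_over_threshold(self, max_critical_functions: int = 2) -> List[str]:
        """Providers supporting more critical functions than the threshold
        (threshold value is an assumption for the example)."""
        functions_by_provider = defaultdict(set)
        for e in self._entries:
            if e.critical:
                functions_by_provider[e.provider].add(e.function)
        return sorted(p for p, fs in functions_by_provider.items()
                      if len(fs) > max_critical_functions)


def demo_register() -> Register:
    """Constructed sample data; the vendors and functions are fictitious."""
    r = Register()
    r.intake("CloudCo", "core banking hosting", True, tier="1")
    r.intake("CloudCo", "payments gateway", True, tier="1")
    r.intake("CloudCo", "data warehouse", True, tier="2")
    r.intake("BackupInc", "core banking hosting", True, tier="1")
    r.intake("MailVendor", "newsletter", False, tier="3")
    r.intake("NewSaaS", "client onboarding", True)  # intake done, tiering pending
    return r


if __name__ == "__main__":
    reg = demo_register()
    print("pending tiering:", [e.provider for e in reg.pending_assessments()])
    print("single-provider critical functions:", reg.single_provider_critical_functions())
    print("providers over threshold:", reg.providers_over_threshold())
```

The point of the pending list is the "intake is a step" idea from the text: a vendor can be added the day the contract is signed, but the register itself shows that its assessment is outstanding. The two concentration checks are the questions that otherwise only surface as findings, computed from the same entries rather than from a separate spreadsheet.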
