The DORA Register of Information Trap

The DORA third-party register is a trap, and most firms are walking into it.
Luis Quintero, Pink and Blue Abstract

The DORA third-party register is a trap, and most firms are walking into it.

Gleb Etinzon, DORA Consultancy.
A boutique consultancy addressing complex regulatory requirements in a pragmatic way. London, UK.

Register or not register is not a question. DORA requires it, and most financial entities have already done so at least once. The results are so poor that none of the regulators has published any meaningful status yet, 15 months since DORA came into force.

The dry-run was a small sample of the in-scope population. 1,039 voluntary participants represent roughly 4–5% of the core DORA universe of approximately 22,000–25,000 entities across credit institutions, insurers, investment firms, payment institutions, and the rest. The 6.5% data-quality pass rate was therefore an early-adopter, best-effort sample — the firms most likely to get it right. It produced 235,000 failed checks across just 947 submissions. Scale that up by 20x and you begin to appreciate the silent operational bet behind the regime.

Yes, the regulator defined a list of 19 Critical ICT Third-Party Providers (CCTPs), and it is a great start. But is it really? The list confirmed everyone's expectations: major cloud providers, major telco suppliers, major consultancy players. I could produce this list without approximately 22,000 financial companies spending any time on their register.

When there are only 19 designated CCTPs out of roughly 15,000 ICT service providers in the financial industry — 0.13% — it also means that 99.87% are not critical in the eyes of the regulator. The supervisor has direct oversight of 0.13% of your third-party universe and is paging Microsoft's Lead Overseer, not your tier-three SaaS vendor. Whatever risk reduction you get from the other 99.87% has to come from your own contract management.

The register you filed is now evidence

The ESAs' own framing is that the Register of Information serves three purposes:

“(1) for financial entities as an internal tool to monitor their ICT third-party risk, (2) for EU competent authorities as a source of information to supervise the management by the financial entities of their ICT third-party risk and (3) for the ESAs as a source of information for the designation of critical ICT third-party service providers (CTPP) which will be subject to their oversight.”

Read that carefully: only purpose (1) is for the firm itself. Purposes (2) and (3) are extractive — the firm builds the register so somebody else can use it. The structural incentive to do (1) properly is therefore weak unless the firm consciously chooses to treat the register as a real risk artefact rather than an annual filing.

Most firms have not made that choice.

You successfully submitted the register, probably leaving the analytical fields — substitutability, alternatives, sub-outsourcing chain — blank or low-quality, and you have already forgotten about it. You can show a populated spreadsheet during an audit. But you are missing, or trying to ignore, the elephant in the room.

Your register is now the legal evidence of your compliance posture. It will be used against you when things go wrong. If your register lists a provider as “non-critical” and that provider then causes a material incident, the gap between your classification and reality becomes the entire story of the enforcement action.

The tail is where the incidents happen

The ESRB's April 2024 report on operational policy tools describes the ION Group ransomware attack of January 2023:

“The disruption is a striking example of how an incident at a relatively little-known third-party provider (albeit one of great significance) can cause major disruption, if that institution provides vital central services through the financial industry's supply chain.”

ION Group is not on the CCTP list. It would not have qualified — too narrow a function, not enough G-SII customers in Europe — and yet 40+ banks, hedge funds and brokerages were left unable to process exchange-traded derivatives trades. The ICBC FS attack later that year has the same shape: a single firm, a niche function, a USD 26 trillion market dislocated, and a USD 9 billion injection from the parent to compensate BNY Mellon for taking over clearing.

Both incidents originated in the long tail — the 99.87% that sits below the CCTP threshold. This is not a coincidence. The designated providers, whatever their other faults, at least have a public addendum, a Lead Overseer, and reputational exposure that forces a baseline of transparency. The undesignated providers are operating with no external pressure whatsoever.

The ESRB is even more explicit about what the regime cannot do. Same report, executive summary:

“Strengthening these [own detection and defence] capabilities is a key component of the significant ongoing efforts made by the EU to implement the Digital Operational Resilience Act (DORA). The ESRB's focus, however, lies in the systemic nature of cyber risk and the financial system's resilience as a whole and addresses response and recovery capabilities (second layer) and the coordination and action capabilities of the authorities (third layer).”

Translation: DORA, including its register apparatus, is the first layer only. The ESRB is openly telling us that the regime does not, by itself, address the cross-firm and cross-jurisdiction recovery and coordination mechanisms that would actually contain a systemic event. The register is a feedstock for designation, not a systemic mitigant. Anyone treating the register as if filing it discharges resilience risk has misread the ESRB's own scope statement.

Did anything actually change?

Based on a large sample of third-party compliance questionnaires I have reviewed over the past year, I can assure you that nothing has happened yet. Your suppliers lied to you before; they lie to you now, and your organisation never actually challenged or tested the real situation.

Do you seriously believe that 600 incidents in Germany are a true reflection of what happens within the landscape of BaFin-overseen German-based entities?

Do you still think that all your suppliers run periodic vulnerability scans per DORA RTS?

Are you sure that all of your critical service providers actually ran end-to-end Business Continuity tests in the last 12 months?

If yes, you do not have any IT suppliers.

If no, the challenge here is the missing opportunity to use your register for its actual purpose — to manage the risk. The suppliers, both designated and undesignated, disclose only what is necessary to keep the contract alive, with the substantive material gated behind sales relationships and shared-responsibility language. Do not forget to review and sign the DORA-specific contract addenda. If your firm has a legacy Enterprise Agreement and has not migrated, it is not getting the required incident notifications.

What to do with the register you already paid for

Populate the fields everyone skipped. The dry run shows systematic avoidance of B_07.01 (substitutability, alternative providers, possibility of reintegration in-house) and B_05.01 (sub-outsourcing chain, ultimate parent undertaking). Doing this properly makes the register a board-grade artefact instead of a regulatory chore. Nobody will check whether your assessment of substitutability is correct — except the enforcement team reviewing your concentration risk after the next outage.

Pressure the non-designated suppliers harder than the designated ones. The 19 CCTPs at least have a public addendum and a Lead Overseer. The other 14,981 are operating with no external pressure, and they are statistically where ICT-related incidents are most likely to originate. The ION and ICBC pattern is not an anomaly; it is the shape of the next incident too.

Check which addenda you actually signed. Google's incident-notification commitment applies only to customers on DORA contract terms. AWS's DORA Financial Services Addendum is opt-in and account-managed. If your firm is on legacy contracts, your supplier's CCTP designation does not protect you the way the press release implies.

Anchor register updates to your own change events. DORA requires annual reporting; resilience requires register entries to update when the contract changes, when a subcontractor changes, and when a service is reclassified as supporting a Critical or Important Function. If you wait for the annual cycle, the register lags reality, and the gap between register and truth is where enforcement finds its examples.

Stop treating the RoI as a template-filling exercise. The supervisor will check the format. Nobody will check whether your assessment of substitutability is correct. That second check is the one that prevents you from having an ION-Group week.

You have already invested an enormous amount of effort, money, and time in creating this register. If you are paying that much, use the resulting data to reduce risk. A companion analysis of what the CCTP designation list itself reveals — and what it obscures — follows in Part 2: The Critical 19.

For help with DORA challenges above, as well as others, please reach out to the team.

Ready to discuss your DORA compliance challenges?

Our team of experienced consultants is here to help.

Get in Touch