DORA consultancy - helping financial institutes across the UK and Europe.

Third-party Risk research


The European Supervisory Authorities (ESAs), together with the national competent authorities (CAs), carried out a joint high-level analysis to obtain a preliminary overview of the ICT services that ICT third-party service providers (TPPs) supply to EU financial entities.
The ESAs identified approximately 15,000 ICT TPPs directly serving the 1,600 EU financial entities in the analysis sample.

TL;DR: Financial entities and their IT providers should be worried about highly concentrated, non-substitutable environments. By now, a financial entity should be at least halfway through identifying those dependencies.

As we know, risk management of ICT TPPs is one of the main pillars of DORA. Financial entities must maintain a register of information on all their contractual arrangements for the use of ICT services provided by ICT TPPs. EU financial entities were given just enough time, two years, to prepare and be fully compliant with DORA from 17 January 2025.
The regulators' analysis of the ICT TPP landscape gives unsurprising results, suggesting that the market is:
  • Highly concentrated: the most popular ICT TPPs tend to provide services supporting the largest number of critical financial functions, so these providers are likely to play an essential role in the overall EU financial system.
  • Non-substitutable: the ICT services supporting most of these critical financial functions are often impossible to replace at short notice.
  • Interdependent: to make matters worse, the results indicate a potentially high degree of interconnectedness and interdependency between ICT TPPs themselves.
For DORA compliance, the financial entity has to be on top of the game, which means:
  • a complete register of all your ICT TPPs, with detailed information on their interconnectedness;
  • a clear understanding of which TPPs support your critical functions;
  • a review and update of all ICT TPP contracts so that they comply with the new EU requirements;
  • confirmation that your TPPs are familiar with DORA and on board with the required testing;
  • confirmation that they are ready to cooperate with oversight visits and are aware of the costs and penalties for non-compliance.
Each of these areas can be a challenge on its own: technically, administratively and in terms of the supplier relationship.


The situation is dire because financial entities clearly underestimate the market interdependencies and the concentration of resources outside their control.
Financial entities need to realise that thousands of IT TPPs are eager to sell to anyone who will buy, and that their customers' DORA compliance is not among those suppliers' priorities when it comes to reducing risk and improving compliance.
The financial institution MUST have a plan to address the DORA requirements, including practical scenarios for stress-testing an exit from each critical TPP, reviewing and confirming contracts (which is not trivial), testing TPPs' business recovery, and so on.

The IT providers also do not yet realise the challenges that are about to arrive. They can expect multiple, often conflicting, requirements from their client base, including contract re-negotiations, additional security requirements and much more detailed business continuity preparedness.

Please get in touch if you require clarification on any of the DORA requirements for the risk management of ICT TPPs.

Would you like to talk about DORA compliance? Contact us.