The enforcement deadline for the Digital Operational Resilience Act (DORA) has now passed, marking a new era of regulatory scrutiny for financial institutions and their ICT service providers. As organisations work to align with DORA’s resilience requirements, a key area of focus is third party risk management, which holds firms accountable for the operational stability of their external vendors.
Failure to comply with these obligations could lead to financial penalties, reputational damage, and increased regulatory oversight. With deadlines for register of information submissions now set, impacted entities must move swiftly to ensure compliance. This blog outlines the latest regulatory expectations across key European jurisdictions and provides guidance on how financial entities can effectively manage third party risk under DORA.
With the 17 January enforcement deadline for DORA now passed, organisations must ensure they can withstand, respond to, and recover from ICT-related disruptions in line with the requirements set out by the act. A central pillar of DORA is third party risk management, holding financial institutions and their service providers accountable for operational resilience. Failure to comply could result in regulatory scrutiny, financial penalties, and reputational damage.
Third party risk management: key requirements and deadlines
The European Banking Authority (EBA) has published Implementing Technical Standards (ITS), which have been adopted and published in the Official Journal of the EU, to guide organisations in completing the register of information as part of their third party obligations. This publication is the key source of information that in-scope entities need to engage with to adequately comply, in conjunction with the master template which has been made available as a supplement. Whilst impacted entities may feel that they now have time to breathe, this is not the case.
Deadline: impacted entities must submit their register of information by April 2025. Despite the time window, regulators expect proactive preparation.
Expectations from European regulators:
Ireland
Regulated by: Central Bank of Ireland (CBI).
Submission window: 1 April to 4 April 2025, via the CBI portal.
Technical requirements: entities submitting the register of information must have a valid LEI code and the third party service providers listed must either have a valid LEI code or an EU code in order for the submission to be validated.
CBI guidance: consult the EBA’s page “Preparations for reporting of DORA registers of information” when initiating this process.
Submission: when submitting the register, financial entities must use a ‘plain-csv’ (xBRL OIM-CSV) file in accordance with EBA taxonomy 4.0 and follow the system guide for submitting the register to the CBI portal, which will be made available in March.
Portal updates: please note that the CBI portal is updating its multi-factor authentication process in March 2025, so users should begin the pre-enrolment process now, in order to avoid any complications around register of information submission dates.
https://www.centralbank.ie/regulation/digital-operational-resilience-act-dora
The Netherlands
Regulated by: Dutch Central Bank (DNB) & The Dutch Authority for the Financial Markets (AFM).
Information request: issued to all AFM-licensed entities subject to DORA in February 2025.
Guidance and tools: AFM will release a submission form soon to facilitate compliance.
Submission format: it is the responsibility of the in-scope entity to transfer the data from their register into the AFM format.
https://www.afm.nl/en/sector/themas/belangrijke-europese-wet–en-regelgeving/dora
https://www.afm.nl/en/sector/themas/belangrijke-europese-wet–en-regelgeving/dora/derde-aanbieders
https://www.dnb.nl/en/sector-information/open-book-supervision/laws-and-eu-regulations/dora/
France
Regulated by: l’Autorité de Contrôle Prudentiel et de Résolution (ACPR) & Autorité des Marchés Financiers (AMF).
Schedule: the schedule for submission of the registers to the AMF and a detailed procedure for submitting via the portal (ROSA) will be made available to in-scope entities in early 2025.
Testing: there will be a test period for submitting registers to help avoid any issues around the deadline.
Formatting: registers will have to be submitted to the AMF in the specified format and structure set out by the European Supervisory Authorities.
https://www.amf-france.org/fr/actualites-publications/dossiers-thematiques/dora
Spain
Regulated by: Comisión Nacional del Mercado de Valores (CNMV).
Submission window: 1 April to 22 April 2025, via the CNMV virtual office in the “Zona Cifradoc” area, with the reference date of the information being 31 March 2025.
Guidance and tools: CNMV have provided a template in excel format to facilitate completion and submission.
Feedback: once the register is submitted through the virtual office, the regulator will provide feedback in one of three forms: rejection (NOK), pending further validation (PEN), or the results of the validation (RES).
https://www.cnmv.es/portal/ciberseguridad?lang=en
https://www.cnmv.es/DocPortal/Ciberseguridad/Comunicacion_registro_proveedores_en.pdf
Luxembourg
Regulated by: Commission de Surveillance du Secteur Financier (CSSF).
Submission window: 1 April to 15 April 2025, via eDesk.
Validation: if errors are detected, financial entities will be invited to correct and re-submit before 30 April.
Formatting: to be submitted in plain CSV format.
https://www.cssf.lu/en/2025/01/entry-in-application-of-dora-regulation-on-17-january-2025/
Key considerations for effective third party risk management
To comply with DORA, financial entities must maintain comprehensive oversight of third party ICT service providers. Some key considerations that in-scope entities should take into account include:
- Third party risk management structure: ensure a framework is in place to oversee ICT service providers, to include risk assessment, contractual obligations, and continuous monitoring of third party resilience. Establish formalised contracts, detailing security requirements, incident reporting, and exit strategies.
- Third and fourth parties: identify and map out the risks associated with third and fourth parties and implement risk controls.
- Register of information: complete the third party register using technical standards, provided templates, and formal guidance from your regulator.
- Contract addendums: revise third party contracts aligned with DORA provisions and ensure clients are notified of the relevant changes.
Conclusion: act now to ensure DORA compliance
Financial entities must act promptly to meet regulatory expectations. The regulators in Ireland, the Netherlands, France, Spain and Luxembourg are driving a proactive approach, requiring firms to engage with guidance, technical standards and updated submission protocols. Effective third party risk management is not only a regulatory requirement but a cornerstone of operational resilience.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.