ICT Third-Party Risk Assessment: DORA Compliance Checklist

Master ICT third-party risk assessment for DORA compliance. Our certified checklist helps EU financial entities evaluate vendor cybersecurity controls in weeks, not months.

Sahil Dubey
June 18, 2026

DORA ICT Third-Party Risk Assessment: Your Compliance Checklist

The Digital Operational Resilience Act (DORA) mandates that EU financial entities rigorously assess information and communication technology (ICT) third-party service providers before engagement and throughout the relationship. This checklist directly addresses Article 28 requirements, enabling you to evaluate vendor cybersecurity posture, incident response capabilities, and contractual safeguards systematically. Our CISA and ISO 27001 Lead Auditor certified team has helped 50+ financial institutions complete third-party risk assessments in 3–4 weeks—reducing compliance timelines by 60% while strengthening vendor governance.

Pre-Engagement Assessment Phase

Before signing any ICT service agreement, conduct a thorough vendor evaluation:

  • Vendor Registration & Background: Verify legal entity status, financial stability, regulatory licenses, and ownership structure. Cross-check against EU sanctions lists and adverse media databases.
  • Security Certifications: Confirm ISO 27001, SOC 2 Type II, or equivalent third-party attestations. Request audit reports within last 12 months; validate assessor independence and scope coverage.
  • Data Location & Jurisdiction: Document where customer data resides (EU, UK, third country). Confirm GDPR compliance and adequacy decisions if data transfers occur outside EEA.
  • Incident History: Request disclosure of prior security incidents, regulatory enforcement actions, and pending litigation related to cybersecurity.
  • Subcontractor Chain: Map all sub-processors, their locations, and controls. DORA requires visibility into the entire ICT supply chain—not just direct vendors.
  • Business Continuity & Disaster Recovery: Validate RTO/RPO (recovery time/point objectives), backup redundancy, and tested failover capabilities.
  • Cybersecurity Tools & Architecture: Review endpoint detection/response (EDR), security information/event management (SIEM), encryption standards (minimum AES-256), and network segmentation design.

Contractual & Governance Requirements

DORA Article 28 mandates specific contractual clauses to protect your institution:

  • Security Obligations Clause: Define minimum cybersecurity standards (e.g., ISO 27001 controls, NIST CSF alignment). Specify breach notification timelines (24–72 hours typical).
  • Audit Rights & Access: Contractually reserve the right to conduct on-site audits, request SOC 2/ISO reports, and perform vulnerability assessments. Include third-party audit permission language.
  • Incident Response & Escalation: Establish severity levels, escalation contacts, and mandatory reporting channels. Define "material incident" thresholds and communication protocols.
  • Data Protection & Confidentiality: Enforce data processing addendums (DPAs) under GDPR (and under the DPDP Act where Indian data flows apply), strict confidentiality, and return or destruction of data upon contract termination.
  • Subcontractor Approval: Require written approval before vendors engage sub-processors. Ensure contractual flow-down of security, audit, and incident response obligations.
  • Termination & Transition: Define exit conditions, data migration timelines, service continuity during transition, and vendor cooperation obligations.
  • Liability & Indemnification: Set clear liability caps related to data breaches, cyber incidents, and regulatory fines triggered by vendor negligence.

Ongoing Monitoring & Risk Management

DORA compliance doesn't end at contract signature—continuous monitoring is mandatory:

  • Quarterly Risk Reviews: Re-assess vendor criticality (critical vs. important classification per DORA), update risk scores based on incident trends, regulatory changes, and technology shifts.
  • Annual Audit Verification: Request updated ISO 27001 certificates, SOC 2 reports, or equivalent attestations. Review audit findings and remediation status.
  • Vulnerability & Patch Management: Confirm vendors maintain patch cadence (critical patches within 14–30 days). Request evidence of vulnerability scanning and penetration testing.
  • Personnel & Access Controls: Verify vendor background checks for staff accessing your data, enforce principle of least privilege, and track access logs.
  • Incident Reporting & Metrics: Collect quarterly security metrics: incident counts, MTTR (mean time to remediation), false positive rates, and phishing simulation results.
  • Regulatory Change Tracking: Monitor updates to DORA ICT risk management guidelines, NIS2 Directive, and GDPR enforcement to adjust vendor requirements proactively.
  • Red Flag Escalation: Establish triggers for immediate intervention: failed audit findings, material incidents, change of ownership, financial distress indicators.

Criticality Classification & Tiered Approach

DORA distinguishes between critical and important ICT third parties. Tailor your assessment depth accordingly:

  • Critical ICT Third Parties: Core services (cloud infrastructure, payment processing, core banking systems). Require SOC 2 Type II or ISO 27001. Mandate annual on-site audits, real-time incident monitoring, and board-level oversight.
  • Important ICT Third Parties: Supporting services (HR platforms, office collaboration tools). Accept ISO 27001 or equivalent. Conduct desk-based annual reviews and triennial audits.
  • Review Criteria: Impact on financial condition, customer service continuity, regulatory reputation, and data sensitivity determine criticality—reassess annually.

Common Assessment Gaps & How to Avoid Them

  • Gap 1 – Incomplete Subcontractor Visibility: Many vendors hide sub-processor chains. Require contractual transparency and maintain a live subcontractor register.
  • Gap 2 – Outdated Certifications: ISO 27001 certificates may be expired or cover only part of the vendor's operations. Verify current status and confirm that the certified scope covers the services you actually consume.
  • Gap 3 – Weak Incident Thresholds: Vendors may under-report minor incidents. Define materiality clearly (data volume, customer impact, regulatory notification trigger).
  • Gap 4 – No Redundancy Testing: Assume an untested disaster recovery plan will fail; require vendors to demonstrate a tested backup activation at least annually.
  • Gap 5 – Regulatory Drift: UK-based vendors post-Brexit need a separate GDPR compliance review; US vendors are subject to CCPA and other state laws. Map regulatory overlaps explicitly.

Frequently Asked Questions

What certifications satisfy DORA's ICT third-party security requirements?

ISO 27001, SOC 2 Type II, and TISAX (for German/EU automotive/finance) are the most commonly accepted attestations. Cloud providers often publish service-specific attestations (AWS SOC 2 reports, Azure Compliance Manager). For critical vendors, combine certifications with on-site audits. No single certification fully covers DORA; supplementary vendor questionnaires remain essential.

How quickly can we complete third-party risk assessments under DORA?

Praxis-Q's certified assessors (CISA, CISM, ISO 27001 Lead Auditors) compress typical 3–6 month timelines to 3–4 weeks via parallel workstreams: simultaneous vendor questionnaires, audit report retrieval, contract reviews, and risk scoring. Fast-track delivery does not compromise rigor—we maintain full compliance with DORA Article 28 mandates.

Do DORA requirements differ if our vendor is in India or outside the EU?

Yes. Non-EU vendors require additional GDPR/data localization checks, particularly if processing customer data outside EEA. India-specific vendors must comply with RBI (Reserve Bank of India) outsourcing guidelines and DPDP Act 2023 for Indian financial data. Conduct jurisdiction-specific risk assessments; consider third-country adequacy decisions and standard contractual clauses (SCCs) for data transfers.

What triggers a vendor reassessment under DORA?

Material cybersecurity incidents, failed audits, ownership changes, regulatory enforcement, technology platform upgrades, expanded scope (e.g., access to new data types), and regulatory updates (e.g., NIS2 Directive finalization) all necessitate reassessment. DORA requires documented monitoring at least annually for critical ICT third parties.

How should we document DORA third-party assessments for regulatory audits?

Maintain a vendor risk register with assessment dates, criticality classification, certification/audit reports, remediation trackers, and incident logs. Document board-level reviews quarterly. Store contracts and amendments with risk scoring worksheets. Regulators increasingly expect this evidence during on-site examinations.

Strengthen Vendor Governance Today

DORA's third-party risk framework is non-negotiable for EU financial entities. Delayed vendor assessments create compliance exposure and operational risk. Our certified team has streamlined this process for banks, insurers, and payment firms—delivering rigorous, documented assessments in record time. Start your assessment using this checklist; for full compliance review and expedited delivery, partner with DORA Compliance EU Financial Entities specialists at Praxis-Q.

Tags: DORA Compliance, ICT Third-Party Risk, EU Financial Regulation, Vendor Risk Assessment, Cybersecurity Audit

Sahil Dubey

Compliance & Security Expert

CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.