Comparison GuideEU financial sector

DORA vs EBA outsourcing guidelines

Use this comparison to separate binding DORA ICT third-party risk obligations from the older outsourcing-governance baseline that DORA and the register ITS reference.

Focus the gap review on ICT services, critical or important functions, register data, contract clauses, subcontracting chains, exit evidence, incident reporting, and board-level accountability.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA does not merely rename outsourcing governance. It creates directly applicable EU obligations for digital operational resilience and ICT third-party risk in the financial sector. The EBA outsourcing guidelines remain useful as a legacy supervisory baseline for outsourcing records and governance, but DORA adds a broader ICT-service lens, harmonised register templates, mandatory contract content, incident-reporting machinery, and a dedicated oversight framework for critical ICT third-party providers.

Side-by-side comparison

DORA vs EBA outsourcing guidelines: practical compliance differences

Use these rows to decide what can be reused from an EBA-style outsourcing programme and what must be upgraded for DORA ICT third-party risk.

Review all sources
First framework
DORA

A directly applicable EU digital operational resilience regulation for financial entities, with binding ICT risk, ICT third-party risk, register, contract, reporting, testing, and oversight obligations.

Second framework
EBA outsourcing guidelines

A pre-DORA outsourcing-governance baseline referenced by DORA and the register ITS; useful for existing outsourcing evidence, but not a substitute for DORA-specific ICT-service obligations.

Comparison row 1

Scope boundary

DORA

DORA follows ICT services, ICT systems, ICT third-party providers, subcontractors, and ICT services supporting critical or important functions.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

The EBA outsourcing baseline is tied to outsourcing arrangements; DORA treats outsourcing as one way ICT third-party risk can arise, not the full boundary.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Review cloud, SaaS, data, security, resilience, and support services even when procurement did not label the arrangement as outsourcing.

Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 1
Comparison row 2

Covered actors

DORA

DORA is a binding EU Regulation for digital operational resilience in the financial sector.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

The EBA outsourcing guidelines are supervisory guidance for outsourcing governance under sector-specific financial-services legislation, as reflected in DORA's references to earlier outsourcing efforts and ESA guidelines.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Do not close a DORA gap by pointing only to guideline compliance. Show the DORA article, RTS, ITS, register field, contract clause, or incident-reporting artifact that now applies.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Comparison row 3

Trigger

DORA

DORA defines a critical or important function by material impairment to financial performance, service continuity, soundness, or ongoing compliance if disrupted or defective.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

Legacy outsourcing evidence may include criticality classifications, but it must be retested against DORA's ICT-service and function definition.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Operational implication

Attach the critical-or-important-function rationale to each contract, register row, subcontracting decision, exit plan, and incident-impact assessment.

Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 1
Comparison row 4

Core obligations

DORA

DORA requires a register of information for contractual arrangements on ICT services, maintained at entity and where relevant sub-consolidated and consolidated levels.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

The register ITS says earlier ESA outsourcing guidelines expected some financial entities to record specific outsourcing information, sometimes in registers.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Operational implication

Use the outsourcing inventory as a starting dataset, then reconcile it to DORA templates, identifiers, ICT-service categories, supported functions, and subcontractor records.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Comparison row 5

Evidence record

DORA

DORA evidence includes ICT risk framework records, critical-function assessments, register rows, due diligence, contract clauses, subcontractor-chain assessments, access and audit records, exit tests, incident reports, and management-body reviews.

Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 1
EBA outsourcing guidelines

EBA-style outsourcing evidence remains useful where it proves governance, criticality, due diligence, register discipline, and contract oversight, but it must be labelled against the DORA requirement it supports.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Operational implication

Tag each evidence item by obligation: DORA register, DORA Article 30 contract, subcontracting RTS, incident reporting ITS, or legacy outsourcing governance.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 6

Timing and deadlines

DORA

DORA creates a major ICT-related incident reporting process with initial notification, intermediate report, final report, standard templates, secure channels, and voluntary notification of significant cyber threats.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

The outsourcing baseline is not a substitute for DORA incident reporting, even where a third party performs reporting activity on the financial entity's behalf.

Implementing Regulation (EU) 2025/302 on DORA incident reporting templatesSources 1
Operational implication

Keep outsourcing incident-notification clauses, but operate DORA classification, authority reporting, template, and client-communication processes separately.

Implementing Regulation (EU) 2025/302 on DORA incident reporting templatesSources 1
Comparison row 7

Enforcement

DORA

DORA gives competent authorities register access and creates an oversight framework for critical ICT third-party providers, including possible supervisory follow-up where risks are not addressed.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

EBA outsourcing guidelines support supervisory review of outsourcing governance, but DORA adds specific ICT third-party oversight and harmonised supervisory data.

Regulation (EU) 2022/2554 (DORA)Sources 1
Operational implication

Escalate unresolved DORA gaps through management-body reporting, competent-authority readiness, contract remediation, and provider-risk governance rather than treating them as procurement exceptions.

Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 1
Comparison row 8

Overlap and reuse

DORA

DORA requires written contracts for ICT services and minimum provisions covering service description, locations, data protection, access and return of data, service levels, incident assistance, cooperation with authorities, termination, and training participation.

Regulation (EU) 2022/2554 (DORA)Sources 1
EBA outsourcing guidelines

An EBA-style outsourcing contract may contain useful governance clauses, but it is not enough unless it also covers DORA's ICT-service clause set.

Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 1
Operational implication

Perform clause-by-clause remediation against DORA Article 30 and the ICT third-party contract-policy RTS.

Regulation (EU) 2022/2554 (DORA)Sources 1
Comparison row 9

Practical decision rule

DORA

DORA requires financial entities to assess risks from subcontracting ICT services supporting critical or important functions, including chain complexity, location, data, concentration, monitoring, access, and termination triggers.

Delegated Regulation (EU) 2025/532 on ICT subcontractingSources 1
EBA outsourcing guidelines

A legacy outsourcing file may identify subcontracting permission, but DORA requires operational visibility into ICT subcontractors that underpin critical or important functions.

Implementing Regulation (EU) 2024/2956 on DORA register templatesSources 1
Operational implication

Require advance notice of material subcontracting changes, a right to approve or object, and termination rights where unapproved or impermissible subcontracting occurs.

Delegated Regulation (EU) 2025/532 on ICT subcontractingSources 1
Practical decision rule

How to decide what to remediate first

  • First, identify every ICT service and whether it supports a critical or important function.
  • Second, reconcile the outsourcing inventory to the DORA register of information templates.
  • Third, remediate contracts for DORA Article 30 clauses, subcontracting controls, access and audit rights, incident assistance, and exit strategies.
  • Fourth, keep incident reporting, subcontracting approvals, exit tests, and management-body reviews as separate DORA evidence even when the same provider is already in an outsourcing register.
Regulation (EU) 2022/2554 (DORA)Sources 1Delegated Regulation (EU) 2024/1773 on ICT third-party contract policySources 2
Section 1

What changed from outsourcing governance to DORA ICT third-party risk

DORA defines ICT third-party risk as ICT risk arising from ICT services provided by third-party providers or their subcontractors, including through outsourcing arrangements. That definition is wider than a traditional outsourcing file because it follows ICT services, data, security, business continuity, incidents, and subcontracting chains.

DORA itself notes that earlier efforts such as the 2019 EBA outsourcing guidelines did not sufficiently address systemic risk from financial-sector exposure to a limited number of critical ICT third-party service providers. Treat the EBA outsourcing file as input evidence, then test whether DORA now requires additional register fields, clauses, reporting steps, or exit evidence.

  • Start with the ICT service and supported function, not the procurement label.
  • Classify whether the ICT service supports a critical or important function under DORA.
  • Check whether the existing outsourcing register can populate the DORA register of information without losing DORA-required ICT-service, function, provider, and subcontractor data.
  • Remediate contracts where legacy outsourcing clauses do not cover DORA access, audit, incident assistance, data-location, subcontracting, and exit requirements.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Defines ICT third-party risk, critical or important functions, and DORA's ICT third-party risk-management obligations.
Section 2

Register of information: reuse the outsourcing inventory carefully

DORA requires financial entities to maintain and update a register of information for all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing arrangements that support critical or important functions from those that do not.

The register ITS explains the link to earlier outsourcing practice: some financial entities were already expected under ESA guidelines to record specific information on outsourcing arrangements, sometimes in register form. DORA turns that history into standardised templates designed for technology-neutral, relational reporting.

  • Keep legacy outsourcing identifiers only if they can be reconciled to DORA contract, provider, function, and ICT-service identifiers.
  • Record direct ICT third-party providers and relevant subcontractors that underpin ICT services supporting critical or important functions.
  • Use the register to evidence supervision readiness: competent authorities can request the full register or specified sections.
  • Do not treat a procurement vendor list as sufficient unless it identifies the ICT service, supported function, contract, provider, and criticality status.
Sources for this answer
Implementing Regulation (EU) 2024/2956 on DORA register templates
Explains the DORA register template design and its relationship to earlier ESA outsourcing-register expectations.
Regulation (EU) 2022/2554 (DORA)
Requires the register of information for contractual arrangements on ICT services provided by ICT third-party providers.
Section 3

Contract and subcontracting remediation priorities

For ICT services, DORA Article 30 sets minimum contractual content. For ICT services supporting critical or important functions, it adds stronger provisions such as full service-level descriptions, notice and reporting obligations, contingency-plan testing, TLPT cooperation, unrestricted access, inspection and audit rights, and exit strategies.

DORA's subcontracting RTS goes further for ICT services supporting critical or important functions or material parts of them. Financial entities must be able to assess whether subcontracting is permitted, whether the provider can identify and notify relevant subcontractors, whether access and inspection rights flow through the chain, and whether material subcontracting changes can be approved, objected to, or used as a termination trigger.

  • Map each legacy outsourcing clause to DORA Article 30 before relying on it.
  • Add data-location, storage-location, incident-assistance, regulator-cooperation, and termination language where missing.
  • For critical or important functions, require subcontractor-chain visibility and material-change notice before changes take effect.
  • Preserve evidence that the financial entity, not the provider, made and approved the risk decision.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Sets DORA contract content, access and audit rights, termination rights, and exit requirements for ICT third-party arrangements.
Delegated Regulation (EU) 2025/532 on ICT subcontracting
Specifies elements to assess when subcontracting ICT services supporting critical or important functions.
Section 4

Evidence that should survive supervisor review

A useful comparison file should show which evidence satisfies DORA and which evidence only shows legacy outsourcing governance. The same contract, risk assessment, or register row can be reused, but only if it contains the DORA-specific fields and approvals.

For reporting, DORA is separate from outsourcing governance. Major ICT-related incidents are reported to competent authorities using DORA's initial notification, intermediate report, and final report structure; outsourcing a reporting task to a third party does not remove the financial entity's responsibility.

  • Keep the critical-or-important-function assessment with the contract and register row.
  • Retain due diligence showing provider suitability, information-security posture, resources, and concentration-risk assessment.
  • Keep access, inspection, audit, service-level, contingency testing, subcontracting approval, and exit-plan evidence together.
  • For incidents, keep classification records, reporting-template submissions, third-party reporter identity if used, root-cause analysis, and client-communication evidence where applicable.
Sources for this answer
Implementing Regulation (EU) 2025/302 on DORA incident reporting templates
Provides the standard forms, templates, and procedures for major ICT-related incident reports and significant cyber-threat notifications.
Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy
Specifies policy requirements for ICT services supporting critical or important functions, including governance, due diligence, monitoring, access, audit, and exit processes.
Recommended next step

Review ICT third-party risk evidence against DORA

Use this comparison to test whether existing outsourcing records cover DORA register data, contract clauses, subcontracting controls, exit plans, incident reporting, and management-body accountability.

Research workflow
Open Research Copilot for DORA

Ask source-linked questions about DORA ICT third-party risk, register templates, critical or important functions, contracts, subcontracting, and incident reporting.

Explore next step
Talk to Sorena
Talk through implementation

Review your DORA outsourcing remediation plan, evidence gaps, and source coverage with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Primary source for DORA ICT third-party risk, register, contract, exit, and reporting obligations.
"Managing of ICT third-party risk"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.