---
title: "DORA vs EBA outsourcing guidelines: ICT third-party risk comparison"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-eba-outsourcing-guidelines"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-eba-outsourcing-guidelines"
author: "Sorena AI"
description: "Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "DORA"
  - "EBA outsourcing guidelines"
  - "ICT third-party risk"
  - "register of information"
  - "critical or important functions"
  - "ICT contracts"
  - "subcontracting"
  - "exit strategies"
  - "outsourcing"
---

# DORA vs EBA outsourcing guidelines: ICT third-party risk comparison

Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.

*Comparison Guide* | *EU financial sector*

## DORA vs EBA outsourcing guidelines

Use this comparison to separate binding DORA ICT third-party risk obligations from the older outsourcing-governance baseline that DORA and the register ITS reference.

Focus the gap review on ICT services, critical or important functions, register data, contract clauses, subcontracting chains, exit evidence, incident reporting, and board-level accountability.

DORA does not merely rename outsourcing governance. It creates directly applicable EU obligations for digital operational resilience and ICT third-party risk in the financial sector. The EBA outsourcing guidelines remain useful as a legacy supervisory baseline for outsourcing records and governance, but DORA adds a broader ICT-service lens, harmonised register templates, mandatory contract content, incident-reporting machinery, and a dedicated oversight framework for critical ICT third-party providers.

## DORA vs EBA outsourcing guidelines: practical compliance differences

Use these rows to decide what can be reused from an EBA-style outsourcing programme and what must be upgraded for DORA ICT third-party risk.

- **DORA**: A directly applicable EU digital operational resilience regulation for financial entities, with binding ICT risk, ICT third-party risk, register, contract, reporting, testing, and oversight obligations.
- **EBA outsourcing guidelines**: A pre-DORA outsourcing-governance baseline referenced by DORA and the register ITS; useful for existing outsourcing evidence, but not a substitute for DORA-specific ICT-service obligations.

| Dimension | DORA | EBA outsourcing guidelines | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | DORA follows ICT services, ICT systems, ICT third-party providers, subcontractors, and ICT services supporting critical or important functions. | The EBA outsourcing baseline is tied to outsourcing arrangements; DORA treats outsourcing as one way ICT third-party risk can arise, not the full boundary. | Review cloud, SaaS, data, security, resilience, and support services even when procurement did not label the arrangement as outsourcing. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - DORA definition confirms outsourcing arrangements are included within ICT third-party risk.<br>[Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports assessing ICT services supporting critical or important functions by service, location, data, concentration, and transferability factors. |
| Covered actors | DORA is a binding EU Regulation for digital operational resilience in the financial sector. | The EBA outsourcing guidelines are supervisory guidance for outsourcing governance under sector-specific financial-services legislation, as reflected in DORA's references to earlier outsourcing efforts and ESA guidelines. | Do not close a DORA gap by pointing only to guideline compliance. Show the DORA article, RTS, ITS, register field, contract clause, or incident-reporting artifact that now applies. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - DORA recital source identifying the earlier EBA outsourcing guidelines as an effort to address outsourcing before DORA.<br>[Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Shows how DORA standardises register data beyond earlier outsourcing-register practice. |
| Trigger | DORA defines a critical or important function by material impairment to financial performance, service continuity, soundness, or ongoing compliance if disrupted or defective. | Legacy outsourcing evidence may include criticality classifications, but it must be retested against DORA's ICT-service and function definition. | Attach the critical-or-important-function rationale to each contract, register row, subcontracting decision, exit plan, and incident-impact assessment. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Defines critical or important functions for DORA scoping.<br>[Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Shows register data must distinguish functions and ICT services for monitoring.<br>[Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires a methodology for determining which ICT services support critical or important functions. |
| Core obligations | DORA requires a register of information for contractual arrangements on ICT services, maintained at entity and where relevant sub-consolidated and consolidated levels. | The register ITS says earlier ESA outsourcing guidelines expected some financial entities to record specific outsourcing information, sometimes in registers. | Use the outsourcing inventory as a starting dataset, then reconcile it to DORA templates, identifiers, ICT-service categories, supported functions, and subcontractor records. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Requires the register of information and competent-authority access to it.<br>[Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Identifies the relational keys used to link register data. |
| Evidence record | DORA evidence includes ICT risk framework records, critical-function assessments, register rows, due diligence, contract clauses, subcontractor-chain assessments, access and audit records, exit tests, incident reports, and management-body reviews. | EBA-style outsourcing evidence remains useful where it proves governance, criticality, due diligence, register discipline, and contract oversight, but it must be labelled against the DORA requirement it supports. | Tag each evidence item by obligation: DORA register, DORA Article 30 contract, subcontracting RTS, incident reporting ITS, or legacy outsourcing governance. | [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports evidence for governance, due diligence, monitoring, independent review, audit plan inclusion, and management-body reporting.<br>[Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Supports reuse of earlier outsourcing-register information where it can be reconciled to DORA register templates.<br>[Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Makes the financial entity responsible for DORA compliance even when ICT services or reporting tasks are outsourced. |
| Timing and deadlines | DORA creates a major ICT-related incident reporting process with initial notification, intermediate report, final report, standard templates, secure channels, and voluntary notification of significant cyber threats. | The outsourcing baseline is not a substitute for DORA incident reporting, even where a third party performs reporting activity on the financial entity's behalf. | Keep outsourcing incident-notification clauses, but operate DORA classification, authority reporting, template, and client-communication processes separately. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Requires reporting of major ICT-related incidents and permits voluntary notification of significant cyber threats.<br>[Implementing Regulation (EU) 2025/302 on DORA incident reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Specifies template stages and secure electronic channels for DORA reporting. |
| Enforcement | DORA gives competent authorities register access and creates an oversight framework for critical ICT third-party providers, including possible supervisory follow-up where risks are not addressed. | EBA outsourcing guidelines support supervisory review of outsourcing governance, but DORA adds specific ICT third-party oversight and harmonised supervisory data. | Escalate unresolved DORA gaps through management-body reporting, competent-authority readiness, contract remediation, and provider-risk governance rather than treating them as procurement exceptions. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Explains that earlier outsourcing efforts did not fully address systemic ICT third-party concentration risk.<br>[Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires management-body policy review and reporting lines for ICT third-party contract governance. |
| Overlap and reuse | DORA requires written contracts for ICT services and minimum provisions covering service description, locations, data protection, access and return of data, service levels, incident assistance, cooperation with authorities, termination, and training participation. | An EBA-style outsourcing contract may contain useful governance clauses, but it is not enough unless it also covers DORA's ICT-service clause set. | Perform clause-by-clause remediation against DORA Article 30 and the ICT third-party contract-policy RTS. | [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Adds enhanced contract requirements for ICT services supporting critical or important functions.<br>[Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires the policy to cover contractual clauses, mutual obligations, access to information, inspection, exit, and termination processes. |
| Practical decision rule | DORA requires financial entities to assess risks from subcontracting ICT services supporting critical or important functions, including chain complexity, location, data, concentration, monitoring, access, and termination triggers. | A legacy outsourcing file may identify subcontracting permission, but DORA requires operational visibility into ICT subcontractors that underpin critical or important functions. | Require advance notice of material subcontracting changes, a right to approve or object, and termination rights where unapproved or impermissible subcontracting occurs. | [Delegated Regulation (EU) 2025/532 on ICT subcontracting](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Supports approval, objection, and termination mechanics for material subcontracting changes.<br>[Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Requires recording subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them. |

Sources for Scope boundary - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Defines ICT services, ICT third-party risk, and critical or important functions.
  - Quote: "ICT third-party risk"

Sources for Scope boundary - EBA outsourcing guidelines:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - DORA definition confirms outsourcing arrangements are included within ICT third-party risk.
  - Quote: "including through outsourcing arrangements"

Sources for Scope boundary - operational implication:

- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports assessing ICT services supporting critical or important functions by service, location, data, concentration, and transferability factors.
  - Quote: "type of ICT services"

Sources for Covered actors - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary binding source for DORA's digital operational resilience framework.
  - Quote: "digital operational resilience for the financial sector"

Sources for Covered actors - EBA outsourcing guidelines:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - DORA recital source identifying the earlier EBA outsourcing guidelines as an effort to address outsourcing before DORA.
  - Quote: "EBA Guidelines on outsourcing of 2019"

Sources for Covered actors - operational implication:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Shows how DORA standardises register data beyond earlier outsourcing-register practice.
  - Quote: "standard templates should be designed"

Sources for Trigger - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Defines critical or important functions for DORA scoping.
  - Quote: "critical or important function"

Sources for Trigger - EBA outsourcing guidelines:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Shows register data must distinguish functions and ICT services for monitoring.
  - Quote: "function identifier"

Sources for Trigger - operational implication:

- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires a methodology for determining which ICT services support critical or important functions.
  - Quote: "methodology for determining"

Sources for Core obligations - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Requires the register of information and competent-authority access to it.
  - Quote: "register of information"

Sources for Core obligations - EBA outsourcing guidelines:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Explains prior ESA outsourcing-register expectations and the DORA register-template design.
  - Quote: "outsourcing risk management"

Sources for Core obligations - operational implication:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Identifies the relational keys used to link register data.
  - Quote: "contractual arrangement reference numbers"

Sources for Evidence record - DORA:

- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports evidence for governance, due diligence, monitoring, independent review, audit plan inclusion, and management-body reporting.
  - Quote: "approval, management, control, and documentation"

Sources for Evidence record - EBA outsourcing guidelines:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Supports reuse of earlier outsourcing-register information where it can be reconciled to DORA register templates.
  - Quote: "data quality principles"

Sources for Evidence record - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Makes the financial entity responsible for DORA compliance even when ICT services or reporting tasks are outsourced.
  - Quote: "remain fully responsible"

Sources for Timing and deadlines - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Requires reporting of major ICT-related incidents and permits voluntary notification of significant cyber threats.
  - Quote: "Reporting of major ICT-related incidents"

Sources for Timing and deadlines - EBA outsourcing guidelines:

- [Implementing Regulation (EU) 2025/302 on DORA incident reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Explains third-party reporting and the standard DORA reporting template structure.
  - Quote: "outsourced their reporting obligation"

Sources for Timing and deadlines - operational implication:

- [Implementing Regulation (EU) 2025/302 on DORA incident reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Specifies template stages and secure electronic channels for DORA reporting.
  - Quote: "secure electronic channels"

Sources for Enforcement - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Sets competent-authority access to registers and oversight mechanisms for critical ICT third-party providers.
  - Quote: "critical ICT third-party service providers"

Sources for Enforcement - EBA outsourcing guidelines:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Explains that earlier outsourcing efforts did not fully address systemic ICT third-party concentration risk.
  - Quote: "not sufficiently addressed by Union law"

Sources for Enforcement - operational implication:

- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires management-body policy review and reporting lines for ICT third-party contract governance.
  - Quote: "reporting lines to the management body"

Sources for Overlap and reuse - DORA:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Sets the minimum contractual provisions for ICT service arrangements.
  - Quote: "Key contractual provisions"

Sources for Overlap and reuse - EBA outsourcing guidelines:

- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Requires the policy to cover contractual clauses, mutual obligations, access to information, inspection, exit, and termination processes.
  - Quote: "contractual clauses on mutual obligations"

Sources for Overlap and reuse - operational implication:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Adds enhanced contract requirements for ICT services supporting critical or important functions.
  - Quote: "supporting critical or important functions"

Sources for Practical decision rule - DORA:

- [Delegated Regulation (EU) 2025/532 on ICT subcontracting](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Specifies DORA assessments and contract conditions for subcontracting ICT services supporting critical or important functions.
  - Quote: "identify all subcontractors"

Sources for Practical decision rule - EBA outsourcing guidelines:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Requires recording subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them.
  - Quote: "long or complex chains of subcontracting"

Sources for Practical decision rule - operational implication:

- [Delegated Regulation (EU) 2025/532 on ICT subcontracting](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Supports approval, objection, and termination mechanics for material subcontracting changes.
  - Quote: "approve or object to the changes"

### How to decide what to remediate first

- First, identify every ICT service and whether it supports a critical or important function.
- Second, reconcile the outsourcing inventory to the DORA register of information templates.
- Third, remediate contracts for DORA Article 30 clauses, subcontracting controls, access and audit rights, incident assistance, and exit strategies.
- Fourth, keep incident reporting, subcontracting approvals, exit tests, and management-body reviews as separate DORA evidence even when the same provider is already in an outsourcing register.

Sources for the practical decision rule:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary source for DORA ICT third-party risk, register, contract, exit, and reporting obligations.
  - Quote: "Managing of ICT third-party risk"
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports prioritising governance, due diligence, monitoring, independent review, access, audit, exit, and termination controls.
  - Quote: "approval, management, control, and documentation"

## What changed from outsourcing governance to DORA ICT third-party risk

DORA defines ICT third-party risk as ICT risk arising from ICT services provided by third-party providers or their subcontractors, including through outsourcing arrangements. That definition is wider than a traditional outsourcing file because it follows ICT services, data, security, business continuity, incidents, and subcontracting chains.

DORA itself notes that earlier efforts such as the 2019 EBA outsourcing guidelines did not sufficiently address systemic risk from financial-sector exposure to a limited number of critical ICT third-party service providers. Treat the EBA outsourcing file as input evidence, then test whether DORA now requires additional register fields, clauses, reporting steps, or exit evidence.

- Start with the ICT service and supported function, not the procurement label.
- Classify whether the ICT service supports a critical or important function under DORA.
- Check whether the existing outsourcing register can populate the DORA register of information without losing DORA-required ICT-service, function, provider, and subcontractor data.
- Remediate contracts where legacy outsourcing clauses do not cover DORA access, audit, incident assistance, data-location, subcontracting, and exit requirements.

Sources for this section:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Defines ICT third-party risk, critical or important functions, and DORA's ICT third-party risk-management obligations.

## Register of information: reuse the outsourcing inventory carefully

DORA requires financial entities to maintain and update a register of information for all contractual arrangements on the use of ICT services provided by ICT third-party service providers, distinguishing arrangements that support critical or important functions from those that do not.

The register ITS explains the link to earlier outsourcing practice: some financial entities were already expected under ESA guidelines to record specific information on outsourcing arrangements, sometimes in register form. DORA turns that history into standardised templates designed for technology-neutral, relational reporting.

- Keep legacy outsourcing identifiers only if they can be reconciled to DORA contract, provider, function, and ICT-service identifiers.
- Record direct ICT third-party providers and relevant subcontractors that underpin ICT services supporting critical or important functions.
- Use the register to evidence supervision readiness: competent authorities can request the full register or specified sections.
- Do not treat a procurement vendor list as sufficient unless it identifies the ICT service, supported function, contract, provider, and criticality status.

Sources for this section:

- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Explains the DORA register template design and its relationship to earlier ESA outsourcing-register expectations.
- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Requires the register of information for contractual arrangements on ICT services provided by ICT third-party providers.

## Contract and subcontracting remediation priorities

For ICT services, DORA Article 30 sets minimum contractual content. For ICT services supporting critical or important functions, it adds stronger provisions such as full service-level descriptions, notice and reporting obligations, contingency-plan testing, cooperation with threat-led penetration testing (TLPT), unrestricted access, inspection and audit rights, and exit strategies.

DORA's subcontracting RTS goes further for ICT services supporting critical or important functions or material parts of them. Financial entities must be able to assess whether subcontracting is permitted, whether the provider can identify and notify relevant subcontractors, whether access and inspection rights flow through the chain, and whether material subcontracting changes can be approved, objected to, or used as a termination trigger.

- Map each legacy outsourcing clause to DORA Article 30 before relying on it.
- Add data-location, storage-location, incident-assistance, regulator-cooperation, and termination language where missing.
- For critical or important functions, require subcontractor-chain visibility and material-change notice before changes take effect.
- Preserve evidence that the financial entity, not the provider, made and approved the risk decision.

Sources for this section:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Sets DORA contract content, access and audit rights, termination rights, and exit requirements for ICT third-party arrangements.
- [Delegated Regulation (EU) 2025/532 on ICT subcontracting](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Specifies elements to assess when subcontracting ICT services supporting critical or important functions.

## Evidence that should survive supervisor review

A useful comparison file should show which evidence satisfies DORA and which evidence only shows legacy outsourcing governance. The same contract, risk assessment, or register row can be reused, but only if it contains the DORA-specific fields and approvals.

Incident reporting under DORA is a separate process from outsourcing governance. Major ICT-related incidents are reported to competent authorities using DORA's initial notification, intermediate report, and final report structure; outsourcing a reporting task to a third party does not remove the financial entity's responsibility for the report.

- Keep the critical-or-important-function assessment with the contract and register row.
- Retain due diligence showing provider suitability, information-security posture, resources, and concentration-risk assessment.
- Keep access, inspection, audit, service-level, contingency testing, subcontracting approval, and exit-plan evidence together.
- For incidents, keep classification records, reporting-template submissions, third-party reporter identity if used, root-cause analysis, and client-communication evidence where applicable.

Sources for this section:

- [Implementing Regulation (EU) 2025/302 on DORA incident reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Provides the standard forms, templates, and procedures for major ICT-related incident reports and significant cyber-threat notifications.
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Specifies policy requirements for ICT services supporting critical or important functions, including governance, due diligence, monitoring, access, audit, and exit processes.


## Primary sources

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary source for DORA ICT third-party risk, register, contract, exit, and reporting obligations.
  - Quote: "Managing of ICT third-party risk"
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Requires recording subcontractors that effectively underpin ICT services supporting critical or important functions or material parts of them.
  - Quote: "long or complex chains of subcontracting"
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports prioritising governance, due diligence, monitoring, independent review, access, audit, exit, and termination controls.
  - Quote: "approval, management, control, and documentation"
- [Delegated Regulation (EU) 2025/532 on ICT subcontracting](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Supports approval, objection, and termination mechanics for material subcontracting changes.
  - Quote: "approve or object to the changes"
- [Implementing Regulation (EU) 2025/302 on DORA incident reporting templates](https://eur-lex.europa.eu/eli/reg_impl/2025/302/oj/eng?ref=sorena.io) - Specifies template stages and secure electronic channels for DORA reporting.
  - Quote: "secure electronic channels"

## Related Topic Guides

- [DORA Critical or Important Functions: mapping ICT dependencies and evidence](/artifacts/eu/digital-operational-resilience-act/critical-and-important-functions.md): How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
- [DORA deadlines and compliance calendar for financial entities](/artifacts/eu/digital-operational-resilience-act/deadlines-and-compliance-calendar.md): Plan around the grounded DORA dates and recurring evidence: the 17 January 2025 application date, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
- [DORA ICT Third-Party Contract Remediation Workflow](/artifacts/eu/digital-operational-resilience-act/contract-remediation-workflow.md): A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
- [DORA ICT Third-Party Contracts FAQ](/artifacts/eu/digital-operational-resilience-act/faq/ict-third-party-contracts.md): What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
- [DORA ICT third-party risk and contract clauses guide](/artifacts/eu/digital-operational-resilience-act/third-party-risk-and-contract-clauses.md): Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
- [DORA incident classification forms: criteria, fields, and reporting clocks](/artifacts/eu/digital-operational-resilience-act/incident-classification-forms.md): Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
- [DORA incident clock workflow: classification, reports, deadlines, and evidence](/artifacts/eu/digital-operational-resilience-act/incident-clock-workflow.md): Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
- [DORA major ICT incident reporting: classification, reports, and timing](/artifacts/eu/digital-operational-resilience-act/major-incident-reporting.md): Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
- [DORA major ICT incident thresholds: what triggers reporting?](/artifacts/eu/digital-operational-resilience-act/faq/major-incident-thresholds.md): FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
- [DORA Register of Information FAQ: ICT Third-Party Arrangements](/artifacts/eu/digital-operational-resilience-act/faq/register-of-information.md): FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
- [DORA Register of Information Import and Build Workflow](/artifacts/eu/digital-operational-resilience-act/roi-import-and-build-workflow.md): Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
- [DORA Register of Information Template: ICT Provider Fields and Evidence](/artifacts/eu/digital-operational-resilience-act/dora-register-of-information-template.md): A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
- [DORA TLPT selection: who can be required to test?](/artifacts/eu/digital-operational-resilience-act/faq/tlpt-selection.md): FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
- [DORA vs ISO 22301: ICT resilience and business continuity compared](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-22301.md): Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
- [DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls](/artifacts/eu/digital-operational-resilience-act/dora-vs-iso-27001.md): Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
- [DORA vs NIS2: financial-sector obligations, overlap, and evidence](/artifacts/eu/digital-operational-resilience-act/dora-vs-nis2.md): Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
- [DORA vs PSD2 incident reporting: major ICT and payment incidents](/artifacts/eu/digital-operational-resilience-act/dora-vs-psd2-incident-reporting.md): Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
- [EU DORA Applicability Test for Financial Entities and ICT Providers](/artifacts/eu/digital-operational-resilience-act/applicability-test.md): A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
- [EU DORA Compliance Checklist for Financial Entities](/artifacts/eu/digital-operational-resilience-act/checklist.md): A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
- [EU DORA Compliance Obligations and Evidence Guide](/artifacts/eu/digital-operational-resilience-act/compliance.md): A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
- [EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence](/artifacts/eu/digital-operational-resilience-act/faq.md): Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
- [EU DORA ICT risk management control baseline](/artifacts/eu/digital-operational-resilience-act/ict-risk-management-control-baseline.md): A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
- [EU DORA ICT subcontracting chain controls for critical functions](/artifacts/eu/digital-operational-resilience-act/subcontracting-chain-controls.md): DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
- [EU DORA penalties and fines: enforcement powers and limits](/artifacts/eu/digital-operational-resilience-act/penalties-and-fines.md): Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
- [EU DORA Register of Information Data Model: templates, fields, and evidence](/artifacts/eu/digital-operational-resilience-act/register-of-information-data-model.md): Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
- [EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk](/artifacts/eu/digital-operational-resilience-act/requirements.md): A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
- [EU DORA Scope and Covered Entities: financial entities and ICT providers](/artifacts/eu/digital-operational-resilience-act/scope-and-covered-entities.md): Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
- [EU DORA Scope and Proportionality Workflow](/artifacts/eu/digital-operational-resilience-act/scope-and-proportionality-workflow.md): Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
- [EU DORA testing and TLPT readiness guide](/artifacts/eu/digital-operational-resilience-act/testing-and-tlpt-readiness.md): A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
- [EU DORA TLPT eligibility workflow for financial entities](/artifacts/eu/digital-operational-resilience-act/tlpt-eligibility-workflow.md): Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
- [EU DORA TLPT Runbook: scope, providers, reports, and remediation](/artifacts/eu/digital-operational-resilience-act/tlpt-runbook.md): Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
- [How does proportionality work under EU DORA?](/artifacts/eu/digital-operational-resilience-act/faq/proportionality.md): A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
- [How to build a DORA register of information](/artifacts/eu/digital-operational-resilience-act/register-of-information-how-to-build.md): Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.

---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/dora-vs-eba-outsourcing-guidelines
