Regulatory Compliance

DORA Financial Services Supply Chain Obligations in 2026

The Digital Operational Resilience Act has been in application since January 2025. The ICT third-party risk management obligations are the operational center of gravity in 2026.

Yukti Singhal
Compliance Lead

The Digital Operational Resilience Act has been directly applicable across the EU since January 17, 2025, and the supervisory framework operated by ESMA, EBA, and EIOPA is now producing the first substantive views of how the regulation is being implemented in practice. The ICT third-party risk management obligations in Chapter V are where most financial entities are spending operational attention in 2026, particularly the requirements around critical ICT third-party providers and the register of information. This post is a working summary for in-scope financial entities navigating the second year of DORA application.

The framing point worth restating: DORA is a regulation, not a directive, which means it applies directly across the EU with limited member state variation. The technical standards published by the European Supervisory Authorities provide the operational detail, and the supervisory practice is converging around them. The 2026 enforcement reality is meaningfully tighter than the early 2025 transition period.

What does the register of information actually require?

Article 28(3) requires financial entities to maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. The implementing technical standards specify 15 templates covering everything from the entity hierarchy and the contract terms to the substitutability of the provider and the functions supported. The register must be submitted to the competent authority annually and made available on request.

The register is harder than it first appears because the granularity expected is substantial. Each contractual arrangement is decomposed into the specific ICT services covered, the functions those services support, and the criticality of those functions to the financial entity's operations. A single large vendor relationship may produce dozens of register entries depending on the breadth of services. Financial entities that submitted minimal registers in the 2025 cycle have been receiving supervisory follow-up asking for the missing detail.

How does the critical ICT third-party provider regime work?

The Commission designates critical ICT third-party providers based on criteria in Article 31, considering systemic impact on financial entities, criticality of services provided, and substitutability. Designated providers fall under direct oversight by the lead overseer, with powers to request information, conduct investigations, and issue recommendations. The first designations occurred in late 2025, and the oversight engagement with designated providers began in 2026.

For financial entities, the practical implication is that the use of critical ICT third-party providers comes with specific contractual and operational expectations. Concentration risk in the use of a single critical provider must be assessed and documented. Exit strategies must be in place and tested. The financial entity remains responsible for the resilience of its outsourced functions even where the provider is under direct oversight, which means the entity's own due diligence and monitoring obligations are not reduced by the designation.

What do the contractual arrangements need to contain?

Article 30 specifies the minimum contractual terms for arrangements supporting critical or important functions, and the regulatory technical standard fills in the detail. The contract must include the complete description of services, locations where data is processed, service levels with quantitative and qualitative performance targets, incident reporting obligations, audit and access rights, exit strategies, and termination rights. For arrangements supporting non-critical functions, a reduced set of mandatory terms applies.

Renegotiating existing contracts to meet the DORA terms has been one of the largest operational programs in financial services across 2025 and 2026. The audit and access rights and the incident reporting obligations are the terms that providers have most often pushed back on, and the contractual negotiations have surfaced significant differences between what providers were willing to commit to and what DORA requires. Financial entities that did not start renegotiations in 2024 have generally been working through the backlog throughout 2025 and into 2026.

How does ICT incident reporting interact with the supply chain?

Article 19 requires reporting of major ICT-related incidents within tight timelines: an initial notification as soon as possible after classification as major, an intermediate report within 72 hours, and a final report within one month. The classification criteria in the regulatory technical standard cover impact on clients, geographic spread, duration, criticality, and data losses. Incidents originating in the ICT supply chain are explicitly in scope and are reported on the same timeline.

The operational reality is that supply chain incidents are often discovered later than direct incidents, and the 24-hour clock for initial notification starts on classification rather than occurrence. Financial entities have been investing in continuous monitoring of their critical ICT third-party providers and software supply chain to compress the discovery-to-classification interval. Real-time visibility into supplier security posture and dependency vulnerabilities is the practical control that supports the reporting obligation, and the entities that have invested in it are operating with substantially less reporting friction than those that have not.

How Safeguard Helps

Safeguard provides the visibility and evidence streams that DORA Chapter V expects. Continuous SBOM generation supports the register of information by giving financial entities a current view of the software components underlying their critical and important functions. Griffin AI's reachability analysis sharpens incident classification by identifying which dependency vulnerabilities actually affect production paths, which is the basis for the major incident determination under Article 19. Policy gates enforce supply chain controls at the CI stage with operating effectiveness evidence for supervisory review. TPRM scoring of ICT third-party providers and dependencies feeds the concentration risk assessment, and zero-CVE base images materially reduce the supply chain risk the resilience program has to manage day to day.
