DORA requires financial entities to govern ICT third-party risk. Suppliers therefore need consistent, current and shareable evidence that shows how the service is controlled.
ICT governance and accountability
Include policies, roles, metrics and escalation processes. The customer needs to understand who makes decisions, how changes are approved and how risks are monitored.
Incidents, continuity and testing
Prepare incident management procedures, sample notifications, continuity test results and improvement plans. Evidence should show both that the procedures are documented and that they have actually been executed.
Subcontractors and outsourcing chain
List critical subcontractors, data location, contractual controls and periodic review processes. For cloud or managed services, clarify shared responsibilities and SLAs.
Recommended pack structure
- Executive summary for procurement and risk owners.
- DORA control register with evidence mapping.
- Incident and business continuity reports.
- Critical subcontractor register.
- Open remediation items with status and target dates.