If you're in financial services compliance or risk management, you've likely noticed a trend: third-party risk management has moved from the back office to the boardroom, and regulators are making sure it stays there.
The regulator spotlight is on
As financial entities navigate the Digital Operational Resilience Act (DORA) implementation landscape, a clear message is emerging from national competent authorities across Europe: third-party risk management (TPRM) has become a top supervisory priority.

Thomas Murray experts have presented at multiple events alongside national competent authorities (the regulators), at which the regulators have explicitly highlighted ICT third-party risk as a supervisory priority for 2026. Regulators aren't just ticking compliance boxes; they're looking at how financial entities identify, assess, monitor, and manage risks from their ICT third parties and ensure the resilience of their operations.
The regulatory expectation is unambiguous: Financial entities must fundamentally strengthen their processes around third-party risk management, moving beyond traditional third-party management approaches to embrace comprehensive operational resilience frameworks.
The problem with ‘once-and-done’ assessments
Typically, third-party risk processes within financial entities have relied heavily on annual or biannual due diligence cycles. These exercises were usually based on self-attestations, point-in-time documentation reviews, and questionnaire responses. While valuable, this approach has a fundamental shortcoming: It only captures a snapshot in time, often long after a risk has materialised.
Think about what this means in practice. You assess a critical cloud provider in January and rate it low risk. Then, in March, it suffers a data breach. In June, it is acquired by a larger firm and, by September, key personnel have left and its security posture has deteriorated.
Yet the official risk assessment still shows ‘low risk’ from 10 months ago.
The case for continuous, dynamic monitoring
A pivot to continuous monitoring leverages multiple data sources to maintain real-time visibility into third-party risk postures:
- Cyber threat intelligence integration: By incorporating external threat intelligence feeds, financial entities can immediately identify when a critical service provider appears in data breach databases, when vulnerabilities are discovered in their technology stack, or when they become targets of threat actor campaigns. This intelligence provides early warning signals that static assessments would miss entirely.
- Security posture monitoring: Continuous external scanning can track configuration changes such as exposed databases, certificate expirations, vulnerable services, or compromised credentials appearing on the dark web. These indicators provide objective, real-time data on a third party's cyber hygiene.
- Automated alert mechanisms: Rather than waiting for scheduled reviews, automated alerting can immediately flag significant changes in risk profile, allowing risk teams to take proactive action before incidents occur.
This shift from periodic assessment to continuous monitoring aligns with DORA's emphasis on operational resilience: the ability to prevent, respond to, recover from, and learn from ICT disruptions on an ongoing basis.
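To make the contrast concrete, here is an added example (not code from the original article or from Thomas Murray) that replays the January-to-September timeline above as monitoring signals. The signal weights and tier thresholds are constructed, hypothetical values; the point is that the point-in-time rating stays "low" while continuous re-scoring moves the tier and raises an alert only when it changes.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed, hypothetical weights for the signal kinds the article names
# (threat-intel hits, posture findings, ownership and staffing changes).
SIGNAL_WEIGHTS = {
    "breach_database_hit": 40, "critical_vuln_in_stack": 25, "exposed_database": 30,
    "certificate_expired": 15, "credentials_on_dark_web": 35,
    "acquired": 10, "key_personnel_left": 10,
}
# Cumulative score at which each tier is reached (constructed thresholds).
TIERS = [(0, "low"), (30, "medium"), (60, "high"), (90, "critical")]

@dataclass
class ProviderRisk:
    name: str
    score: int = 0                 # January assessment found nothing adverse
    tier: str = "low"
    alerts: list = field(default_factory=list)

def tier_for(score: int) -> str:
    """Highest tier whose threshold the cumulative score has reached."""
    tier = "low"
    for threshold, name in TIERS:
        if score >= threshold:
            tier = name
    return tier

def ingest(p: ProviderRisk, observed: date, kind: str, detail: str) -> ProviderRisk:
    """Re-score on one signal; alert only when the tier actually moves."""
    p.score += SIGNAL_WEIGHTS.get(kind, 5)   # unknown signal kinds still count a little
    new_tier = tier_for(p.score)
    if new_tier != p.tier:
        p.alerts.append(f"{observed}: {p.name} {p.tier} -> {new_tier} via {kind} ({detail})")
        p.tier = new_tier
    return p

def run_scenario():
    """Replay the article's timeline; return (static_tier, continuous_tier, alerts)."""
    p = ProviderRisk("cloud-provider-A")
    static_tier = p.tier           # what the January report still says in October
    timeline = [                   # constructed signals, deliberately out of order
        (date(2025, 9, 15), "key_personnel_left", "security lead departed"),
        (date(2025, 3, 12), "breach_database_hit", "listed in a breach feed"),
        (date(2025, 6, 3), "acquired", "acquired by a larger firm"),
        (date(2025, 9, 20), "certificate_expired", "public API TLS certificate"),
    ]
    for observed, kind, detail in sorted(timeline):
        ingest(p, observed, kind, detail)
    return static_tier, p.tier, p.alerts
```

Signals are sorted by observation date before scoring, so feeds that arrive late or out of order do not reorder the alert history.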
A critical milestone: Preparing for the 2026 Register of Information
One of the most operationally significant requirements of DORA is the Register of Information (RoI), which financial entities must submit in Q1 2026.
The 2025 submission represented financial entities' first attempt at comprehensive documentation of their ICT third-party landscape. The 2026 submission presents both a challenge and an opportunity.
Financial entities must now establish robust processes to:
- Review previous submissions: Systematically analyse the 2025 Register of Information to identify gaps, inconsistencies, or areas requiring clarification, based on initial regulatory feedback.
- Identify additions and changes: Track all new ICT service provider relationships established during 2025, modifications to existing contracts, terminated services, and any changes in criticality classifications.
- Refine categorisations: Reassess which arrangements support critical or important functions (CIFs), capture any changes to those functions, apply lessons learned from the first submission cycle, and ensure alignment with supervisory expectations that have evolved throughout 2025.
- Ensure data quality standards: Meet the stringent data quality requirements mandated by regulators, including accuracy, completeness, consistency, and timeliness of information.
The challenge many entities face is that their current systems and processes weren't designed for this level of granular, dynamic tracking. Spreadsheets and manual processes that may have sufficed for the initial submission will not scale for ongoing maintenance and annual updates.
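The four review steps above are a year-on-year comparison, and the part a spreadsheet handles worst is doing it consistently across every arrangement. Here is an added example (not code from the original article or from Thomas Murray) that diffs two register snapshots keyed by arrangement reference; the field names and both snapshots are constructed and are not the official RoI template columns.

```python
# Field names are illustrative, not the official RoI template columns.
REQUIRED = ("provider", "service", "supports_cif", "start_date")

def diff_register(previous: dict, current: dict) -> dict:
    """Compare two register snapshots keyed by arrangement reference.

    Returns added, terminated and modified arrangements, those whose
    critical-or-important-function flag changed, and data-quality gaps
    (required fields empty) in the current snapshot."""
    report = {"added": [], "terminated": [], "modified": [],
              "cif_changed": [], "quality_gaps": []}
    for ref in sorted(set(previous) | set(current)):
        old, new = previous.get(ref), current.get(ref)
        if old is None:
            report["added"].append(ref)
        elif new is None:
            report["terminated"].append(ref)
        else:
            if old.get("supports_cif") != new.get("supports_cif"):
                report["cif_changed"].append((ref, old.get("supports_cif"), new.get("supports_cif")))
            changed = sorted(k for k in set(old) | set(new)
                             if k != "supports_cif" and old.get(k) != new.get(k))
            if changed:
                report["modified"].append((ref, changed))
        if new is not None:   # quality checks apply to what will be submitted
            missing = [k for k in REQUIRED if new.get(k) in (None, "")]
            if missing:
                report["quality_gaps"].append((ref, missing))
    return report

# Constructed snapshots: the 2025 submission and the draft 2026 update.
REGISTER_2025 = {
    "ARR-001": {"provider": "CloudCo", "service": "IaaS hosting", "supports_cif": True, "start_date": "2022-01-15"},
    "ARR-002": {"provider": "PayGateway", "service": "payment processing", "supports_cif": True, "start_date": "2021-06-01"},
    "ARR-003": {"provider": "HRSoft", "service": "payroll SaaS", "supports_cif": False, "start_date": "2023-03-10"},
}
REGISTER_2026 = {
    "ARR-001": {"provider": "BigCloud (acquired CloudCo)", "service": "IaaS hosting", "supports_cif": True, "start_date": "2022-01-15"},
    "ARR-003": {"provider": "HRSoft", "service": "payroll SaaS", "supports_cif": True, "start_date": "2023-03-10"},
    "ARR-004": {"provider": "ThreatFeed Ltd", "service": "threat intelligence", "supports_cif": False, "start_date": ""},
}
```

Each entry in the returned report is a candidate line for the audit trail: what changed, when it was detected, and which records still fail the completeness check before submission.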
Building for continuous third-party risk management and compliance
The intersection of continuous monitoring requirements and annual reporting obligations demands a more sophisticated approach:
- A centralised TPRM platform as a single source of truth.
- Automated data collection workflows that run throughout the year.
- Direct integration with threat intelligence sources.
- Change management processes that capture updates in real time.
- Complete audit trails for regulatory examinations.
Conclusion
The convergence of explicit regulatory prioritisation of ICT third-party risk, the need for continuous monitoring and proactive risk management, and the deadline for Register of Information submissions, creates a compelling case for transformation.
Entities making this transition now aren't just ticking compliance boxes; they're building proactive, risk-based operational resilience. They're getting early threat warnings, reducing exposure, and building stronger relationships with the technology partners their operations depend on.
Thomas Murray's DORA managed services offer enhanced digital operational resilience
We deliver expert-led solutions and comprehensive support for financial institutions navigating DORA compliance.