Who is an ICT third-party service provider under DORA?

A company that provides a financial entity with digital and data services through ICT systems on an ongoing basis: hosting and cloud, software vendors, market-data providers, managed services, and so on. ICT services provided by intra-group operators are also in scope.

Home › Register of Information › ICT third-party providers

DORA · ICT providers

ICT third-party providers: who to declare

Q: Do I declare all providers or only the critical ones?

All of them. The register lists every arrangement with an ICT third-party service provider, whether or not it supports a critical or important function. Criticality drives the level of assessment, not inclusion.

Q: Do I have to declare a provider's subcontractors?

The ICT service supply chain must be recorded in template B_05.02, which links each provider to its relevant subcontractors. A provider often relies on others, which must be mapped.

The question everyone hesitates on when filling in the register: who counts as an ICT provider, do you declare all of them, and how far up the subcontracting chain do you go? Answers.

In short — In the DORA register you must declare all arrangements with ICT third-party service providers — not only those tied to a critical function. Each provider is identified by a valid LEI (template B_05.01) and its subcontracting chain is mapped in B_05.02.

On this page

Who is in scope
Declare all, not just critical
Subcontracting
The provider's LEI
Where to declare them
FAQ

Who is an ICT third-party service provider

A company that provides, on an ongoing basis, digital and data services through ICT systems. In practice: hosting and cloud, software vendors (PMS/OMS, core banking, business tools), market-data providers, managed services, cybersecurity, connectivity… ICT services provided by an intra-group operator are also in scope.

Declare all of them — not just the critical ones

This is the most common scoping mistake. The register lists every arrangement with an ICT third-party service provider, whether or not it supports a critical or important function.

Criticality decides the level of requirements, not whether the provider appears in the register.

In other words: a small, non-critical SaaS still gets its own line. What changes for a critical service is the additional assessment (template B_07.01).

How far to go: the supply chain

A provider almost always relies on others (a vendor hosted on a cloud, itself relying on a datacentre…). DORA requires mapping this ICT supply chain in template B_05.02: it links each provider to its relevant subcontractors. It's often the most laborious part — and the most often forgotten.

The LEI: friction point #1

Each provider must be identified by a valid LEI (or an admitted identification code where applicable), active in the GLEIF database. A missing, lapsed or mistyped LEI is a classic rejection cause. Plan ahead: some foreign providers or small vendors don't have a LEI readily available.

Where to declare them in the register

B_05.01 — identification and details of each provider (including the LEI);
B_05.02 — the subcontracting chain;
B_02.02 — the link between the arrangement, the provider and the function supported;
B_03.02 — the providers that are signatories to the arrangements.

Overview: the 15 templates of the register · full method: how to fill in your register.

Check your providers before you submit

DoraReady checks LEI validity, the consistency between providers, arrangements and the supply chain, among the EBA's 116 validation rules, and generates the xBRL-CSV package. Everything runs in your browser: your list of providers never leaves your machine.

Run the free diagnostic

Frequently asked questions

Do I declare all providers?

Yes: every arrangement with an ICT third-party provider, critical or not. Criticality drives the assessment (B_07.01), not inclusion.

And the subcontractors?

The supply chain is recorded in B_05.02, which links each provider to its relevant subcontractors.

A provider without a LEI — what do I do?

A valid LEI is expected to identify providers; plan for the cases without one (foreign providers, small vendors) since a missing or lapsed LEI is a common rejection cause.

Does DoraReady guarantee acceptance?

No. It reduces the risk of technical rejection by checking the file before submission; it does not replace the regulator's review and does not guarantee acceptance.

← The complete DORA register guide · Lire en français →