The Digital Operational Resilience Act (DORA) has applied to all financial companies in the EU since January 2025. Articles 28-44 regulate ICT third-party risk management, with far-reaching consequences for the entire financial sector.
What does DORA specifically require?
DORA Art. 28-44 requires financial companies to have in place: a complete register of all ICT third-party providers, risk-based contractual requirements, continuous monitoring of critical providers, exit strategies for critical ICT services, and reporting of ICT incidents involving third parties.
DORA distinguishes between regular and critical ICT third-party providers. Critical providers are subject to direct supervision by European financial supervisory authorities (ESAs).
Meeting DORA requirements with 360TPRM
360TPRM supports financial companies in implementing DORA requirements with an automatic ICT third-party register, continuous cyber intelligence monitoring, contractual minimum requirements as a checklist, incident tracking with third-party reference, and complete audit trail documentation.
All DORA-relevant activities are documented completely in 360TPRM and can be exported for supervisory authorities at any time.
DORA compliance with 360TPRM
See in a 45-minute demo how 360TPRM specifically meets your requirements.