Effectively Implementing Third-Party Risk Management under DORA

25 March 2026

The Digital Operational Resilience Act (DORA) is now a reality for financial institutions and their service providers. In 2026, the focus will shift to the practical implementation of third-party risk management at financial institutions, as BaFin will conduct its first rigorous and data-driven review of information registers (German only) to assess the completeness, consistency, and auditability of the reported data.

Financial Institutions: From Scope to Robust Management

DORA significantly tightens the requirements for managing third-party risks. What matters is not just who provides a service, but what risk that service poses to the institution and how consistently that risk is managed.

Eva Willnecker, Managing Security Consultant at usd, has many years of project experience in third-party risk management and supported numerous institutions with implementation in 2025:

“Many companies first had to clarify: Who are our service providers, and which of them actually fall under DORA? This was not a simple process, but a multi-step one that began with the institution-specific identification of critical or important functions.”

An up-to-date and comprehensive register of service providers forms the basis of any DORA implementation. Financial institutions must continuously identify relevant service providers, consistently assess their criticality, and maintain this information in a structured manner within a register. As of January 17, 2025, financial firms are required to maintain an official information register and submit it regularly to the competent national supervisory authority. An updated version must be submitted to BaFin between March 9 and March 30, 2026.

Third-Party Risk Management Does Not End with the Submission of the Information Register

Submitting the information register does not mean the work is done. On the contrary, this marks the beginning of the phase in which institutions must demonstrate their third-party risk management in day-to-day operations. Regulators and auditors expect transparent processes, sound decisions, and consistent documentation. These requirements must be implemented consistently throughout the entire lifecycle of a service.

What matters now:

Drafting Clear and Robust Contracts

Contracts must clearly define which services are to be provided and what rights the institution requires, for example with regard to audits, access paths, subcontracting arrangements, or locations. Equally important are practical exit provisions that actually work in an emergency.

Managing Risks in Day-to-Day Operations

Third-party risks are constantly evolving. Financial institutions therefore need established processes to promptly capture new insights and feed them back into the risk management process. It is essential that assessments and decisions are properly documented and reflected in ongoing management activities.

Planning Risk-Based Audits

A risk-based audit design clearly defines when a self-assessment is sufficient to review a service provider and when more in-depth audits are required, for example through an on-site audit. It is crucial that both the rationale and the audit depth are aligned with the underlying risk. Where technically and organizationally feasible, institutions may also benefit from consolidating audits to reduce duplication of effort and ensure consistent usability of results.

Ensuring Reporting Channels and Documentation

Handling security incidents requires clear responsibilities, defined reporting channels, and robust documentation. Only when these processes function effectively in day-to-day operations can institutions meet their reporting obligations in a timely and complete manner.

Maintaining Proportionality, Especially for Smaller Providers

Since not every service provider has comprehensive compliance structures in place, a pragmatic, risk-based approach is required. This allows requirements to be implemented in a targeted way: for critical providers through focused supplier audits, and for others through compliance questionnaires or self-assessments.

Conclusion: Greater Resilience through Structure and Consistency

2026 marks the transition from "preparing for DORA" to "demonstrably living DORA". Third-party risk monitoring becomes a core operational activity. Maintaining clean registers, drafting clear contracts, and managing audits in a risk-oriented manner are essential. Institutions that consistently document decisions and can demonstrate effective day-to-day management are significantly better positioned for audits and supervisory reviews.


Would you like to further refine your third-party risk management under DORA, or do you have specific questions? Our experts can help you develop practical, risk-based approaches. Feel free to contact us.
