Written by: Jakub Pietroszek, Partnership Manager, Digital Colliers
DORA has been in force since 17 January 2025. That's not a soft date. Your national competent authority can already ask for your ICT third-party register, and they're starting to. The uncomfortable thing most mid-market banks are finding out right now is that the register isn't a document. It's a live feed. And nobody in the building has been treating it that way.
If you're in a bank's compliance, procurement, or IT seat and you clicked through from the LinkedIn post, this is the longer version.
What DORA actually asks you to prove
Strip the regulation down and there are really four things you have to show:
- A complete register of every ICT third-party service supporting a critical or important function.
- Contractual terms that meet the Article 30 requirements, including exit, audit rights, sub-outsourcing, and incident cooperation.
- An incident classification and reporting process that can move within the required windows.
- Threat-led penetration testing for the entities in scope, and evidence you're acting on the findings.
Item one sounds like paperwork. It isn't. The register has to cover direct providers, sub-outsourcers, the function they support, the data categories involved, the country the processing happens in, and the criticality tier. Most mid-market banks I talk to can produce three of those columns cleanly. The fourth, usually sub-outsourcers or actual data-processing location, is where they stall.
Why the register is really a live feed
A vendor register you update once a year is not a DORA register. It's a snapshot. DORA assumes the truth changes constantly, because it does. Your SaaS core banking provider signs a new sub-processor. Your fraud analytics vendor moves a workload from Frankfurt to Dublin. Your KYC vendor gets acquired. Each of those is a register event, not an annual review event.
The operators handling this well have wired the register into the systems that already know when things change. Contract management for new signatures. The CMDB for what's actually running. The IAM system for who has access to what. When you rely on a quarterly email to procurement asking "anything new?", you're going to fail the auditor question that starts with "show me the delta since".
Who owns which piece
DORA cuts across three functions that don't usually share a spreadsheet. That's the root cause of most of the pain.
- Legal owns the contract clauses and the exit terms. They know which vendors have the Article 30 language and which don't.
- Procurement owns the vendor list, the tiering, and the renewal calendar. They know who's paid and how much.
- IT and security own what's actually running, what data flows where, and the patch state. They know that only about 3 to 5% of disclosed vulnerabilities get patched within 30 days across the industry, and they can tell you honestly whether their vendors do better.
None of those three owns the register end to end. The banks that will pass the first serious DORA review have named a single accountable owner and given them read access into all three systems. The ones that haven't are still running a working group.
The auditor questions that cut across all of it
Here's the shape of what a supervisor will actually ask. Not the regulation text, the questions.
- Show me every critical function and the ICT providers supporting it. Now show me the sub-providers.
- For vendor X, when did the contract last change, and does it include the DORA clauses?
- For incident Y from last quarter, walk me through the classification decision and the reporting timeline.
- Show me a vendor you exited in the last twelve months and prove the data was returned or destroyed.
- Which of your critical vendors have you tested in the last year, and what did you do with the findings?
Every one of those questions crosses at least two of legal, procurement, and IT. If your answer involves three people getting on a call to reconcile spreadsheets, you already know the finding.
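As an added illustration (not from the post or from Digital Colliers), the following Python sketch shows what "the register as a live feed" and the auditor questions above look like when the register is an event log rather than a spreadsheet. It models the register columns the post names (provider, sub-outsourcers, function supported, data categories, processing country, criticality tier, plus whether the Article 30 clauses are present), the three change types the post cites (new sub-processor, workload location change, acquisition) as events reported by an upstream system, and then answers two of the supervisor's questions directly from that data: "show me the delta since <date>" and "critical function, its providers, then the sub-providers". The vendor names, dates, event kinds, source-system labels and the Article 30 flag are constructed assumptions for the example.

```python
"""Event-driven ICT third-party register (illustrative, constructed data)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RegisterEntry:
    provider: str
    function: str                      # critical or important function supported
    criticality: str                   # tier label, e.g. "critical" or "important"
    data_categories: tuple             # e.g. ("customer PII", "transactions")
    processing_country: Optional[str]  # None = not established yet (a gap)
    sub_outsourcers: Optional[tuple]   # None = unknown; () = confirmed none
    article30_clauses: Optional[bool]  # None = legal has not confirmed either way


@dataclass(frozen=True)
class RegisterEvent:
    occurred: date
    provider: str
    kind: str     # new_sub_processor | location_change | contract_update | acquisition
    detail: str
    source: str   # upstream system that reported it: contract_mgmt | cmdb | iam (assumed labels)


class Register:
    """Current state plus an append-only event log; every change is an event."""

    def __init__(self, entries):
        self.entries = {e.provider: e for e in entries}
        self.events = []

    def apply(self, ev):
        cur = self.entries[ev.provider]
        if ev.kind == "new_sub_processor":
            known = cur.sub_outsourcers or ()
            new = replace(cur, sub_outsourcers=known + (ev.detail,))
        elif ev.kind == "location_change":
            new = replace(cur, processing_country=ev.detail)
        elif ev.kind == "contract_update":
            new = replace(cur, article30_clauses=(ev.detail == "article30:yes"))
        elif ev.kind == "acquisition":
            new = cur  # state unchanged; the logged event itself is what the auditor wants
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        self.entries[ev.provider] = new
        self.events.append(ev)

    def delta_since(self, since):
        """Answers 'show me the delta since <date>' from the log, not from memory."""
        return [ev for ev in self.events if ev.occurred >= since]

    def providers_for(self, function):
        """Critical function -> providers -> sub-providers, in one answer."""
        return {e.provider: e.sub_outsourcers or ()
                for e in self.entries.values() if e.function == function}

    def completeness_gaps(self):
        """The columns the post says banks usually cannot fill cleanly."""
        gaps = []
        for e in self.entries.values():
            if e.processing_country is None:
                gaps.append((e.provider, "processing_country"))
            if e.sub_outsourcers is None:
                gaps.append((e.provider, "sub_outsourcers"))
            if e.article30_clauses is None:
                gaps.append((e.provider, "article30_clauses"))
        return gaps


def build_sample_register():
    """Constructed sample data; every vendor, date and country here is made up."""
    reg = Register([
        RegisterEntry("CoreBank SaaS", "payments", "critical",
                      ("customer PII", "transactions"), "DE", (), True),
        RegisterEntry("FraudAnalytics Ltd", "payments", "critical",
                      ("transactions",), "DE", None, None),
        RegisterEntry("KYC Check Co", "onboarding", "important",
                      ("customer PII",), None, ("DocScan GmbH",), True),
    ])
    # The three register events the post describes, each fed by a system that already knows.
    reg.apply(RegisterEvent(date(2025, 2, 3), "CoreBank SaaS", "new_sub_processor",
                            "CloudHost EU", "contract_mgmt"))
    reg.apply(RegisterEvent(date(2025, 3, 14), "FraudAnalytics Ltd", "location_change",
                            "IE", "cmdb"))
    reg.apply(RegisterEvent(date(2025, 4, 1), "KYC Check Co", "acquisition",
                            "acquired by BigVerify Inc", "contract_mgmt"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for ev in reg.delta_since(date(2025, 3, 1)):
        print(ev.occurred, ev.provider, ev.kind, ev.detail, f"[{ev.source}]")
    print(reg.providers_for("payments"))
    print(reg.completeness_gaps())
```

The design point is the separation of current state from the event log: the state answers "who supports this function and through whom", the log answers "what changed since", and the gap report answers "which columns can we not yet stand behind". A once-a-year spreadsheet only ever holds the first of those.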
Where to actually start
If you're behind, don't start with the register template. Start with one critical function, pick the top five vendors supporting it, and try to answer the five auditor questions above for just those five. You'll find your gaps in a week. Then decide whether the fix is process, tooling, or a real owner. Usually it's all three, in that order.

