DORA requires a register of ICT third parties, how do I support that?
DORA obliges financial entities to maintain a live register of all ICT third-party providers, distinguishing critical from non-critical services. For SMB vendors that means tight data delivery to customers.
Try this first
- 1Per service deliver at minimum: your entity data (name, KvK, LEI if available), service description, data and staff location, sub-providers and concentration with other vendors.
- 2Mark whether your service is critical or important to the customer. The classification is theirs, but your input on outage impact helps.
- 3Align contracts to DORA requirements: incident notification windows, audit rights, exit plan, data portability, sub-outsourcing rules. Many financial customers send DORA addenda.
- 4Build a change process. Changing a sub-processor, hosting country or security baseline must reach the customer's register in time.
- 5Test a DORA incident scenario with a major customer once. It exposes where reporting and channels fall short.
When to bring us in
If your service is marked critical for multiple financial entities, you will not solve the extra expectations alone. Bring in a DORA specialist.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.