DORA third-party ICT risk — the documentation half, automated.
The EU Digital Operational Resilience Act requires continuous monitoring of ICT third-party providers. Thorgate captures their data processing agreements (DPAs), subprocessor lists, and security commitments daily — and flags when something material changes.
What DORA requires in third-party risk
DORA (Regulation (EU) 2022/2554) entered into force across EU financial entities in January 2025. Articles 28-30 cover the third-party ICT risk pillar:
- Article 28 — general principles: financial entities must manage ICT third-party risk as an integral component of their overall risk management framework.
- Article 29 — register of contractual arrangements: financial entities must maintain a register of all ICT third-party service contracts, with subcontractor visibility.
- Article 30 — key contractual provisions: ICT contracts must include specified terms covering monitoring, audit rights, exit strategies, and subprocessor management.
The continuous-monitoring expectation is what's new for many financial entities — DORA doesn't accept annual vendor review as sufficient evidence.
Where Thorgate fits
Thorgate addresses the documentation-evidence side of the DORA third-party risk pillar:
- Continuous document evidence per ICT third-party provider. Privacy policy, DPA, subprocessor list, security/trust page — fetched daily with full version history. The contemporaneous record DORA expects for ongoing monitoring.
- Subprocessor (subcontractor) visibility. Article 29 requires visibility into subcontractor chains; Article 30 requires contractual provisions for subcontracting. Thorgate's subprocessor monitoring is the operational layer that feeds your register.
- Change events with severity classification. When an ICT third-party changes a material term — retention, location, breach SLA, subprocessor — Thorgate produces a structured change event you can route to your ICT risk function.
- Audit-evidence exports. CSV per-vendor history and PDF audit reports formatted for DORA supervisory reviews.
What DORA still requires from you
Thorgate is not a DORA-readiness platform. It addresses one piece of one pillar. You still need: an ICT incident classification and reporting capability (Articles 17-23), a resilience testing programme (Articles 24-27), the actual Register of Contractual Arrangements with subprocessor depth (Article 29), and an ICT risk management framework (Article 6). Pair Thorgate with the broader stack that covers those.
Common DORA scenarios
- Subprocessor chain change in a tier-1 ICT vendor. Article 29 wants you to see down the subcontractor chain. Thorgate catches the published change daily.
- Material change to ICT third-party DPA. Article 30 requires specific contractual provisions; Thorgate flags when the vendor changes the language behind those provisions.
- Concentration-risk monitoring. Multiple ICT providers swapping to the same subprocessor (e.g., everyone moving to a single hyperscaler region) is visible across your vendor set.
- Pre-supervisory-review evidence pack. Export per-vendor audit PDFs for the period under review.
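The subprocessor change events and the cross-vendor concentration check described in the scenarios above, as an added Python example that is not Thorgate's code; the snapshot layout, the sample vendors and the severity scale are constructed assumptions for illustration.

```python
"""Subprocessor-change events and concentration check over daily snapshots.
Added example for this page, not Thorgate's code. The snapshot format is a
constructed assumption: {vendor: {"subprocessors": set, "retention_days": int}}.
"""
from collections import Counter

# Constructed sample: yesterday's and today's captured terms for three ICT vendors.
YESTERDAY = {
    "vendor-a": {"subprocessors": {"Hoster-1", "Mailer-X"}, "retention_days": 30},
    "vendor-b": {"subprocessors": {"Hoster-2"}, "retention_days": 90},
    "vendor-c": {"subprocessors": {"Hoster-3", "Mailer-X"}, "retention_days": 30},
}
TODAY = {
    "vendor-a": {"subprocessors": {"Hoster-1", "Mailer-X"}, "retention_days": 365},
    "vendor-b": {"subprocessors": {"Hoster-1"}, "retention_days": 90},
    "vendor-c": {"subprocessors": {"Hoster-1", "Mailer-X"}, "retention_days": 30},
}

def change_events(before, after):
    """Structured events per vendor. Illustrative severity scale: any
    subprocessor change or longer retention is 'high', shorter retention 'medium'."""
    events = []
    for vendor in sorted(set(before) | set(after)):
        old, new = before.get(vendor, {}), after.get(vendor, {})
        old_sp, new_sp = old.get("subprocessors", set()), new.get("subprocessors", set())
        for sp in sorted(new_sp - old_sp):
            events.append({"vendor": vendor, "field": "subprocessor", "change": f"added {sp}", "severity": "high"})
        for sp in sorted(old_sp - new_sp):
            events.append({"vendor": vendor, "field": "subprocessor", "change": f"removed {sp}", "severity": "high"})
        r_old, r_new = old.get("retention_days"), new.get("retention_days")
        if r_old != r_new:
            sev = "high" if (r_new or 0) > (r_old or 0) else "medium"
            events.append({"vendor": vendor, "field": "retention_days", "change": f"{r_old} -> {r_new}", "severity": sev})
    return events

def concentration(snapshot, threshold=2):
    """Subprocessors used by at least `threshold` vendors, mapped to those vendors."""
    counts = Counter(sp for v in snapshot.values() for sp in v["subprocessors"])
    return {sp: sorted(v for v, t in snapshot.items() if sp in t["subprocessors"])
            for sp, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for event in change_events(YESTERDAY, TODAY):
        print(event)
    print(concentration(TODAY))  # Hoster-1 now shared by all three vendors
```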
FAQ
Does Thorgate cover all of DORA?
No. DORA spans ICT incident reporting, digital operational resilience testing, ICT third-party risk, and information-sharing. Thorgate covers the documentation/monitoring half of the third-party risk pillar (Articles 28-30).
Is Thorgate registered as a DORA "critical ICT third-party provider"?
No. We're not in scope as a critical ICT TPP under DORA. The Anthropic / Jina subprocessors used by Thorgate are listed on our Security page for your own register.
Does DORA only apply to large banks?
No — DORA covers a wide set of EU financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers, and others), with proportionality for smaller entities.
Try it
14-day free trial, no credit card. Start a trial or read the full FAQ.