DORA Managing ICT Third-Party Risk Under DORA: Practical Compliance for Financial Entities (SP0403)

A practical introduction to ICT third-party risk management under DORA, helping learners understand how financial entities should manage technology providers and outsourced ICT services in a compliant, resilient and well-documented way.

✔ Understand why ICT third-party risk is central to DORA compliance
✔ Identify ICT third-party service providers and relevant outsourced arrangements
✔ Learn key DORA expectations for contracts, monitoring and oversight
✔ Recognise the importance of concentration risk, exit planning and business continuity
✔ Understand how third-party risk connects to governance, ICT risk management and resilience

Participation Fee
€ 70 (excl. VAT)
Self Paced
2 CPD Credits
Language(s)
English

“Under DORA, outsourcing may transfer the service — but never the accountability. Financial entities must know their providers, control their risks and evidence oversight at every stage.”

About the DORA Managing ICT Third-Party Risk Under DORA Self-Paced Course

Managing ICT Third-Party Risk Under DORA: Practical Compliance for Financial Entities is a practical, self-paced course designed to help financial services, compliance, risk, ICT, procurement, legal, and governance professionals understand how DORA regulates ICT third-party risk.

As the third course in our six-part DORA compliance training series, this module builds on the foundations of DORA scope, governance, and ICT risk management by focusing on third-party technology providers, outsourced ICT services, contractual requirements, monitoring obligations, concentration risk, and exit planning. Learners will understand how financial entities can identify, assess, manage, and evidence ICT third-party risk under DORA.

The DORA Compliance Pathway

This course is the external perimeter of the SP04 series. We recommend completing the full cluster for an audit-ready compliance profile:

This course matters because financial entities increasingly depend on cloud providers, software vendors, data processors, platforms, and other ICT service providers. Under DORA, third-party ICT risk is not only a procurement or vendor management issue; it is a core compliance, governance, and operational resilience responsibility requiring clear oversight, documentation, and ongoing monitoring.

Who Should Attend

This DORA ICT third-party risk course is designed for professionals involved in selecting, managing, reviewing, monitoring or evidencing ICT service provider arrangements within financial entities.

It is particularly relevant for:

✔ Compliance officers and regulatory professionals

✔ ICT risk, cybersecurity and technology governance teams

✔ Procurement, outsourcing and vendor management professionals

✔ Legal and contract management teams

✔ Risk management and operational resilience teams

✔ Internal auditors and assurance professionals

✔ Senior managers and governance teams overseeing outsourced ICT services

✔ Financial entities reviewing cloud, software, data, platform or technology service arrangements

Designed as a Self-Paced Learning Experience

This is not a recorded webinar or a static PDF.
The course is built as an interactive Moodle and Articulate Rise 360 learning experience. You move through short lessons, plain-English explanations, financial services examples, scenario checks and knowledge questions at your own pace.

What makes the format useful
  • Start anytime: complete the course when it suits your schedule
  • Pause and resume: return to the module when needed
  • Practical examples: connect AI-tools to real case scenarios
  • Knowledge checks: confirm understanding as you progress
  • Consistent learning: useful for team-wide AI-tool awareness
  • Completion evidence: Moodle records participation and certificate release

Three Practical Features
  • ICT third-party risk explained clearly: understand how DORA applies to technology providers, outsourced ICT services and critical supplier relationships.
  • Contract and oversight requirements made practical: learn how contractual clauses, monitoring, documentation and reporting support DORA compliance.
  • Provider-focused scenarios: recognise when an ICT third-party arrangement creates operational resilience, concentration, continuity or exit-planning risks.

What You Will Be Able To Do

After completing this course, you will be able to:

  • Explain why ICT third-party risk management is a core part of DORA compliance
  • Identify ICT third-party service providers and relevant outsourcing arrangements
  • Understand key contractual and oversight expectations under DORA
  • Recognise the importance of due diligence, monitoring and performance management
  • Explain how concentration risk can affect digital operational resilience
  • Understand the role of exit strategies, business continuity and contingency planning
  • Recognise how ICT third-party risk connects to governance, incident management and resilience testing
  • Describe why DORA third-party risk management requires coordination across compliance, ICT, procurement, legal, risk and senior management

What Is Included
  • Interactive Articulate Rise 360 course module
  • DORA ICT third-party risk management explanations
  • Financial services and outsourcing examples
  • Scenario-based knowledge checks
  • Key third-party risk and outsourcing terminology explained in plain English
  • Practical guidance on contracts, monitoring, concentration risk and exit planning
  • Certificate of completion
  • Moodle completion tracking

To review full updates on policy frameworks or technical submission requirements, you can access the latest guidance through the European Insurance and Occupational Pensions Authority (EIOPA) DORA Hub as well as the specialized reporting guidelines published via the Commission de Surveillance du Secteur Financier (CSSF) ICT Cyber Risk Portal.

Course Curriculum

Lesson 1.1 | Understanding DORA and ICT Third-Party Risk

  • Why DORA brings ICT third-party providers into the resilience framework
  • Systemic risk created by outsourcing and cloud concentration
  • Financial entity responsibility for outsourced ICT services
  • Accountability, oversight and control expectations

Lesson 1.2 | Identifying Critical or Important Functions and Concentration Risk

  • Definition of critical or important functions under DORA
  • Why classification matters for compliance obligations
  • ICT concentration risk and dependency mapping
  • Impact of provider failure on continuity, soundness and regulatory compliance

Lesson 2.1 | Pre-Contractual Due Diligence and Risk Assessment

  • Required assessments before entering ICT provider contracts
  • Suitability and due diligence of prospective providers
  • Operational, legal, ICT, reputational and data-related risks
  • Geographic and jurisdictional considerations

Lesson 2.2 | DORA-Compliant Contracting and Subcontracting Requirements

  • Key DORA clauses for ICT third-party contracts
  • SLAs, cybersecurity protocols and business continuity expectations
  • Audit rights, step-in rights and in-sourcing rights
  • Subcontracting controls and material change management

Lesson 3.1 | Regulatory Oversight, Evidence and Ongoing Accountability

  • Designation of critical ICT third-party providers
  • ESA oversight and Lead Overseer powers
  • EU subsidiary requirement for certain third-country providers
  • Multi-vendor strategy and ongoing vendor oversight

Meet the Trainer

Xenia Neophytou Centre 8 Education Trainer
Xenia Neofytou

Founder, Managing Director

Fees & Registration Details

Enrollment Fee
€ 70 + VAT
Sign-up Duration
3 months