01 Minimum fields per provider
Commission Delegated Regulation (EU) 2024/1773 (RTS on ICT third-party risk) specifies the minimum fields that must be documented for each listed ICT provider [1]. These are not optional; a register without them will be substantively challenged in a 2026 inspection.
The key mandatory fields are: provider LEI or unique identifier, described ICT service with the ESA taxonomy code, criticality assessment under Art. 30 DORA, substitutability within 30/60/90 days, contract start/end, data-processing location (country), data-storage location (country), sub-outsourcing chain with the respective providers, and applicable audit rights.
02 Criticality assessment and Art. 30
Art. 28 requires a criticality assessment per provider; Art. 30 defines when a provider is "critical or important" — when its failure would materially impact the financial performance, solvency or operation of the institution [2]. Critical providers carry additional requirements: documented exit strategy, BCM tests, contractual audit rights including supervisor on-site inspection.
03 The sub-outsourcing chain
The most frequent finding in 2026 inspections: the direct ICT vendor is in the register, but the sub-outsourcing chain behind it is missing. The supervisory expectation (EIOPA Supervisory Convergence 2025/2026) sets two thresholds: (a) any sub-provider processing personal data must be named; (b) any infrastructure provider whose outage would interrupt a critical function must be named [3].
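A register entry can be pre-checked against the minimum fields, the extra requirements for critical providers, and the two sub-outsourcing thresholds described above. The sketch below is an added example, not part of the regulation or the official submission template; all field names, the `discovered_subs` input (sub-providers found in contracts or vendor questionnaires) and the sample records are assumptions made for illustration.

```python
# Added example. Field names are hypothetical, not the official template columns.
MANDATORY = [
    "provider_id", "ict_service", "esa_taxonomy_code", "criticality",
    "substitutability_days", "contract_start", "contract_end",
    "processing_country", "storage_country", "sub_outsourcing", "audit_rights",
]
CRITICAL_EXTRAS = ["exit_strategy", "bcm_test", "supervisor_onsite_audit"]


def check_entry(entry, discovered_subs):
    """Return findings for one entry; discovered_subs come from outside the register."""
    findings = []
    for field in MANDATORY:
        if field not in entry or entry[field] in (None, ""):
            findings.append(f"missing field: {field}")
    # Assumption: substitutability is recorded as one of the 30/60/90-day bands.
    if entry.get("substitutability_days") not in (None, 30, 60, 90):
        findings.append("substitutability must be 30, 60 or 90 days")
    if entry.get("criticality") == "critical":
        for extra in CRITICAL_EXTRAS:
            if not entry.get(extra):
                findings.append(f"critical provider lacks: {extra}")
    named = {s["name"] for s in entry.get("sub_outsourcing") or []}
    for sub in discovered_subs:
        if sub["name"] in named:
            continue
        if sub["personal_data"]:  # threshold (a)
            findings.append(f"unnamed sub-provider with personal data: {sub['name']}")
        if sub["outage_hits_critical_function"]:  # threshold (b)
            findings.append(f"unnamed infrastructure sub-provider: {sub['name']}")
    return findings

# Constructed sample data, not a real provider or a real identifier.
ENTRY = {
    "provider_id": "EXAMPLE-LEI-0001", "ict_service": "policy administration SaaS",
    "esa_taxonomy_code": "PLACEHOLDER", "criticality": "critical",
    "substitutability_days": 90, "contract_start": "2024-01-01",
    "contract_end": "2027-12-31", "processing_country": "DE",
    "storage_country": "", "sub_outsourcing": [{"name": "HostCo"}],
    "audit_rights": "contractual", "exit_strategy": True, "bcm_test": False,
    "supervisor_onsite_audit": True,
}
DISCOVERED = [
    {"name": "HostCo", "personal_data": True, "outage_hits_critical_function": True},
    {"name": "MailRelay Ltd", "personal_data": True, "outage_hits_critical_function": False},
    {"name": "DNS-Edge", "personal_data": False, "outage_hits_critical_function": True},
]

if __name__ == "__main__":
    print("\n".join(check_entry(ENTRY, DISCOVERED)))
```

An empty `sub_outsourcing` list is accepted as "no sub-outsourcing", so gaps in the chain only surface when the register is compared against an independent inventory such as `discovered_subs`.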
04 Annual submission to the supervisor
The national competent authority (BaFin, AMF, EIOPA, depending on sector) requires the register submission once a year by 31 March. The submission template is harmonised in the ESA Joint-Committee decision; any deviation triggers automatic rejection. Sub-outsourcing updates within the year must be reported ad hoc when they touch critical functions [1].