
The new DORA Oversight Guide for tech providers – What decision-makers need to know now
Executive summary
On July 15, 2025, the European supervisory authorities (EBA, ESMA, EIOPA; together the ESAs) published the Guide to monitoring critical ICT third-party service providers. The following article discusses what this implies for you and how you can turn it into a strategic competitive advantage.
Direct supervision is a reality
Since January 17, 2025, your critical cloud and SaaS providers (CTPPs = Critical Third-Party Providers) have been subject to direct, EU-wide supervision for the first time. The time of pure contract management is over; active control is required.
Concentration risk becomes a top priority
The new ESAs guidelines make management directly responsible for systemic risks caused by provider concentration (e.g. at AWS, Azure, Google). A lack of exit strategies is no longer an option.
Contracts under the microscope
In the future, the supervisory authority can recommend minimum clauses for your contracts and even restrict sub-outsourcing by your critical third-party providers. Existing contracts urgently need to be reviewed.
The End of the Black Box: Why This Guide Changes Everything
Digital transformation in the financial sector relies on a handful of global technology giants. Until now, these have largely operated outside the direct control of financial regulators. That is now fundamentally changing.
The joint DORA guidelines published today by the EU supervisory authorities (EBA, EIOPA, ESMA) are more than just another regulation. They are the blueprint for a new era of digital responsibility. They translate the abstract requirements of the Digital Operational Resilience Act (DORA) into concrete, verifiable measures.
This article goes beyond the legal details. We translate the requirements into strategic imperatives for the C-level and provide those responsible with an actionable roadmap. We will show you how you can turn a regulatory obligation into a measurable competitive advantage.
1. What the new guidelines really mean: A look behind the scenes of supervision
The guidelines establish a powerful, three-tier supervisory architecture. Think of it as a precision inspection machine that will look deep into the operations of your key technology partners.
The Strategists: The Oversight Forum
This is where the strategic course is set. It decides which providers are classified as “critical” based on a scoring model made up of 11 criteria such as system relevance and substitutability.
The controllers: The Joint Oversight Network (JON)
The JON coordinates ongoing monitoring and develops annual oversight plans for each critical provider (CTPP).
The examiners: The Joint Examination Teams (JETs)
These teams are the “boots on the ground”. Led by a Lead Overseer (LO), they carry out the actual audits - from analyzing documents to on-site inspections.
The crucial point for you
Regulators will ask not just what your provider does, but how it does it. The costs of this intensive supervision are charged directly to the providers through fees - and are ultimately passed through into your own costs.

2. The new obligations of providers – and what they mean for your contracts
The guideline forces the CTPPs to be radically transparent. These obligations have a direct impact on your contractual relationships and risk management.
Obligation to cooperate
Each CTPP must designate a central contact in the EU with budget and escalation powers. This is your direct leverage in case of problems.
Data delivery on demand
Providers must provide granular data - from the entire service chain to sub-service providers to incident logs and financial indicators.
Mandatory correction plans
If the supervisory authority identifies deficiencies, the provider must submit a binding plan to correct them and report on progress. If recommendations are not followed, this can be made public – a significant reputational risk for your service provider and indirectly for you.
What this means for your contracts
Your contracts must reflect these new realities. Standard clauses are no longer sufficient. You now need “DORA-ready” additions that guarantee you audit rights without much notice, on-demand access to logs and clear exit timelines.
3. From IT risk to a matter for the boss: strategic implications for the C-level
This guide finally catapults third-party risk management from the IT basement into the boardroom. The responsibility has been clearly addressed since the publication of the Digital Operational Resilience Act (DORA). As a board, ask yourself the following questions:
For the CEO & the entire board
"How high is our concentration risk with a single cloud provider? Do we have a tested, financeable and technically feasible plan B if this provider fails or the regulator restricts its use?"
For the CFO
"Are the potential costs of switching providers or setting up a multi-cloud architecture taken into account in our medium-term planning? Do we understand the financial implications of the supervisory costs that are passed on to us?"
For the CTO/CIO
"Are our reporting pipelines automated enough that we can deliver the KPIs required by regulators (e.g. on incidents, controls, budgets) at the push of a button? Are our exit strategies technically validated or just theoretical papers?"
For the CRO
"What is our communication plan if our critical provider receives a public reprimand from the regulator? How do we manage the associated reputational risk for our own company?"
4. The best practice toolbox: How to make your company DORA-proof
Proactive action is now required for those responsible in the areas of IT, risk, compliance and purchasing.
Phase 1: Preparation & Analysis (Now!)
Action: Keep your information register up to date in accordance with Article 28 DORA.
Best practice tip: Maintain a “shadow register” that also records critical intra-group IT services. Hidden dependencies are often found here.
Phase 2: Risk assessment
Action: Implement a supplier risk scoring model that goes beyond compliance checks to include technical threats (e.g. NIST SP 800-161 Rev. 1).
Best practice tip: Establish a simple Red/Amber/Green dashboard for the top 20 providers that reports directly to the board risk committee.
Phase 3: Continuous monitoring
Action: Automate monitoring by consuming telemetry data directly from provider APIs (e.g. AWS Security Hub, Azure Defender for Cloud).
Best practice tip: Define “Handshake KPIs” together with business owners to link technical metrics (e.g. uptime) directly to business processes.
Phase 4: Testing & Simulation
Action: Conduct table-top exercises that specifically simulate supervisory scenarios (e.g. failure of an entire cloud region, data loss at a sub-service provider).
Best practice tip: Incorporate an exit dry run as an integral part of your annual disaster recovery exercise, so that the portability of data and applications is tested under real-world conditions.
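As an added example (not from the original article or from ADVISORI), the following Python sketch models the Phase 1 and Phase 2 steps: it reads a constructed Article 28-style information register, counts each provider's exposure to critical functions including exposure that only arises further down the chain as a subcontractor, and derives the Red/Amber/Green rating for the board dashboard. The register rows, provider names, thresholds and the exit-plan escalation rule are assumptions.

```python
from collections import defaultdict

# Constructed rows modelled on an Article 28 DORA information register (invented
# providers and services). Fields: service, provider, subcontractor,
# supports_critical_function, exit_plan_tested
REGISTER = [
    ("core banking hosting", "CloudProvider A", None, True, False),
    ("payment gateway", "CloudProvider A", "CDN Vendor X", True, False),
    ("KYC document OCR", "SaaS Vendor B", "CloudProvider A", True, True),
    ("HR payroll", "SaaS Vendor C", None, False, True),
    ("data warehouse", "CloudProvider A", None, True, True),
    ("intra-group IT ops", "Group IT (intra-group)", None, True, False),
]
RAG = ["GREEN", "AMBER", "RED"]

def critical_exposure(register):
    """Critical services each provider touches, directly or as a subcontractor."""
    exposure = defaultdict(set)
    for service, provider, sub, critical, _tested in register:
        if critical:
            exposure[provider].add(service)
            if sub:
                exposure[sub].add(service)  # hidden dependency via sub-outsourcing
    return exposure

def rag_rating(register, provider, amber_at=0.25, red_at=0.5):
    """(share of critical services touched, RAG). Thresholds are assumed values;
    an untested exit plan on any touched critical service escalates one level."""
    total_critical = sum(1 for row in register if row[3])
    touched = critical_exposure(register).get(provider, set())
    share = len(touched) / total_critical if total_critical else 0.0
    level = 0 if share < amber_at else 1 if share < red_at else 2
    untested_exit = any(svc in touched and not tested
                        for svc, _p, _s, crit, tested in register if crit)
    return share, RAG[min(level + untested_exit, 2)]

def board_dashboard(register, top_n=20):
    """Top-N providers by concentration share, as rows for the board risk committee."""
    providers = {row[1] for row in register} | {row[2] for row in register if row[2]}
    rows = [(p, *rag_rating(register, p)) for p in providers]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:top_n]

if __name__ == "__main__":
    for provider, share, rating in board_dashboard(REGISTER):
        print(f"{rating:5} {share:4.0%}  {provider}")
```

Note that CloudProvider A is rated RED although it is the contracted provider for only three critical services: its role as subcontractor for the KYC service raises its share to four of five, which is exactly the hidden dependency the shadow register is meant to surface.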

Outlook: The crucial deadlines on your radar
The schedule is ambitious and leaves no room for delays.
July 2025
First notifications to potentially critical providers. Who delivers: EU supervisory authorities (ESAs).
Q4 2025
Publication of the final list of CTPPs and start of the first examinations by the Joint Examination Teams (JETs). Who delivers: ESAs and the newly formed examination teams.
Conclusion: Resilience as a competitive advantage
The new DORA Guide for monitoring critical ICT third-party service providers makes it unmistakably clear: supervisors will delve deeply into the technologies and processes of your most important IT service providers. And they expect you to know and manage your digital supply chain with the same depth.
Companies that act now and build integrated third-party risk management with data-driven, real-time visibility will not only pass regulatory scrutiny. They will transform digital resilience from a chore into a strategic, measurable competitive advantage. The question is no longer whether you will act, but rather how quickly and how decisively.
ADVISORI supports you with tailor-made solutions and outstanding DORA expertise with regard to Third Party Risk Management.
Next step: Free initial consultation
Would you like to implement DORA compliance in a timely manner? Our experts will be happy to advise you - without obligation and in a practical manner.
Arrange an initial consultation now →
📖 Also read: DORA RTS on subcontracting: New obligations for financial companies in 2025
Ready to put your knowledge into action?
This article has given you food for thought. Let us take the next step together and discover how our expertise in DORA Third-Party Risk Management can lead your project to success.
Get informed without obligation & discover your potential.