Third-Party ICT Risk Register Template for Financial Services (DORA and FCA SS2/21 Compliant)
Every FCA-regulated firm and every firm in scope of DORA needs a third-party ICT risk register. The ION Group ransomware attack and Finastra data breach demonstrated what happens when financial institutions do not know which of their critical functions depend on which third-party providers — and what their exposure is when those providers fail. The FCA's SS2/21 outsourcing guidance and DORA Article 28 both require a maintained register of third-party ICT providers. This guide explains what the register must contain and how to build and maintain it.
DORA Article 28 requires a mandatory register of all ICT third-party service providers. FCA SS2/21 requires equivalent records for material outsourcing arrangements. Both require ongoing maintenance.
What the Register Must Contain: DORA and FCA Requirements
DORA Article 28(3) specifies the information that must be included in the third-party ICT provider register. FCA SS2/21 has similar requirements for material outsourcing registers:
- Provider identity: Full legal name, registration number, registered address, and key contacts
- Services provided: Specific ICT services, functions, or data processing activities provided
- Criticality rating: Whether the provider supports a critical or important function — and the criteria used to determine criticality
- Data classification: Categories of data accessed, processed, or stored by the provider — including any personal data, special category data, or market-sensitive data
- Geographic location: Where services are delivered and data processed — relevant for international data transfer compliance
- Sub-processor arrangements: Any material sub-contractors used by the provider
- Contract details: Contract start and expiry dates, SLAs, key provisions summary
- Due diligence status: Date of last assessment, certifications held (ISO 27001, SOC 2, PCI DSS), assessment outcome
- Concentration risk: Whether this provider is also used by other firms in your group or by your competitors — systemic concentration indicators
- Exit strategy: Reference to documented exit plan for the provider
Criticality Assessment: How to Rate Your Providers
The criticality rating for each provider determines the level of oversight required:
- Critical: Provider supports one or more important business services (as identified under PS21/3); their unavailability would breach your impact tolerance within the tolerance period
- Important: Provider supports material business functions; their unavailability would cause significant operational disruption but not immediately breach impact tolerances
- Standard: Provider supports operational functions; their unavailability would be inconvenient but could be managed or worked around within impact tolerance
- For DORA: Critical providers require enhanced due diligence, contractual provisions, and exit plans; important and standard providers require appropriate proportionate oversight
- Document the rationale for each rating — FCA supervisors and DORA assessors will review criticality decisions
Concentration Risk Assessment
DORA requires firms to identify and manage concentration risk in their ICT supply chain:
- Single-provider dependency: Identify any critical or important business service that relies on a single provider with no alternative or fallback
- Common cloud infrastructure: Multiple cloud-hosted systems from different providers may rely on the same underlying infrastructure (AWS, Azure, GCP) — map this hidden concentration
- Common sub-processors: Providers who use the same sub-contractors create concentration at a level below direct suppliers — the Finastra breach affected clients of multiple institutions via a single supplier
- Group concentration: Intra-group technology services create concentration risk that must be assessed even though the counterparty is a related entity
- Document concentration risk findings and the mitigation measures in place — or the residual risk if mitigation is not feasible
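As an added illustration (not part of the original guide), the following Python models a handful of register entries and derives the four concentration findings listed above, plus the "hidden single point of failure" case where two providers of one service both sit on the same cloud; all provider, service and sub-processor names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Provider:
    name: str
    criticality: str                 # "Critical", "Important" or "Standard"
    services: Set[str]               # important business services it supports
    hosting: Optional[str] = None    # underlying cloud platform, None if self-hosted
    sub_processors: Set[str] = field(default_factory=set)
    intra_group: bool = False        # related entity within the firm's group

def concentration_findings(register):
    """Return (finding_type, key, affected_providers) tuples for the register."""
    by_service, by_host, by_subproc = defaultdict(set), defaultdict(set), defaultdict(set)
    for p in register:
        for s in p.services:
            by_service[s].add(p.name)
        if p.hosting:
            by_host[p.hosting].add(p.name)
        for sp in p.sub_processors:
            by_subproc[sp].add(p.name)
    findings = []
    # single-provider dependency: only one provider supports the service
    findings += [("single-provider", s, sorted(n)) for s, n in by_service.items() if len(n) == 1]
    # hidden concentration: several providers on the same underlying cloud
    findings += [("common-cloud", h, sorted(n)) for h, n in by_host.items() if len(n) > 1]
    # concentration one level down: providers sharing a sub-contractor
    findings += [("common-sub-processor", sp, sorted(n)) for sp, n in by_subproc.items() if len(n) > 1]
    # intra-group services are still a concentration that must be assessed
    findings += [("group-concentration", p.name, [p.name]) for p in register
                 if p.intra_group and p.criticality in ("Critical", "Important")]
    return findings

def single_points_of_failure(register):
    """Services whose providers all sit on one platform: a second provider is no real fallback."""
    platforms = defaultdict(set)
    for p in register:
        for s in p.services:
            platforms[s].add(p.hosting or p.name)  # self-hosted counts as independent
    return sorted(s for s, hosts in platforms.items() if len(hosts) == 1)

# Constructed sample register (fictional provider, service and sub-processor names)
SAMPLE_REGISTER = [
    Provider("CoreBankVendor", "Critical", {"Payments", "Ledger"}, "AWS", {"EmailRelayCo"}),
    Provider("PayGatewayLtd", "Critical", {"Payments"}, "AWS"),
    Provider("CrmSaaS", "Important", {"Client onboarding"}, "Azure", {"EmailRelayCo"}),
    Provider("GroupITServices", "Important", {"Ledger"}, intra_group=True),
]
```

Note that "Payments" has two providers yet still appears as a single point of failure, because both run on AWS; that is exactly the hidden concentration the checklist asks you to map.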
Maintaining the Register: Governance Requirements
A third-party ICT risk register that is created once and never updated satisfies neither the spirit nor the letter of DORA or FCA requirements:
- Trigger-based updates: Update the register whenever a new provider is onboarded, an existing provider is offboarded, a material change occurs in a provider's services or security posture, or a contract is renewed
- Annual review: Conduct an annual review of all register entries — confirm contact details, update due diligence status, refresh concentration risk assessment
- Incident-triggered review: Following any ICT incident (including at a third-party provider), review affected entries and update accordingly
- Ownership: Assign a named owner for the register — typically IT risk, procurement, or compliance. Under DORA, the ICT risk management function is responsible
- Panorays integration: Panorays' continuous external monitoring provides a live feed of provider security posture changes that should inform register updates — reducing the reliance on annual point-in-time assessments
Frequently Asked Questions
How many providers should be on the register — do we include every supplier?
The register must include all ICT third-party service providers — meaning all suppliers that provide technology services, data processing, or software. This is broader than just critical providers. DORA Article 28 and FCA SS2/21 both expect comprehensive coverage, with proportionate scrutiny applied based on criticality. A typical financial firm may have 20–100 ICT providers on its register; a larger institution may have several hundred. Start with all providers that have access to your systems, data, or networks — then apply criticality ratings to determine oversight intensity.
Our providers will not share their security certifications. What do we do?
A provider that refuses to share evidence of security certifications is itself a risk indicator. For critical providers, refusal to provide ISO 27001 certification, SOC 2 reports, or equivalent evidence should trigger enhanced due diligence — including external monitoring via Panorays and potential escalation of contractual requirements. Under DORA's contractual provisions (Article 30), providers are required to maintain security standards and allow audit. If a provider refuses to meet these requirements, your contract renewal should include them as conditions, and if the provider is unwilling, you should assess whether they remain acceptable as a critical provider.
We use Microsoft 365 and AWS for most of our operations — how do we manage concentration risk?
This is the most common concentration risk scenario — and the FCA and DORA assessors are asking about it specifically. Your response should document: (1) which important business services depend on Microsoft 365 and/or AWS; (2) what your tolerance is for an extended outage of those services; (3) what fallback procedures you have if they are unavailable; and (4) whether you have assessed Microsoft and AWS's own resilience (they publish their SLAs and architecture documentation). For most firms, the honest answer is that certain services would be severely impaired by an extended Microsoft or AWS outage — documenting this as residual accepted risk, with tested fallback procedures for the most critical functions, is the appropriate response.