DORA (Regulation (EU) 2022/2554) imposes a broad set of obligations on in-scope financial entities. Of all of them, the ICT supplier register and the associated contractual review consistently consume the most effort in our readiness engagements — usually by a wide margin.
The headline reason is simple: the ICT supplier inventory is almost always larger than the security and procurement teams realise. We have worked with mid-sized retail banks whose initial estimate of in-scope ICT suppliers was around 50; the final count after a thorough inventory exercise was over 400.
The detail is in what counts as an ICT supplier. DORA Article 28 defines the term broadly; the supporting RTS and ITS expand it further. Cloud providers and SaaS vendors are obvious; less obvious are professional-services firms with system access, contracted developers, managed-service providers for non-core systems, telecommunications providers, and outsourced operations vendors with access to ICT systems.
Once the inventory is complete, the work proper begins. Each supplier needs concentration-risk assessment (how much of our operation depends on this supplier?), criticality assessment (is this supporting a critical function?), and contractual review (do the DORA minimum contractual provisions of Article 30 appear in the contract?).
Contractual review is where the timeline pressure bites. Many existing supplier contracts do not include the DORA Article 30 provisions in the form required by the regulation. The remediation is either (a) renegotiate the existing contract, (b) execute an addendum, or (c) onboard the supplier under new contractual terms. Each option requires legal review, supplier agreement, and signed execution — and the legal capacity of the procurement function is finite.
Our pragmatic recommendation for clients still in the readiness phase: prioritise the contractual remediation by concentration and criticality, and accept that the long tail of less-critical suppliers will take longer to bring into full compliance. Document the prioritisation, document the residual position, and present the supervisor with an honest picture of progress rather than a misleading picture of full coverage.
Most home-state supervisors we have engaged with respond well to honest, prioritised progress narratives. They respond poorly to misleading claims of full coverage that fall apart under scrutiny.
Our standard DORA engagement now includes a supplier-register workstream estimated at six months of effort for a mid-sized bank, longer for larger institutions. That estimate is calibrated against the engagements we have completed; it is honest about the work and conservative about the timeline.