Digital Operational Resilience Act · effective January 2025

The verification layer for DORA third-party risk management.

DORA requires EU financial entities to monitor and manage ICT third-party risk continuously. Veritor provides the entity-verification layer — registry-anchored counterparty status, concentration analysis, and regulator-ready documentation.

01 / What DORA requires

Four pillars, one entity-data substrate.

Article 28 — ICT third-party risk strategy
Policy + register
Maintain a register of all ICT third-party providers. Veritor: per-provider verified entity records with status, leadership, ownership, and country.
Article 29 — Concentration risk
Group-level exposure
Assess concentration of services and dependencies. Veritor: relationship cascade reveals when seemingly-distinct vendors share a common parent — critical for accurate concentration metrics.
Article 30 — Contractual arrangements
Pre-contract DD
Conduct due diligence before contract signature. Veritor: full counterparty verification + UBO + sanctions in one API call, with PDF audit report.
Continuous monitoring
Webhook subscriptions
DORA requires ongoing monitoring — not just point-in-time onboarding. Veritor: webhook on status change, leadership change, sanctions match, ownership change.
02 / Critical Third-Party Providers (CTPPs)

DORA designates EU-systemically-important ICT providers for direct oversight.

The European Supervisory Authorities (ESAs) designate Critical ICT Third-Party Providers (CTPPs) — hyperscalers, payment-rails operators, cloud-infrastructure providers whose failure could cascade across the EU financial system. CTPPs are subject to direct EU-level oversight, not just member-state regulator review.

For financial entities, this means your CTPP exposure is regulator-visible. You can't quietly under-report concentration on AWS, Azure, or major payment processors. Veritor helps you compose the accurate register: the entity-resolution layer that ensures every dependency rolls up to the correct legal parent — including subsidiaries, regional incorporations, and rebranded acquisitions.

03 / FAQ

DORA questions

Who does DORA apply to?

EU financial entities — banks, investment firms, payment institutions, e-money institutions, crypto-asset service providers, AIFM, UCITS managers, insurance / reinsurance undertakings, occupational pension institutions, credit rating agencies, and a few more. Plus the ICT third-party providers serving them. Effective January 2025.

How does Veritor help with concentration risk specifically?

DORA's concentration test is at the group level — multiple subsidiaries of the same parent count as one dependency. Veritor's relationship cascade resolves corporate hierarchies, so your concentration analysis reflects actual group exposure rather than per-contract exposure. This often reveals concentration risks that didn't appear in vendor-management-system reports.

Does Veritor itself need to comply with DORA as an ICT provider?

Veritor is an ICT third-party provider to financial-entity customers. We provide DORA-compliant contractual terms (Art. 30 requirements) including audit rights, subcontractor management, and exit assistance. Available in our standard Enterprise contract.

What about Article 28 register format?

The Implementing Technical Standards specify the register's data model. Veritor's exports can populate the required fields directly: entity LEI, country, services categories, sub-outsourcing chain. Talk to us about register-format export for your specific national competent authority.

Scope a DORA pilot.

We work with financial-entity TPRM leads on Article 28 register design, concentration analysis, and ongoing-monitoring architecture. No charge, no obligation.

Talk to us →