DORA requires EU financial entities to monitor and manage ICT third-party risk continuously. Veritor provides the entity-verification layer — registry-anchored counterparty status, concentration analysis, and regulator-ready documentation.
The European Supervisory Authorities (ESAs) designate Critical ICT Third-Party Providers (CTPPs) — hyperscalers, payment-rails operators, cloud-infrastructure providers whose failure could cascade across the EU financial system. CTPPs are subject to direct EU-level oversight, not just member-state regulator review.
For financial entities, this means your CTPP exposure is regulator-visible. You can't quietly under-report concentration on AWS, Azure, or major payment processors. Veritor helps you compose the accurate register: the entity-resolution layer that ensures every dependency rolls up to the correct legal parent — including subsidiaries, regional incorporations, and rebranded acquisitions.
EU financial entities — banks, investment firms, payment institutions, e-money institutions, crypto-asset service providers, AIFM, UCITS managers, insurance / reinsurance undertakings, occupational pension institutions, credit rating agencies, and a few more. Plus the ICT third-party providers serving them. Effective January 2025.
DORA's concentration test is at the group level — multiple subsidiaries of the same parent count as one dependency. Veritor's relationship cascade resolves corporate hierarchies, so your concentration analysis reflects actual group exposure rather than per-contract exposure. This often reveals concentration risks that didn't appear in vendor-management-system reports.
Veritor is an ICT third-party provider to financial-entity customers. We provide DORA-compliant contractual terms (Art. 30 requirements) including audit rights, subcontractor management, and exit assistance. Available in our standard Enterprise contract.
The Implementing Technical Standards specify the register's data model. Veritor's exports can populate the required fields directly: entity LEI, country, services categories, sub-outsourcing chain. Talk to us about register-format export for your specific national competent authority.
We work with financial-entity TPRM leads on Article 28 register design, concentration analysis, and ongoing-monitoring architecture. No charge, no obligation.
Talk to us →