Register of Information — Maintain and keep up-to-date a register of information on all ICT third-party contractual arrangements, and submit it to competent authorities upon request or as required (DORA Article 28)
Key contractual provisions for ICT third-party service agreements
Concentration risk
Assess and manage concentration risk from third-party ICT dependencies
Critical provider oversight
Designated critical third-party providers (CTPPs) subject to ESA oversight
Exit strategies
Maintain exit strategies for critical ICT third-party services
Register of Information
Maintain and keep up-to-date a register of information on all ICT third-party contractual arrangements, and submit it to competent authorities upon request or as required (DORA Article 28)
Penalties
Violation
Fine
CTPP non-compliance
ESAs may impose periodic penalty payments on critical third-party providers