Exploring Digital resilience third-party registers

  • Release version: Xanadu
  • Updated July 31, 2025

    The Digital resilience third-party registers application enables financial entities to maintain registers of their contractual arrangements with Information and Communication Technology (ICT) third-party service providers and to comply with the Digital Operational Resilience Act (DORA).

    Applications for DORA compliance

    Beginning with Release 19.1.x, the following applications are supported for ICT Third-party Risk Management as part of DORA compliance.
    • Digital Operational Resilience Management: This application is used for uploading and downloading of all individual DORA tables.
    • Digital Resilience Third-party Information Register: This application is used to download the Digital resilience third-party registers. It contains the Microsoft Excel template, which includes all tabs needed for reporting. It helps financial entities maintain a comprehensive register of their contractual arrangements with ICT third-party service providers at the individual entity, sub-consolidated, and consolidated levels.

      Customers use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.

      Note:
      IRM Professional license users can access Digital resilience third-party registers in the Operational Resilience Workspace. TPRM license users can access Digital resilience third-party registers in the TPRM Workspace.

      The Digital resilience third-party registers application fulfills multiple functions for the entities:
      • Assists the entities in tracking their ICT third-party risks.
      • Empowers the competent authorities in the European Union to oversee ICT and third-party risk management within financial entities.
      • Aids European Supervisory Authorities (ESA) in identifying Critical ICT third-party service providers (CTPP) for EU level supervision.

    Digital Operational Resilience

    Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT-related capabilities needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. This continuity can be achieved directly or indirectly through the services provided by ICT third-party service providers.

    Digital Operational Resilience Act (DORA)

    Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). DORA is a European Union (EU) regulation that came into effect on 16 January 2023 and is applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESAs) and protects Europe's financial sector from major digital disruptions.

    Regulatory Technical Standards

    DORA Regulation mandates that financial entities incorporate and periodically review a strategy for managing ICT third-party risk within their ICT risk management framework. This strategy must include a policy governing the use of ICT services that support critical or important functions, as provided by third-party ICT service providers.

    A financial institution's policy on using third-party ICT service providers plays a crucial role in defining key aspects of its governance, risk management, and internal control frameworks for these services. Financial entities must perform risk assessments and due diligence before signing contracts with third-party ICT service providers. They must also ensure they can terminate these arrangements if needed and maintain business continuity for critical or important functions. For instance, an action could be necessary where the service is not optimal, external ICT systems malfunction, or the service is disrupted due to sanctions.

    Pillars for DORA

    The Digital Operational Resilience Act (DORA) comprises the following pillars:
    1. ICT Risk Management
    2. ICT Incident Reporting
    3. Digital Operational Resilience Testing
    4. ICT Third-party Risk Management
    5. Information and Intelligence Sharing
    Note:
    Operational Resilience, Release 19.1.x focuses on the ICT Third-party Risk Management pillar only.

    Processing the records using GUI or Microsoft Excel

    Customers can manage contractual arrangements in the Digital resilience third-party registers application by processing records through the graphical user interface (GUI) or by importing or exporting Microsoft Excel files.

    For information on processing the records through the graphical user interface (GUI) or by importing or exporting Microsoft Excel files, see Using Digital resilience third-party registers.

    Licensing requirements

    Users can access the Digital resilience third-party registers application in the following ways:
    • Beginning with Release 19.1.x, customers who already have the Operational Resilience or the TPRM applications can access the Digital resilience third-party registers.
    • These customers can download, install, and start using the Digital resilience third-party registers application.

    The licensing information and the associated workspaces are listed in the following table.

    Table 1. Licensing and associated workspaces
    License          | Application displayed in the UI          | Associated workspaces
    IRM Professional | Digital resilience third-party registers | Operational Resilience Workspace
    TPRM             | Digital resilience third-party registers | TPRM Workspace

    Digital resilience third-party registers in Operational Resilience Workspace

    Upon opening the Operational Resilience Workspace, the menu featuring Digital resilience third-party registers is displayed.

    Digital resilience third-party registers in the TPRM Workspace

    For information on Digital resilience third-party registers in the TPRM Workspace, see Third-party Risk Management.