Policy area
DORA
Monitor
DORA ยท Monitor
DORA makes ICT third-party evidence an ongoing monitoring task, not a one-off file request
Financial entities and ICT suppliers should organize evidence and ownership before review pressure peaks.
Reader limit
Does not replace regulated DORA assessment or legal review. This briefing is not legal advice or certification.
At a glance
Updated
12 May 2026
Official source reviewed 12 May 2026.
Source
ESMA DORA information page
Open official sourceWhat changed
The 12 May 2026 official source check confirmed ESMA describes DORA as applying from 17 January 2025 and covering ICT risk management, third-party risk, testing, incidents, information sharing, and oversight of critical providers.
Why it matters for teams
Finance, SaaS, ICT vendor, risk, procurement, and operations teams should use this as an early evidence and owner-readiness prompt before making public claims or sending sensitive material.
First practical question
Which ICT services, owners, and evidence files would be hard to assemble this week?
Checklist starter
- Map critical ICT services and business owners.
- Identify third-party, subcontractor, and contract owners.
- Collect resilience, continuity, testing, and incident evidence.
- Separate financial-entity obligations from ICT-supplier evidence pressure.
- Set a recurring monitoring rhythm instead of a one-off file request.
What to watch next
- new Level 2/3 material or supervisory update.
- new financial-customer evidence request.
- new ICT provider, subcontractor, incident, or resilience-testing dependency.
Official source and limits
Grounded in: ESMA DORA information page. RegulationsOffice summarizes public official source material and prepares workflow/checklist support; it does not provide legal advice, certification, representation, or a compliance guarantee.