The biggest DORA risk isn’t in your systems

Jun 10, 2025

💥 The biggest DORA risk isn’t in your systems — it’s in your partners’ infrastructure. 

Since DORA came into force on January 17, 2025, European supervisory authorities have accelerated the process of identifying Critical Third-Party Providers (CTPPs). National authorities submitted their Registers of Information by April 30, and the ESAs (EBA, EIOPA, ESMA) are expected to publish the first CTPP shortlist by July 2025, triggering a six-week objection period before final designation. 

Meanwhile, the EBA has simplified the regulatory landscape by repealing outdated PSD2 guidelines for ICT incident reporting. From now on, DORA’s harmonized framework is the single reference. 

🚨 3 Common Mistakes We’re Already Seeing in the Field: 

  • Only mapping the “Top 10” vendors: DORA requires visibility across the entire supply chain, including fourth parties. 

  • SLAs misaligned with business impact: Many contracts do not reflect your actual Recovery Time Objectives (RTO) or Recovery Point Objectives (RPO) — and are therefore non-compliant. 

  • No financial prioritization model: You cannot demonstrate proportionality without estimating the potential financial impact of each third-party relationship. 

✅ Quick “Third-Party DORA Readiness” Checklist: 

  • Single, up-to-date third-party register (including 4th parties)

  • Vendor classification based on potential financial loss (€)

  • Audit rights and resilience testing clauses in contracts

  • Crisis/failure scenarios tested and quantified

How DEEP SAFE x SAFE One Makes It Simple: 

🔹 Automated import and analysis of your vendor register, with real-time gap detection and FAIR™-based financial risk scoring 
🔹 Live alerts on high-impact vendors — even before they’re officially designated as CTPPs 
🔹 Board-ready dashboards: Speak the language of euros, not heatmaps