
Dritt

What Is Dritt?

In the context of the European Union's Digital Operational Resilience Act (DORA), "Dritt" refers to third-party Information and Communication Technology (ICT) service providers. As part of the broader field of Financial Regulation and Operational Resilience, the concept of Dritt addresses the critical reliance of financial entities on external technology services, such as cloud platforms, data analytics, or software solutions. The DORA regulation aims to strengthen the digital operational resilience of the financial sector by ensuring that all participants, including these Dritt providers, can withstand, respond to, and recover from ICT-related disruptions.

History and Origin

The increasing digital transformation of the financial sector led to a heightened dependence on ICT services and, consequently, an elevated risk of cyberattacks and IT disruptions. Recognizing the potential for systemic impact across the European Union's financial system from such incidents, the European Commission adopted a comprehensive Digital Finance Package in September 2020. This package included legislative proposals on crypto-assets and digital resilience, with DORA being a central component. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) was officially adopted on December 14, 2022, and entered into application on January 17, 2025, consolidating and updating fragmented ICT risk requirements into a single, binding regulatory framework across all EU Member States.

Key Takeaways

  • Definition: "Dritt," within the DORA framework, specifically denotes third-party ICT service providers that support financial entities.
  • Regulatory Scope: DORA extends its reach to these Dritt providers, acknowledging their crucial role in the financial sector's operational resilience.
  • Risk Management Focus: The regulation mandates stringent risk management requirements for financial entities regarding their engagement with Dritt providers.
  • Harmonization: DORA harmonizes rules previously disparate across various financial sub-sectors, creating a unified approach to digital operational resilience.
  • Systemic Importance: Oversight of critical Dritt aims to mitigate concentration risks and protect overall financial stability.

Interpreting the Dritt

The concept of Dritt under DORA signifies a shift in how financial entities manage their external information technology dependencies. It underscores that responsibility for digital operational resilience cannot be fully outsourced. Financial entities must actively engage in robust vendor management and ensure their Dritt adhere to strict standards for security, continuity, and recovery. This interpretation requires financial institutions to gain deep visibility into their ICT supply chain risk and the services provided by Dritt, rather than merely relying on contractual agreements.

Hypothetical Example

Consider "Horizon Bank," a medium-sized financial institution in the EU, that relies heavily on a third-party cloud computing provider (a Dritt) for its core banking operations and data storage. Under DORA, Horizon Bank must not only manage its internal ICT risks but also rigorously assess and monitor its Dritt. If the cloud provider experiences a significant service disruption, Horizon Bank is required to have clear incident management procedures in place, including communication protocols with the Dritt and its own customers. Furthermore, Horizon Bank must regularly test its ability to recover critical functions supported by this Dritt and ensure that the contractual arrangements include provisions for exit strategies and access to data in case of service termination or failure. This proactive due diligence and continuous oversight of the Dritt are central to Horizon Bank's compliance.

Practical Applications

The regulation of Dritt through DORA has several practical applications across the financial landscape. Financial entities must establish comprehensive ICT risk management frameworks that explicitly cover their dealings with third-party providers. This includes meticulous contract reviews to ensure that service level agreements with Dritt meet DORA's stringent requirements. Institutions are also required to maintain a register of all ICT third-party service providers, especially identifying those deemed "critical." Regulators, such as the European Supervisory Authorities (ESAs), have expanded powers to oversee these critical Dritt directly, ensuring that the entire ecosystem is resilient. This oversight helps to mitigate potential systemic risks arising from the concentration of services provided by a limited number of powerful cloud computing or other technology firms. For many firms, enhancing their cybersecurity and data protection measures, especially in relation to data hosted or processed by Dritt, has become a top priority for compliance.

Limitations and Criticisms

While DORA is lauded for its comprehensive approach to digital operational resilience, its implementation, particularly concerning Dritt, presents significant challenges for financial institutions. A July 2025 survey indicated that many financial services organizations in EMEA still feel unprepared, with a reported 96% stating their data resilience is not where it needs to be. Firms often struggle with the sheer scale of third-party networks and limited visibility into their Dritt operations, making comprehensive third-party risk management a complex undertaking. Increased stress on IT and security teams, higher costs passed on by ICT vendors, and the substantial volume of new digital regulation are common criticisms. Smaller financial entities, in particular, may face resource constraints in identifying and managing risks across their extensive IT estates and supply chains, leading to potential delays in compliance.

Dritt vs. Outsourcing Risk

While closely related, "Dritt" under DORA refers specifically to the entity—the third-party ICT service provider—whereas "outsourcing risk" is a broader category of risk associated with delegating any business function to an external provider. Dritt focuses on the technological and operational resilience aspects of external ICT dependencies within the financial sector. Outsourcing risk, in general, encompasses a wider array of potential issues, including strategic, reputational, legal, and financial risks, beyond just technology disruptions. DORA's explicit focus on Dritt means financial entities must not only manage the traditional outsourcing risk but also adhere to specific, detailed requirements for the operational resilience of these particular ICT providers.

FAQs

What types of financial entities are impacted by DORA's rules on Dritt?
DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, payment institutions, electronic money institutions, and even some crypto-asset service providers. All these entities must manage their relationships with Dritt according to DORA's requirements.

What happens if a financial entity's Dritt fails to comply with DORA?
If a Dritt (third-party ICT service provider) fails to comply with DORA, the financial entity relying on that Dritt can face significant penalties, including fines and operational restrictions. DORA also grants supervisory authorities the power to directly oversee critical Dritt and impose penalties on them.

How does DORA ensure the resilience of Dritt?
DORA mandates that financial entities establish comprehensive ICT risk management frameworks, conduct digital operational resilience testing, and manage their ICT third-party risks effectively. This includes requiring detailed contractual arrangements with Dritt, ensuring robust data protection measures, and establishing clear exit strategies for critical services.

Does DORA affect non-EU Dritt?
Yes, DORA has extraterritorial reach. If a non-EU Dritt provides ICT services to financial entities operating within the EU, that Dritt falls under the scope of DORA's requirements, particularly if designated as critical. This means global ICT service providers must ensure their services and operations align with DORA standards when serving EU financial clients.
