Exploring Digital resilience third-party registers

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Digital resilience third-party registers

    The Digital resilience third-party registers application enables financial entities to maintain detailed registers of contractual relationships with ICT third-party service providers, ensuring compliance with the European Union's Digital Operational Resilience Act (DORA). This application supports ICT Third-party Risk Management by helping entities track and manage risks linked to third-party ICT services critical to their operations.

    Show full answer Show less

    DORA, effective from January 17, 2025, mandates financial entities to implement robust ICT risk management strategies, including policies on third-party ICT service providers, risk assessments, due diligence, and business continuity planning. The application assists entities and EU supervisory authorities in overseeing ICT third-party risk and identifying critical ICT providers.

    Key Features

    • Comprehensive Registers: Maintains registers of contractual arrangements at individual, sub-consolidated, and consolidated levels with third-party ICT providers.
    • Data Management: Allows bulk or individual record creation and editing via Microsoft Excel templates or through a graphical user interface (GUI), facilitating efficient updates of assessments, contracts, functions, and engagements.
    • Regulatory Compliance: Supports the creation and validation of Register of Information (RoI) packages required under DORA for regulatory reporting.
    • Licensing and Access: Accessible through IRM Professional or TPRM licenses within the Operational Resilience Workspace or the Third-party Risk Management (TPRM) Workspace, respectively.
    • Integration with DORA Pillars: Focuses specifically on the ICT Third-party Risk Management pillar, complementing other aspects such as incident reporting and resilience testing.

    Practical Benefits for ServiceNow Customers

    • Streamlined Compliance: Enables financial institutions to efficiently comply with DORA requirements by organizing and managing third-party ICT risk data in a single, standardized system.
    • Improved Risk Oversight: Facilitates better tracking and governance of third-party ICT risks, supporting internal control and governance frameworks.
    • Regulatory Readiness: Simplifies preparation and validation of regulatory reports and packages to meet EU supervisory expectations.
    • Flexible Data Handling: Offers both GUI and Excel-based data processing options, catering to various operational preferences and IT environments.
    • Enhanced Operational Resilience: Helps maintain continuous financial service provision by managing risks related to ICT third-party disruptions or failures.

    The Digital resilience third-party registers application empowers the financial entities to maintain registers of contractual arrangements with Information and Communication Technology (ICT) third-party service providers and comply with Digital Operational Resilience Act (DORA) regulation.

    Applications for DORA compliance

    Beginning with Release 19.1.x, the following applications are supported for ICT Third-party Risk Management as part of DORA compliance.
    • Digital Operational Resilience Management: This application is used for uploading and downloading of all individual DORA tables.
    • Digital Resilience Third-party Information Register: This application is used to download the Digital resilience third-party registers. The application contains the Microsoft Excel template that includes all tabs for reporting purposes. It helps the financial entities to maintain a comprehensive register of their contractual arrangements with ICT Third-party service providers at the individual entity, sub-consolidated, and consolidated levels.

      Customers use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.

      Note:
      The IRM Professional license users can access Digital resilience third-party registers in the Operational Resilience Workspace. The TPRM license users can access Digital resilience third-party registers in the TPRM Workspace.
      The Digital resilience third-party registers application fulfills multiple functions for the entities:
      • Assists the entities in tracking their ICT third-party risks.
      • Empowers the competent authorities in European Union to oversee ICT and third-party risk management within financial entities.
      • Aids European Supervisory Authorities (ESA) in identifying Critical ICT third-party service providers (CTPP) for EU level supervision.

    Digital Operational Resilience

    Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT related capabilities that are needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. The continuity can be achieved directly or indirectly with the services provided by the ICT third-party service providers.

    Digital Operational Resilience Act (DORA)

    Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). It is a European Union (EU) regulation that came into effect on 16 January 2023 and it will be applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESA)s and protects Europe's financial sector from major digital disruptions.

    Regulatory Technical Standards

    DORA Regulation mandates that financial entities incorporate and periodically review a strategy for managing ICT third-party risk within their ICT risk management framework. This strategy must include a policy governing the use of ICT services that support critical or important functions, as provided by third-party ICT service providers.

    A financial institution's policy on using third-party ICT service providers plays a crucial role in defining key aspects of its governance, risk management, and internal control frameworks for these services. Financial entities must perform risk assessments and due diligence before signing contracts with third-party ICT service providers. They must also ensure they can terminate these arrangements if needed and maintain business continuity for critical or important functions. For instance, an action could be necessary where the service is not optimal, external ICT systems malfunction, or the service is disrupted due to sanctions.

    Pillars for DORA

    Digital Operational Resilience Act (DORA) comprises the important pillars:
    1. ICT Risk Management
    2. ICT Incident Reporting
    3. Digital Operational Resilience Testing
    4. ICT Third-party Risk Management
    5. Information and Intelligence Sharing
    Pillars.
    Note:
    Operational Resilience, Release 19.1.x focuses on the ICT Third-party Risk Management pillar only.

    Processing the records using GUI or Microsoft Excel

    Customers can manage the contractual arrangements by processing the records by using the graphical user interface (GUI) or by importing or exporting Microsoft Excel files in the Digital resilience third-party registers application.

    For information on processing the records through the graphical user interface (GUI) or by importing or exporting Microsoft Excel files, see Using Digital resilience third-party registers.

    Licensing requirements

    Users can access the Digital resilience third-party registers application in the following ways:
    • Beginning with Release 19.1.x, customers who already have the Operational Resilience or the TPRM applications can access the Digital resilience third-party registers.
    • These customers can download, install, and start using the Digital resilience third-party registers application.

    The licensing information and the associated workspaces are listed in the following table.

    Table 1. Licensing and associated workspaces
    License Application displayed in the UI Associated workspaces
    IRM Professional Digital resilience third-party registers Operational Resilience Workspace
    TPRM Digital resilience third-party registers TPRM Workspace

    Digital resilience third-party registers in Operational Resilience Workspace

    Upon opening the Operational Resilience Workspace, the menu featuring Digital resilience third-party registers is displayed.

    Workspace menu.

    Digital resilience third-party registers in the TPRM Workspace

    For information on Digital resilience third-party registers in the TPRM Workspace, see Third-party Risk Management.