Workshop on Digital Operational Resilience with financial sector associations

9 February 2026

On the 4th of February, a meeting was held in Rome on the topic 'Digital Operational Resilience. ICT Third Parties: the Registers of Information. Initial Evidence and Future Developments'. The meeting was attended by representatives of Banca d'Italia with the leading associations from the financial sector.

The initiative focused on the analysis of the risk to which a financial entity may be exposed when relying on information and communication technology (ICT) services provided by third‑party vendors, known as ICT third‑party risk. This is one of the main pillars addressed by EU Regulation 2022/2554 on Digital Operational Resilience ("DORA") and has long been an area of attention for the Supervisory Authority, considering the increasing reliance on third party providers in recent years and the ongoing digitalisation of the financial market.

The meeting provided an opportunity for Banca d'Italia to share the main findings from the horizontal analysis on ICT third‑party risk carried out in 2025 (see attached presentation). In particular, the discussion revolved around the prudential risk aspects related to:

  • the scale of reliance on ICT third parties and the complexity of interconnections;
  • a highly concentrated ICT vendor market and the limited substitutability of services;
  • articulated and complex supply chains, particularly for certain services.

The event was also used to raise awareness in the market regarding the quality and completeness of the data contained in the Registers of Information, with the objective of strengthening their usefulness both for intermediaries' risk management and for supervisory activity. To this end, some operational guidance was provided in view of the next reporting cycle for the Registers of Information, and the main lessons learned from the first exercise were shared.

Banca d'Italia emphasised that the management of ICT third‑party risk is strategically important for the resilience and stability of intermediaries. For this reason, it requires a solid governance framework in which the management body maintains adequate knowledge and understanding of these risks, defines strategy, policies and control arrangements, with a focus on the periodical assessment of suppliers providing critical or important functions.

The meeting is part of a broader path aimed at strengthening dialogue between Banca d'Italia and the industry. It follows the one organised in June 2025 dedicated to the implementation of the requirements introduced by EU Regulation 2022/2554 on Digital Operational Resilience by financial entities (see link).