How to Tier and Segment Vendors for DORA Compliance
DORA requires financial entities to tier ICT vendors by risk and importance. This guide explains how to segment providers using clear criteria like criticality, substitutability, and concentration risk. With a step-by-step framework, tips to avoid common pitfalls, and a nod to AI-powered tools, you’ll be ready to meet compliance and boost resilience.

Operational resilience in financial services isn't just a buzzword – it's a regulatory mandate under the EU's Digital Operational Resilience Act (DORA). One of the keys to resilience is smart DORA vendor segmentation: tiering your third-party ICT providers by risk and criticality.
Why does this matter? Because not all vendors pose equal risk. A smart segmentation strategy helps you focus your energy where it matters most and ensures your firm applies the principle of proportionality regulators expect. Think of it as a cheat sheet for your next audit – a clear vendor tiering system shows you know which partners are truly critical and how you're managing them.
Understanding "Critical" Providers
You'll notice "critical" comes up frequently. DORA formalizes this by introducing "Critical ICT Third-Party Service Providers" – tech vendors so vital that regulators may designate them for special oversight. Think major cloud infrastructure companies or core banking software providers where an outage could ripple across many institutions.
But more practically, you need to identify which of your third parties are critical to you. DORA requires each financial entity to define which ICT third parties are critical to its operations – usually those supporting "critical or important functions." If you outsource your online banking platform or trade processing system, that provider is critical to you, triggering additional contractual safeguards under Article 30(3) like detailed service levels, audit rights, and exit strategies.
Even "non-critical" providers remain in DORA's scope. You still need comprehensive ICT risk management covering all third-party arrangements, but with proportionate oversight. A Tier 3 vendor might get an annual check-up with a simple questionnaire, while critical suppliers undergo quarterly reviews with extensive testing.
(For a primer on basic third-party segmentation concepts, see our earlier guide on starting with third-party risk management segmentation.)
Why DORA Makes Vendor Segmentation Essential
DORA has raised the bar for third-party risk management (TPRM). Articles 28–30 explicitly require financial entities to manage ICT third-party risk as part of their overall ICT risk program, scaling efforts to the nature and criticality of each vendor relationship. Article 28 specifically says you must factor in the "criticality or importance of the respective service, process or function" a vendor provides and its potential impact on your operations.
The regulation embeds the principle of proportionality: your risk controls should match the vendor's risk level. If a vendor supports a critical business function, you'll need more stringent oversight (detailed contractual terms, frequent monitoring) than for a low-risk supplier. Conversely, you shouldn't over-engineer controls for a low-impact vendor. Segmentation provides the framework to apply this proportional approach systematically.
Importantly, DORA requires you to maintain a register of all ICT service providers that clearly flags which ones support "critical or important functions." Regulators will ask for that distinction. One industry analysis notes that effective DORA compliance requires "risk-based prioritisation and automated onboarding, offboarding, and due diligence workflows" – and you can't do that without first classifying your vendors by risk tier.
Beyond compliance, segmentation is vital for operational resilience. By tiering vendors, you ensure the most critical providers (the ones that could cripple your services if they fail) get the most attention, reducing the likelihood of nasty surprises. When done right, segmentation actually saves time – your team isn't wasting effort on negligible-risk suppliers and can focus on the critical third-party providers that warrant deeper scrutiny.
Key Criteria for Vendor Classification
DORA doesn't hand you a ready-made tiering model, but it does highlight key criteria that every risk officer should consider. The core dimensions are: criticality, substitutability, and concentration risk.
Criticality of the service – How critical is the vendor's service to your operations? Does it support a "critical or important function"? A critical function is one whose failure would materially disrupt your activities or services to clients. For example, a payment processing platform or core banking software vendor is likely high-criticality. If a vendor's failure could halt your ability to serve customers or meet legal obligations, that vendor is high-risk by criticality. DORA explicitly wants firms to gauge this – it's the linchpin of identifying critical ICT third-party providers.
Substitutability – How easily can you replace the vendor if needed? DORA is very concerned with providers that are "not easily substitutable." Article 29 actually instructs firms to assess if entering a contract would lead to "contracting an ICT third-party provider that is not easily substitutable." In practice, ask yourself: "If this vendor goes down, do we have a Plan B?" If you have alternative providers or in-house solutions you could switch to without major disruption, then substitutability is high (lower risk). But if the vendor offers unique services or has such deep integration that no quick replacement exists, treat them as critical.
Concentration risk – This comes in multiple flavors. Internal concentration means having many critical processes all reliant on the same provider (creating a single point of failure). DORA specifically calls out having "multiple contractual arrangements... with the same ICT third-party" for critical functions as a risk factor. There's also systemic concentration – if most of your outsourced services run on one cloud platform, that's a concentration risk. When segmenting, vendors supporting numerous important services or used across multiple business lines should get a higher tier.
Risk-based vs. spend-based approach: Historically, some organisations tiered vendors by contract value – Tier 1 for the biggest spends, and so on. While spend often correlates with importance, it's not a reliable proxy for risk. DORA pushes for risk-based segmentation. A low-cost cloud service hosting mission-critical data poses higher risk than an expensive but easily replaceable consulting contract. Record spend in the register and use it as supporting input (it can indicate entrenchment), but don't let it be the primary decider.
A 4-Step Segmentation Framework
Step 1: Inventory your ICT relationships Start by gathering a complete list of all third-party providers offering IT or digital services (yes, all – DORA expects a comprehensive register). This includes external vendors and intra-group providers if affiliates provide tech services. For each vendor, capture key details: what service they provide, which business functions they support, contract value, and whether they support critical functions. Engage procurement and IT teams to ensure completeness. Set up a column in your register for "Critical/Important Function (Yes/No)" per Article 28 requirements.
Step 2: Define your tiers and criteria Most organisations use 3-4 levels (Low, Medium, High, Critical). Keep it simple – too many tiers complicate execution. Then select criteria covering business impact, confidentiality, and operational dependency. Some firms use a questionnaire approach with 5-10 targeted questions; others prefer a scoring model with weights. Choose what fits your culture, but ensure it's objective and repeatable – two people assessing the same vendor should reach the same conclusion.
Step 3: Score and classify vendors Apply your model consistently across all vendors. Involve business owners who know the vendor relationships best. Set score thresholds for each tier (e.g., >40 = Critical, 21-40 = High, etc.). Pair the thresholds with at least one hard override: a weighted sum can let several low ratings dilute a single decisive factor, so a vendor flagged as supporting a critical or important function should never fall below your top tiers purely because its aggregate score came out middling.
Step 4: Integrate and maintain Build segmentation into your vendor onboarding process and schedule annual reviews. Vendor risk can change over time – your usage might expand, their services might evolve, or business priorities could shift.
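The four steps above, worked as one small scoring model: criteria rated 1 to 5, weighted and summed, mapped to tiers by the thresholds the article quotes, with a hard override for the register's critical-or-important-function flag and a review cadence per tier. This is an added example written for this article; it is not a model prescribed by DORA, any regulator, or 3rdRisk. The weights, thresholds, review cycles and the vendor names and figures are constructed assumptions a firm would calibrate to its own risk appetite.

```python
"""Weighted vendor scoring, tier thresholds and a critical-function override.
Added example for this article; not a regulator- or vendor-supplied model.
Weights, thresholds, review cycles and sample vendors are assumptions."""
from dataclasses import dataclass

# Each criterion is rated 1 (lowest risk) .. 5 (highest risk). Weights are assumptions.
WEIGHTS = {
    "criticality": 4,       # does the service underpin a critical or important function?
    "substitutability": 3,  # 5 = not easily substitutable (no Plan B)
    "concentration": 2,     # critical processes / business lines on this provider
    "confidentiality": 1,   # sensitivity of the data the provider handles
}
# Score floors, highest first; mirrors the article's ">40 = Critical, 21-40 = High".
TIERS = [(41, "Critical"), (21, "High"), (11, "Medium"), (0, "Low")]
# Proportionate oversight per tier (assumed cadence).
REVIEW_CYCLE = {"Critical": "quarterly review + testing", "High": "semi-annual review",
                "Medium": "annual review", "Low": "annual questionnaire"}

@dataclass
class Vendor:
    name: str
    service: str
    ratings: dict              # criterion name -> 1..5
    supports_cif: bool         # the register's "Critical/Important Function" flag
    annual_spend_eur: int = 0  # recorded in the register but never scored

def weighted_score(v: Vendor) -> int:
    """Sum of weight * rating; rejects unrated or out-of-range criteria so a
    half-filled questionnaire cannot silently produce a low score."""
    missing = set(WEIGHTS) - set(v.ratings)
    if missing:
        raise ValueError(f"{v.name}: unrated criteria {sorted(missing)}")
    for crit, rating in v.ratings.items():
        if crit not in WEIGHTS or not 1 <= rating <= 5:
            raise ValueError(f"{v.name}: bad rating {crit}={rating}")
    return sum(WEIGHTS[c] * v.ratings[c] for c in WEIGHTS)

def base_tier(score: int) -> str:
    """Threshold lookup on the aggregate score alone."""
    return next(name for floor, name in TIERS if score >= floor)

def tier_for(v: Vendor) -> str:
    """Aggregate score plus a hard override: a provider supporting a critical or
    important function never lands below High, and if it is also not easily
    substitutable (rating >= 4) it is Critical whatever the other criteria say."""
    tier = base_tier(weighted_score(v))
    if v.supports_cif:
        if v.ratings["substitutability"] >= 4:
            tier = "Critical"
        elif tier in ("Low", "Medium"):
            tier = "High"
    return tier

def build_register(vendors: list) -> list:
    """Rows for the ICT third-party register, highest score first."""
    rows = []
    for v in vendors:
        tier = tier_for(v)
        rows.append({"provider": v.name, "service": v.service,
                     "supports_cif": "Yes" if v.supports_cif else "No",
                     "score": weighted_score(v), "tier": tier,
                     "review_cycle": REVIEW_CYCLE[tier],
                     "annual_spend_eur": v.annual_spend_eur})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample vendors (fictional names, services and figures).
SAMPLE_VENDORS = [
    Vendor("CloudCore", "core banking hosting",
           {"criticality": 5, "substitutability": 5, "concentration": 5, "confidentiality": 5},
           supports_cif=True, annual_spend_eur=2_400_000),
    Vendor("KYC-ID", "customer identity verification",   # override case: 33 -> Critical
           {"criticality": 3, "substitutability": 5, "concentration": 1, "confidentiality": 4},
           supports_cif=True, annual_spend_eur=90_000),
    Vendor("CheapBackup", "off-site backup of customer records",  # cheap but High
           {"criticality": 4, "substitutability": 2, "concentration": 2, "confidentiality": 5},
           supports_cif=True, annual_spend_eur=12_000),
    Vendor("OfficeChat", "internal messaging SaaS",
           {"criticality": 2, "substitutability": 1, "concentration": 2, "confidentiality": 2},
           supports_cif=False, annual_spend_eur=40_000),
    Vendor("BigConsult", "strategy consulting",           # expensive but Low
           {"criticality": 1, "substitutability": 1, "concentration": 1, "confidentiality": 1},
           supports_cif=False, annual_spend_eur=900_000),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_VENDORS):
        print(f"{r['provider']:<12} {r['score']:>3} {r['tier']:<9} {r['review_cycle']:<26} "
              f"spend={r['annual_spend_eur']:>9,} cif={r['supports_cif']}")
```

Two rows are the point of the sample: KYC-ID scores only 33 (High on thresholds alone) but is pushed to Critical because it supports a critical function and is not easily substitutable, and BigConsult, the largest contract by value, lands in Low because spend is recorded but never scored. Whatever weights you choose, keep the override rules and the rating scale written down next to the model so that two assessors reach the same tier from the same questionnaire.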
Practical Maintenance Tips
- Automate where possible: Consider tools like 3rdRisk's AI predictive risk profile that continuously assess vendor risk factors and suggest tier adjustments in real time. Treat suggested changes as input to the review, not as the decision itself: a human owner should still confirm and document any tier move.
- Set reclassification triggers: Define what should prompt a re-evaluation – service changes, incidents, business growth with a vendor, or mergers/acquisitions.
- Document your decisions: Maintain records of why each vendor was classified in its tier. This helps with audits and knowledge transfer.
- Avoid common pitfalls: Don't over-classify everything as "high risk" (defeats the purpose), but don't ignore low-tier vendors entirely (they still need basic oversight).
The Bottom Line
Effective DORA vendor segmentation transforms third-party risk management from a reactive chore into a proactive, value-driven process. When done right, you'll demonstrate regulatory compliance while genuinely making your organisation more resilient against third-party disruptions.
Start with a clear framework, engage your business stakeholders, leverage technology to work smarter, and keep your classifications current. Your reward will be a third-party risk program that not only satisfies DORA's requirements but genuinely helps your firm withstand, respond to, and recover from whatever challenges come its way.
For more insights on third-party risk management segmentation, check out our comprehensive guide.
