Peliqan

DORA + MCP: financial services AI compliance 2026



DORA has applied since 17 January 2025 across approximately 22,000 EU financial entities. So every MCP server a bank, insurer, investment firm, or payment institution uses now lands on its Article 28 ICT third-party register. This blog is the procurement-grade playbook for evaluating an MCP vendor under DORA. What to ask, what concentration risk looks like, why EU-hosting matters, and how the cooperative-architecture pattern (tool-calling vendors plus warehouse-first cross-source) maps onto DORA’s critical ICT third-party service provider designation.

The news anchor is clear. On 18 November 2025 the ESAs (EBA, EIOPA, and ESMA acting through the Joint Committee) designated the first 19 Critical ICT Third-Party Providers (CTPPs) under Article 31(9). Fourteen of the 19 are US-incorporated: AWS, Microsoft, Google Cloud, IBM, Oracle, FIS, Bloomberg, Kyndryl, NTT DATA, and others. None of the major MCP vendors got designated yet. However, almost every US-headquartered MCP vendor (Composio, Pipedream, Zapier, Workato, Boomi) sits downstream of a designated US hyperscaler. That inherits CLOUD Act exposure and concentration risk by default.

Financial services is the only buyer that has to satisfy all five regimes at once: DORA + EU AI Act + NIS2 + CLOUD Act / Schrems II + Peppol / ViDA. DORA is lex specialis only against NIS2. It does not displace GDPR, the AI Act, or Peppol. So the procurement answer for AI agent infrastructure narrows fast: EU-headquartered, EU-hosted, SOC 2 Type II + ISO 27001 certified, no US parent. This post is the fourth regulatory pillar in our cluster.

The cooperative architecture for DORA-bound financial entities

The right mental model is three cooperating MCP surfaces, each doing what it was built for. So Composio, Pipedream, and Zapier handle tool-calling for non-regulated workflows. Workato and Boomi handle enterprise iPaaS where US parent exposure is acceptable. Peliqan layers warehouse-first cross-source SQL on top with EU-only hosting, Article 30 contract clause coverage, and audit-logged writeback. The same cooperative pattern is documented across our GDPR-compliant MCP servers playbook.

For the underlying protocol layer, the Claude MCP setup playbook covers the OAuth and audit-log primitives every DORA-bound deployment should standardise on.

The DORA timeline at a glance

17 January 2025: DORA Day 1. Regulation (EU) 2022/2554 applies across approximately 22,000 EU financial entities.
24 March 2025: Commission Delegated Regulation 2025/532 adopted (RTS on subcontracting of ICT services).
30 April 2025: First Article 28 Register of Information submission cycle to National Competent Authorities.
8 July 2025: RTS on TLPT methodology (Commission Delegated Regulation 2025/1190) applicable, aligned with ECB TIBER-EU.
18 November 2025: ESAs publish first list of 19 designated Critical ICT Third-Party Providers (CTPPs).
2 August 2026: EU AI Act Article 26 deployer obligations apply for high-risk systems (Annex III includes credit scoring and insurance pricing).
17 January 2028: First TLPT cycle deadline for designated entities under Article 26.

The blog walks through what each of those dates means in procurement terms.

The 7 standing questions every DORA-bound buyer asks before approving an MCP vendor

If you are a CISO, Head of Compliance, CTO, or CIO at one of the ~22,000 in-scope financial entities, these seven questions come up every time a new MCP vendor reaches the procurement desk. Each one maps to a specific DORA article. So a generic vendor security questionnaire isn’t enough.

The 7 procurement questions and the DORA articles behind them

1. Is this vendor on our ICT third-party register? Article 28. Every ICT arrangement, no de minimis threshold. xBRL-CSV templates from Commission Implementing Regulation 2024/2956.
2. What is the concentration risk if this vendor goes down? Article 29. Especially relevant if the vendor rides on AWS, Microsoft, Google Cloud, IBM, or Oracle (all designated CTPPs).
3. Where is the data hosted? EU-resident? CLOUD Act exposure? Article 28(2) location requirement, GDPR Article 48, EDPB Schrems II Recommendations 01/2020.
4. Does the vendor support 4h / 72h / 1-month incident reporting? Article 19. Classification under Commission Delegated Regulation 2024/1772. Templates in ITS 2025/302.
5. Will this vendor be designated a critical CTPP? Article 31 criteria. First list of 19 published 18 November 2025. Next round annually.
6. Can we run TLPT against this vendor’s infrastructure? Article 26 + RTS 2025/1190. Mandatory cooperation for ICT services supporting critical or important functions.
7. Does the contract include the 14 Article 30 clauses including termination triggers? Article 30(2) baseline (9 clauses) plus Article 30(3) CIF additions (5 clauses) plus the 4 Article 28(7) termination triggers.

A “yes” to all seven is the floor. Even with seven yeses, concentration risk under Article 29 may still flag the vendor.

Article 28: the ICT third-party register decoded

Article 28 is the operational backbone of DORA’s third-party regime. So every financial entity must maintain a Register of Information covering every ICT arrangement. The first cycle ran to 30 April 2025 with submissions to National Competent Authorities, then NCA-to-ESA aggregation.

What goes on the register

The xBRL-CSV templates from Commission Implementing Regulation 2024/2956 cover entity and branch identification, ICT third-party master list with LEI codes and CTPP designation status, function performed, criticality classification (CIF or non-CIF), contract date and term, geographic location of service provision and data processing, sub-outsourcing chain disclosure for CIF, and exit strategy reference. So an MCP vendor goes on the register with all of those fields populated, not just the contract name.

For the access-control side that satisfies Article 30(3) audit evidence, the permissions documentation covers role-based access and column-level masking.

Sub-outsourcing chain disclosure

Article 30(2) + Commission Delegated Regulation 2025/532 require the financial entity to know the full subcontracting chain for CIF arrangements. So if an MCP vendor hosts on AWS, uses a third-party LLM provider, and routes through a US payment processor for billing, all of those subcontractors get disclosed. The vendor that publishes its sub-processors openly (via a Trust Center) saves the procurement team weeks. For the broader regulatory pattern, see our EU AI Act and MCP Article 26 reference.

Article 28(7) termination triggers

Four mandatory triggers must be in every CIF contract. First, significant breach of applicable laws or contractual terms. Second, regulatory change that prevents the vendor from continuing to provide the service. Third, identified deterioration in ICT risk that the vendor cannot remediate. Fourth, supervisor request following exercise of supervisory powers. Each trigger needs a defined notice period and an exit strategy with adequate transition time. The Peppol MCP pan-EU pillar covers a parallel exit pattern for e-invoicing infrastructure.

The 5 cross-source workflows that need MCP joining for DORA compliance

1. ICT third-party register automation

Join vendor inventory (procurement system) to contract terms (CLM platform) to DORA classification (CIF vs non-CIF) to LEI codes (GLEIF) to CTPP designation status (ESAs list). So the agent fills the xBRL-CSV templates from Commission Implementing Regulation 2024/2956 automatically rather than the compliance team hand-mapping 200 contracts each April. Per the ESAs 2024 DORA Dry Run summary, of 947 registers analysed, only 6.5% passed all data quality checks. Furthermore, 50% of the failed registers had fewer than 5 of the 116 data quality checks still outstanding. So automation against a warehouse is the practical answer. The cross-source MCP SQL cornerstone walks through the architectural pattern.

2. Concentration risk monitoring

Join vendor to business unit to spend to criticality to underlying hyperscaler. So the dashboard surfaces which functions inherit AWS, Microsoft, or Google Cloud concentration risk through their MCP vendor. This is the Article 29 question that the ESAs explicitly flagged when designating 14 US-headquartered providers in the first CTPP list. For more on the pricing trade-offs, see our MCP server pricing 2026 guide.

3. Incident detection + 24h/72h/1-month classification

Join incident severity (SIEM) to affected vendor system (CMDB) to affected business function (operational register) to reporting timeline (4h initial / 72h intermediate / 1-month final). So the agent classifies the incident under Commission Delegated Regulation 2024/1772 thresholds and drafts the report on time. Most financial entities cannot meet the 4h initial timeline manually for cross-vendor incidents. For the API-budget reality of multi-vendor MCP, see our MCP rate limits guide.

4. TLPT scope mapping

Join business function criticality (CIF designation) to underlying ICT service to CTPP designation status to test scope (Article 26). So the TLPT scope document is generated from current data rather than reconstructed from spreadsheets every 3 years. The Threat Intelligence provider must be independent of the Red Team provider per RTS 2025/1190. Furthermore, ICT third-party providers supporting CIF must participate. So the warehouse pattern records which vendor’s infrastructure was in scope for which test cycle.

5. Exit strategy + data portability

Join contract termination triggers to data extraction requirements to business continuity test results. So when one of the four Article 28(7) triggers fires, the agent knows which data needs to be extracted, in what format, on what timeline, and where the warm standby lives. The reverse ETL documentation covers the writeback layer that makes exit-data-portability mechanical rather than a project.
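Workflow 2 above is the one a warehouse query answers most directly: join business function to vendor to underlying hyperscaler to the CTPP list and surface the concentration that an EU region label hides. The example below is added here and is not Peliqan’s code; the vendor names, regions and register rows are constructed sample data, and the CTPP names are the ones the text cites.

```python
import sqlite3

# Constructed sample register rows (not real data): which business function
# runs through which MCP vendor, whether it is critical or important (CIF),
# and which hyperscaler each vendor ultimately hosts on.
FUNCTION_VENDOR = [
    # (business_function, business_unit, vendor, is_cif)
    ("credit scoring",      "retail banking", "Vendor A", 1),
    ("payment initiation",  "payments",       "Vendor A", 1),
    ("KYC onboarding",      "compliance",     "Vendor B", 1),
    ("marketing analytics", "marketing",      "Vendor C", 0),
    ("treasury reporting",  "treasury",       "Vendor D", 1),
]
VENDOR_HOSTING = [
    # (vendor, hosting_region, underlying_provider)
    ("Vendor A", "us-east-1",    "AWS"),
    ("Vendor B", "eu-central-1", "AWS"),           # Frankfurt, but still AWS
    ("Vendor C", "europe-west1", "Google Cloud"),
    ("Vendor D", "eu-central-1", "AWS"),
]
# Designated CTPPs named in the text (a subset of the 18 November 2025 list).
CTPPS = ["AWS", "Microsoft", "Google Cloud", "IBM", "Oracle"]


def build_db():
    """Load the constructed rows into an in-memory SQLite warehouse."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE function_vendor(business_function TEXT, business_unit TEXT,
                                     vendor TEXT, is_cif INTEGER);
        CREATE TABLE vendor_hosting(vendor TEXT, hosting_region TEXT,
                                    underlying_provider TEXT);
        CREATE TABLE ctpp(provider TEXT);
    """)
    con.executemany("INSERT INTO function_vendor VALUES (?,?,?,?)", FUNCTION_VENDOR)
    con.executemany("INSERT INTO vendor_hosting VALUES (?,?,?)", VENDOR_HOSTING)
    con.executemany("INSERT INTO ctpp VALUES (?)", [(c,) for c in CTPPS])
    return con


# One row per designated CTPP that CIF functions inherit through an MCP vendor.
CONCENTRATION_SQL = """
SELECT h.underlying_provider,
       COUNT(DISTINCT f.business_function) AS cif_functions,
       COUNT(DISTINCT f.business_unit)     AS business_units,
       COUNT(DISTINCT f.vendor)            AS vendors
FROM function_vendor f
JOIN vendor_hosting h ON h.vendor = f.vendor
JOIN ctpp c           ON c.provider = h.underlying_provider
WHERE f.is_cif = 1
GROUP BY h.underlying_provider
ORDER BY cif_functions DESC
"""

# The CIF functions riding a given CTPP, with the region each vendor hosts in.
FUNCTIONS_SQL = """
SELECT f.business_function, f.vendor, h.hosting_region
FROM function_vendor f
JOIN vendor_hosting h ON h.vendor = f.vendor
WHERE f.is_cif = 1 AND h.underlying_provider = ?
ORDER BY f.business_function
"""


def inherited_ctpp_concentration(con):
    cols = ("provider", "cif_functions", "business_units", "vendors")
    return [dict(zip(cols, row)) for row in con.execute(CONCENTRATION_SQL)]


def functions_inheriting(con, provider):
    return [tuple(row) for row in con.execute(FUNCTIONS_SQL, (provider,))]
```

With this data the dashboard shows four CIF functions across four business units and three vendors all inheriting AWS, including the two vendors that host in Frankfurt; the Google Cloud dependency does not appear because the only function on it is non-CIF.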

The 3 failure modes of DORA-bound AI agent governance

This is the defensible IP a CISO can take into the ESA examination room. Three failure modes recur across every DORA enforcement audit we read. Each one is structural, not a vendor bug.

Failure mode 1: Shadow MCP

Finance teams adopt consumer-grade AI tools that touch regulated data without IT review. Article 28(3) requires the register to cover every ICT third-party arrangement with no de minimis exception. So a credit analyst pasting customer financials into a US-hosted chatbot is technically a DORA register omission. Combine with ENISA Threat Landscape 2025’s finding that “over 80% of all phishing emails identified between September 2024 and February 2025 using AI to some extent,” and the implication is direct. Every unsanctioned MCP server connected to regulated data is both a DORA register failure and a supply-chain attack surface.

Failure mode 2: concentration creep

Multiple business functions use the same US-hosted MCP vendor, accumulating untracked concentration risk that ESAs flag. The 18 November 2025 CTPP designation list is the clearest public evidence. 14 of 19 designated providers are US-headquartered hyperscalers and global integrators. So an MCP vendor that runs on AWS Frankfurt is still riding a designated CTPP. Per ECB Banking Supervision’s Supervisory Priorities 2025-27 (December 2024), operational resilience with DORA compliance is explicitly Priority 3. The supervisors will look at concentration in the SSM 2026 cycle.

Failure mode 3: audit-log invisibility

Most MCP servers don’t log queries against regulated data with the granularity ESAs expect for the audit trail. Commission Delegated Regulation 2024/1774 (RTS on ICT risk management framework) mandates audit-logged access controls. Furthermore, Article 30(3) requires SLA-grade evidence for CIF services. So a vendor that proxies prompts against customer data without logging the originating user, source dataset, mutation payload, and response cannot satisfy the requirement. The fix is structural: the MCP server must enforce the log at the protocol boundary, not in a separate observability stack.
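What enforcing the log at the protocol boundary looks like in practice: the dispatcher below writes the record (originating user, source dataset, mutation payload, response) around every tool call, and refuses calls that carry no authenticated user. This is an added illustration, not Peliqan’s server code; the tool names, dataset name and in-memory customer data are constructed, and the audit sink is a plain list standing in for append-only storage.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLogError(Exception):
    """Raised when a tool call cannot be tied to an originating user."""


class AuditedMcpServer:
    """Minimal MCP-style tool dispatcher that writes the audit record at the
    protocol boundary: no handler runs without a record being appended."""

    def __init__(self):
        self._tools = {}
        self.audit_log = []  # hypothetical in-memory sink; production needs append-only storage

    def register_tool(self, name, dataset, handler, mutating=False):
        self._tools[name] = {"dataset": dataset, "handler": handler, "mutating": mutating}

    def call_tool(self, name, arguments, principal):
        """Dispatch one tool call. `principal` is the authenticated caller (e.g. OAuth claims)."""
        tool = self._tools[name]
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": (principal or {}).get("sub"),
            "tool": name,
            "source_dataset": tool["dataset"],
            # Full payload is kept for mutations; reads keep a hash of the arguments.
            "mutation_payload": arguments if tool["mutating"] else None,
            "arguments_sha256": hashlib.sha256(
                json.dumps(arguments, sort_keys=True).encode()).hexdigest(),
            "response": None,
            "outcome": None,
        }
        try:
            if not record["user"]:
                record["outcome"] = "denied"
                raise AuditLogError(f"refusing {name}: no originating user on the call")
            record["response"] = tool["handler"](**arguments)
            record["outcome"] = "ok"
            return record["response"]
        except AuditLogError:
            raise
        except Exception as exc:
            record["outcome"] = "error"
            record["response"] = repr(exc)
            raise
        finally:
            # Runs on success, denial and handler failure alike.
            self.audit_log.append(record)


def build_demo_server():
    """Constructed sample: two tools over an in-memory customer credit-limit dataset."""
    limits = {"C-1": 2000}

    def read_credit_limit(customer_id):
        return {"customer_id": customer_id, "limit": limits[customer_id]}

    def update_credit_limit(customer_id, new_limit):
        limits[customer_id] = new_limit
        return {"customer_id": customer_id, "limit": new_limit}

    srv = AuditedMcpServer()
    srv.register_tool("read_credit_limit", "customers.credit_limits", read_credit_limit)
    srv.register_tool("update_credit_limit", "customers.credit_limits",
                      update_credit_limit, mutating=True)
    return srv
```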

The 8-vendor DORA-readiness matrix

Eight MCP and integration vendors any DORA-bound buyer will encounter. Here’s the honest matrix, framed by the dimensions that actually appear in a procurement spreadsheet.

Vendor | HQ + EU residency | SOC 2 / ISO 27001 | CLOUD Act exposure
Composio (Rube) | US (San Francisco); US-hosted | SOC 2 Yes; ISO 27001 Yes | High
Pipedream | US (NY); Workday subsidiary post-close Jan 2026 | SOC 2 Yes; ISO 27001 not publicly listed | High (US parent + Workday)
Zapier MCP | US; no EU-only residency | SOC 2 Yes; ISO 27001 claimed | High
Apideck | Belgium (Antwerp) SRL + US commercial; EU-only hosting | SOC 2 Yes; ISO 27001 not publicly listed | Lower (Belgian SRL)
CData | US (North Carolina); US-hosted | SOC 2 Yes; ISO 27001 Yes | High
Workato | US (California); Frankfurt EU AWS region | SOC 2 Yes; ISO 27001 + 27701 + PCI-DSS L1 (2025) | High (US parent)
Boomi | US (Pennsylvania); European Platform Instance GA March 2026 | SOC 2 Yes; ISO 27001 Yes | High (US parent; EU instance is operational, not corporate)
Peliqan | Belgium (Ghent); EU-only (AWS Frankfurt) | SOC 2 Type II Yes; ISO 27001 Yes | None (Belgian entity, no US parent)

For a deeper architectural breakdown across the third-party MCP options, see our 8-way MCP architecture comparison.

The 5-regime convergence: DORA × EU AI Act × NIS2 × CLOUD Act × Peppol

Financial services is the only buyer that has to satisfy all five regulatory regimes at the same time. So the procurement question isn’t “DORA-ready,” it’s “five-regime-ready.”

Regime | Effective date | What it requires from an MCP vendor
DORA | 17 January 2025 | Article 28 register + Article 30 contract clauses + 4h/72h/1mo incident reporting + Article 26 TLPT
EU AI Act | 2 August 2026 (high-risk obligations under current text) | Article 26 deployer obligations: human oversight, log retention, incident reporting. Annex III covers credit scoring and insurance pricing.
NIS2 | 17 October 2024 transposition deadline | Banks are essential entities. DORA is lex specialis for ICT risk; NIS2 Article 21 supply-chain risk still applies indirectly.
CLOUD Act / Schrems II | Standing exposure | Transfer Impact Assessment for US providers. EDPB Recommendations 01/2020. DPF under Latombe appeal to CJEU (31 October 2025).
Peppol / ViDA | Belgium 1 January 2026; France phase-in from 1 September 2026 | Mandatory B2B e-invoicing via Peppol 5-corner. Payment institutions in scope from Day 1.

The five-regime stack is Peliqan’s strongest defensible IP. No US-hosted vendor can satisfy all five without re-architecting jurisdiction. Furthermore, the cooperative architecture lets the buyer keep US-hosted tool-calling for non-regulated workflows while moving regulated data onto an EU-resident warehouse-first layer.

DORA penalties decoded

The penalty structure differs sharply between financial entities and designated CTPPs. So get the inversion right before quoting numbers in a board paper.

The penalty inversion to get right

  • Financial entities: up to 2% of total annual worldwide turnover (one-off ceiling for serious infringements). Up to 1% of average daily worldwide turnover for periodic penalty payments to compel compliance. Individual fines up to EUR 1m in some Member States.
  • Designated CTPPs (Article 35(6)): the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover per day of non-compliance, for up to 6 months. Fixed component up to EUR 5,000,000 for legal persons; EUR 500,000 for individuals.
  • Member State variation under Article 50: national caps range from 5% turnover (Spain) to 10% turnover (Sweden); absolute ceilings from EUR 2m (Czech Republic) to EUR 20m (Italy).
  • Article 52: Member States may add criminal penalties for severe violations.

So when ENISA Threat Landscape 2025 reports 4,875 verified incidents in the July 2024 to June 2025 reporting period (with 53.7% involving NIS2 essential entities), the financial-services share is 4.5%. That’s the supervisory backdrop a tier-1 bank’s DORA team will see referenced in every NCA examination this year.

Article 26 TLPT: who’s in scope and what it costs

Threat-Led Penetration Testing is the most expensive line item in a DORA program. So scope discipline matters.

Who’s in scope

Not all 22,000 entities. Only designated entities per Article 26(8) and RTS 2025/1190 (applicable 8 July 2025). Specifically: Global and Other Systemically Important Institutions under CRR/CRD (approximately 120 significant banks under ECB SSM supervision), plus systemically important payment and e-money institutions, CSDs, CCPs, and certain insurers above thresholds. ECB published the TIBER-EU SSM Implementation Guide in November 2025.

Cadence and methodology

Every 3 years. First cycle for designated entities due by 17 January 2028. Methodology aligned with ECB TIBER-EU framework. Internal red teams permitted for up to 2 of every 3 cycles. The third must be external. The Threat Intelligence provider must be independent of the Red Team provider. Pooled TLPT permitted under Article 26(5). For the broader regulatory pattern across pillars, see our EU CFO hub.

What it costs an MCP vendor

ICT third-party providers supporting CIF must participate in scope, with safeguards under Article 26(4). So the contract has to make this mechanical, not negotiated case-by-case. A vendor that publishes its TLPT cooperation posture as part of the MSA saves the financial entity from having to reopen the contract.

5 buyer sub-segments and the right stack for each

Sub-segment | Recommended cooperative architecture | Peliqan tier
Tier-1 EU bank (>€30bn assets) | US-hosted tool-calling for non-regulated workflows; Peliqan Enterprise (Private Sovereign Cloud / on-prem K8s) for regulated data. Full Article 30(3) coverage and TLPT readiness mandatory. | Enterprise Custom
Tier-2 mid-market bank (€5-30bn) | Peliqan Pro plus selective Composio Rube for non-CIF tools; document Article 30 clause coverage for both vendors. | Pro (€500/month)
EU insurer | Peliqan Pro (EU-hosted, ISO 27001, SOC 2 Type II). Avoid US-default MCP vendors for claims and underwriting agents under AI Act Annex III. | Pro
Payment Institution (PI) | Peliqan Pro with Peppol-aware writeback for B2B e-invoicing. Belgian PIs are already live under the 1 January 2026 mandate. | Pro
Crypto-Asset Service Provider (CASP) under MiCA | Peliqan Pro. MiCA + DORA stacked. ESMA is the competent authority. Full Article 28 register from day 1. | Pro

Peliqan’s posture for DORA-bound buyers

Peliqan was built EU-hosted, warehouse-first, and contract-clause-aware from day one. So the DORA-specific procurement checklist has prebuilt answers, not custom legal review per buyer.

How Peliqan handles the DORA procurement checklist

EU jurisdiction structurally: Belgian SRL headquartered in Ghent. AWS Frankfurt hosting. No US parent. No CLOUD Act or FISA 702 inheritance.
Article 30 clause coverage: Standard MSA aligns to the 14 mandatory clauses including the 4 Article 28(7) termination triggers. Customisable for CIF arrangements.
Audit-logged writeback: Every MCP query logs originating user, source dataset, mutation payload, and response. Audit trail satisfies Commission Delegated Regulation 2024/1774 and AI Act Article 26.
TLPT support: Customer-deployable infrastructure. On-prem K8s in Enterprise tier supports red-team scope for designated entities.
Sub-processor visibility: Public Trust Center lists every sub-processor. Annual review aligned to Article 28 register requirements.
Pricing transparency: Connect €75/month for non-production. Pro €500/month with DWH + Reverse ETL + Trino for the cooperative-architecture story. Enterprise Custom for tier-1 banks needing Private Sovereign Cloud or on-prem K8s.

Logo customers in the Belgian finance ecosystem include Finvision (Belgian finance consultancy, operates a white-labelled Peliqan tenant at finvision.peliqan.io) and Vandelanotte (top-10 Belgian accounting firm founded 1948, integrated Callens, Pirenne & Co in October 2022). For the accountancy-side DORA exposure pattern, see our finance consultants persona page.

For tier-1 banks running Salesforce Financial Services Cloud, the Salesforce + Claude MCP cornerstone covers the multi-org consolidation pattern that fits the DORA Article 28 register obligation.

The bottom line on DORA + MCP

The 18 November 2025 CTPP designation list and the 30 April 2025 first Register of Information cycle have made the procurement story concrete. So an MCP vendor evaluation now starts with five questions: where is the entity incorporated, where is the data hosted, what SOC 2 and ISO 27001 certifications exist, what Article 30 clause coverage does the MSA already include, and how does the vendor handle the 4h/72h/1-month incident reporting cascade.

Furthermore, financial services is the only buyer that has to satisfy all five regimes simultaneously. DORA + EU AI Act + NIS2 + CLOUD Act/Schrems II + Peppol/ViDA. No US-hosted vendor satisfies all five without re-architecting jurisdiction. So the cooperative architecture is the cheap procurement decision. US-hosted tool-calling for non-regulated workflows, EU-hosted warehouse-first MCP for the regulated data layer, and audit-logged writeback throughout.

The 22,000 financial entities in DORA scope have until the next supervisory cycle to get this right. After the first 19 CTPPs were named, the next round of designations will land annually. So the AI agent architecture you set in May 2026 compounds across the next decade of supervisory examinations.

This post is informational and not legal advice. Verify DORA, EU AI Act, NIS2, Peppol/ViDA, and Schrems II details with qualified counsel before any procurement decision. Regulation citations reflect publicly available information as of May 2026 and may change.

FAQs

Not as a direct obligation, but through the financial entity that uses them. Since 17 January 2025, every MCP server a bank, insurer, investment firm, payment institution, or crypto-asset service provider uses lands on that entity’s Article 28 ICT third-party register. So the MCP vendor must support the Article 30(2)/(3) clauses, the Article 19 4h/72h/1-month incident reporting cascade, and Article 26 TLPT participation for critical functions. Vendors classified as CTPPs under Article 31 are subject to direct ESA oversight. The first list of 19 CTPPs was published 18 November 2025.

Any undertaking providing ICT services per Article 3. Specifically, “digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service.” So that covers cloud infrastructure, core banking software, payment processors, SaaS tools, MCP servers, and intra-group IT. CTPPs are a subset designated by the ESAs under Article 31. 19 providers were designated on 18 November 2025, including AWS, Microsoft, Google Cloud, IBM, Oracle, SAP, and Bloomberg.

They stack. GDPR (2018) regulates personal data processing. EU AI Act (in force August 2024; high-risk obligations from 2 August 2026 under the current text) regulates AI systems by risk tier. DORA (applicable 17 January 2025) regulates ICT risk for financial entities. So a financial entity using an AI agent on personal data through an MCP server must simultaneously satisfy GDPR Articles 5/32/48, AI Act Article 26 deployer duties, and DORA Articles 5-30. DORA is lex specialis only against NIS2. It does not displace GDPR or the AI Act.

Designation under Article 31 DORA by EBA, EIOPA, and ESMA through the Joint Committee. Methodology criteria in Article 31(2): potential systemic impact if the provider suffered a large-scale operational failure; systemic importance of reliant financial entities; concentration of reliance across banking, insurance, and securities sectors; substitutability of services. The first list of 19 designated CTPPs was published 18 November 2025. Each CTPP gets a Lead Overseer (EBA, ESMA, or EIOPA), must designate an EU subsidiary as coordination point, pays annual oversight fees, and is supervised by Joint Examination Teams from 2026. Non-EU CTPPs must establish an EU subsidiary within 12 months of designation.

Author Profile

Niko Nelissen

CEO & Founder of Peliqan. I have 30+ years experience bootstrapping and growing startups, in various roles including as VP Biz dev, CTO and CEO. I have a special interest in SaaS, cloud, iPaaS, machine learning, AI, data engineering, ETL, data warehouses, data lakes, no-code/low-code.
