Role Definition
| Field | Value |
|---|---|
| Job Title | DORA Third-Party Risk Analyst (ICT TPRM Analyst) |
| Seniority Level | Mid-Level (3-5 years experience) |
| Primary Function | Assesses and monitors risks from ICT third-party service providers under DORA Chapter V. Conducts vendor due diligence, maintains the Register of Information (Article 28(3)), analyses concentration risk across critical ICT providers, manages vendor questionnaire workflows, tracks exit strategy readiness, and supports regulatory reporting to competent authorities. Operates within the TPRM function, typically reporting to a Third-Party Risk Lead or DORA ICT Risk Officer. |
| What This Role Is NOT | NOT a DORA ICT Risk Officer (owns the full ICT risk framework, management body reporting, incident classification — scored 55.2 GREEN). NOT a Third Party Risk Lead (Cyber) at senior level (strategic programme ownership, vendor negotiation authority — scored 59.3 GREEN). NOT a GRC Analyst (general governance/risk/compliance across all domains — scored 28.0 YELLOW). NOT a Supply Chain Security Analyst (software supply chain, SBOM analysis — scored 34.9 YELLOW). This role executes third-party risk assessments within an established DORA framework rather than designing the framework itself. |
| Typical Experience | 3-5 years in third-party risk management, IT risk, or financial services compliance. Certifications: CTPRP (Shared Assessments), CRISC, CISM, PECB DORA Foundation. Reports to Head of TPRM, DORA ICT Risk Officer, or CISO. |
Seniority note: A junior TPRM coordinator focused on questionnaire chasing and register data entry would score deeper Yellow or low Red. A senior Third-Party Risk Lead with strategic vendor negotiation, concentration risk decisions, and management body reporting scores Green (59.3).
Protective Principles + AI Growth Correlation
| Principle | Score (0-3) | Rationale |
|---|---|---|
| Embodied Physicality | 0 | Fully digital. GRC platforms, vendor portals, regulatory templates, stakeholder calls. |
| Deep Interpersonal Connection | 1 | Coordinates with ICT providers during assessments and internally with legal, procurement, and IT. Transactional relationships rather than deep trust-based advisory. |
| Goal-Setting & Moral Judgment | 1 | Interprets DORA requirements for specific vendor scenarios and flags concentration risk, but works within a framework designed by the DORA ICT Risk Officer or Risk Lead. Limited strategic authority. |
| Protective Total | 2/9 | |
| AI Growth Correlation | 1 | DORA creates a regulatory demand floor — every in-scope financial entity must maintain ICT third-party oversight. AI adoption introduces new ICT provider categories (LLM APIs, AI-as-a-Service) requiring assessment. Weak positive — regulation drives demand, not AI growth itself. |
Quick screen result: Protective 2 + Correlation 1 = Likely Yellow Zone.
Task Decomposition (Agentic AI Scoring)
| Task | Time % | Score (1-5) | Weighted | Aug/Disp | Rationale |
|---|---|---|---|---|---|
| Vendor risk assessment & due diligence | 25% | 3 | 0.75 | AUG | AI pre-screens vendor documentation, extracts contract clauses (audit rights, exit provisions, data residency), cross-references against DORA RTS requirements. Human evaluates nuanced provider capabilities, assesses whether SOC 2/ISO 27001 evidence truly covers DORA-specific requirements, determines risk ratings for complex multi-service arrangements. |
| Concentration risk analysis & monitoring | 15% | 2 | 0.30 | AUG | AI maps provider dependency chains and flags concentration thresholds. Human interprets whether concentration creates systemic risk for the specific entity, considers substitutability of critical providers, evaluates fourth/Nth-party dependencies. Genuine judgment required — no two entities have the same ICT dependency landscape. |
| Register of Information maintenance | 20% | 4 | 0.80 | DISP | Maintaining the DORA Article 28(3) register of ICT third-party arrangements. Structured data fields, template-driven, deterministic updates. GRC platforms (ServiceNow, Archer, MetricStream) with DORA modules handle end-to-end with human exception review only. OneTrust and Panorays automate RoI population from contract metadata. |
| Vendor questionnaire management | 15% | 4 | 0.60 | DISP | Designing, distributing, collecting, and scoring vendor questionnaires. Panorays, TrustCloud, and Prevalent automate questionnaire generation, response analysis, and risk scoring. AI NLP extracts answers from uploaded vendor documentation without manual review. Human handles exceptions and escalations only. |
| Continuous monitoring & compliance tracking | 10% | 4 | 0.40 | DISP | SecurityScorecard, BitSight, and UpGuard provide continuous external risk scoring. Automated alerts for rating changes, breach notifications, and compliance drift. Human reviews flagged exceptions but does not perform ongoing monitoring. |
| Stakeholder communication & reporting | 10% | 2 | 0.20 | AUG | Presenting assessment findings to internal stakeholders, coordinating remediation with providers, contributing to regulatory submissions. Requires organisational context and relationship navigation. AI drafts reports but human delivers and negotiates. |
| Exit strategy & contract clause analysis | 5% | 3 | 0.15 | AUG | AI extracts and flags exit clause adequacy, maps contractual provisions against the DORA Article 30 key contractual requirements and the Article 28(8) exit-strategy obligation for services supporting critical or important functions. Human evaluates whether exit strategies are operationally viable given the entity's ICT architecture and provider alternatives. |
| Total | 100% | | 3.20 | | |
Task Resistance Score: 6.00 - 3.20 = 2.80/5.0
Displacement/Augmentation split: 45% displacement (register maintenance 20% + questionnaires 15% + continuous monitoring 10%), 55% augmentation (due diligence 25% + concentration risk 15% + stakeholder reporting 10% + exit strategy 5%), 0% not involved.
Reinstatement check (Acemoglu): Moderate. AI-powered ICT providers (LLM APIs, AI-as-a-Service platforms) create a new category of third-party arrangements requiring assessment methodologies that do not yet exist in standard DORA templates. The analyst who can assess AI provider concentration risk and model dependency performs work that did not exist two years ago. However, this new work is bounded — it supplements rather than replaces the automating baseline.
Evidence Score
| Dimension | Score (-2 to 2) | Evidence |
|---|---|---|
| Job Posting Trends | 1 | Rothschild & Co actively recruiting "TPRM Analyst — DORA (F/H)." ECB hiring ICT Risk Experts for third-party oversight. Indeed shows 185 Third Party Vendor Risk Analyst openings in New York State. Demand growing but concentrated in EU/EEA financial services — limited total addressable market. Direction clearly positive. |
| Company Actions | 1 | Deloitte Wave 3: 39% of financial entities dedicate 5-7 FTEs to DORA compliance; 50% still not fully compliant by end-2025. EBA July 2025 consultation on non-ICT third-party risk creates 2-year transitional period through 2027. Organisations investing in TPRM functions, but total headcount per entity is small (2-4 analysts typical for mid-tier firms). |
| Wage Trends | 1 | Ireland: EUR 40K-60K mid-level IT Risk Analyst (Savvi Recruitment). Selby Jennings Europe: EUR 65K-100K Associate/AVP risk management. Glassdoor US: $117K IT Risk Manager. DORA-specific premium emerging but not yet separated from general risk management wages. Tracking above inflation. |
| AI Tool Maturity | 0 | SecurityScorecard, BitSight, Panorays, and TrustCloud displace questionnaire management and continuous monitoring, and GRC platforms with DORA-specific modules automate RoI maintenance; together these three tasks are 45% of the role. But vendor risk assessment judgment, concentration risk interpretation, and exit strategy evaluation remain human-led. Anthropic observed exposure: Compliance Officers 12.1%, Financial Risk Specialists 26.5% — both moderate-low. Mixed: significant displacement of execution tasks, augmentation of analytical tasks. |
| Expert Consensus | 1 | Copla: "DORA compliance not just 2025 — ongoing obligation with continuous improvement." Panorays: 46% of institutions cite RoI as most challenging area. ISC2 2025: 87% expect AI to enhance roles, 2% expect replacement. Consensus: regulation-driven demand persists, but the analyst role compresses toward judgment and away from execution as platforms mature. |
| Total | 4 | |
Barrier Assessment
Reframed question: What prevents AI execution even when programmatically possible?
| Barrier | Score (0-2) | Rationale |
|---|---|---|
| Regulatory/Licensing | 1 | DORA mandates the ICT risk management function (Article 6(4)) but does not require a named analyst role — it requires a control function. The analyst operates within this mandated function but is not the named accountable person (that is the DORA ICT Risk Officer or CISO). CTPRP/CRISC certifications expected but not legally mandated. Moderate regulatory protection via the function, not the individual. |
| Physical Presence | 0 | Fully remote-capable. |
| Union/Collective Bargaining | 0 | Financial services professional role. No union representation typical in TPRM functions. |
| Liability/Accountability | 1 | Vendor risk assessment errors can result in regulatory findings if a critical provider fails and the assessment was inadequate. But personal liability sits with the named control function owner (DORA ICT Risk Officer) and management body (Article 5(2)), not the mid-level analyst. Shared accountability, not direct. |
| Cultural/Ethical | 1 | Financial regulators expect human assessors behind third-party risk decisions. Third-party providers expect human counterparts for assessment queries and remediation discussions. However, this cultural expectation is weakening as automated risk scoring platforms (SecurityScorecard, BitSight) gain regulatory acceptance for initial screening. |
| Total | 3/10 |
AI Growth Correlation Check
Confirmed at 1 (Weak Positive). DORA's mandatory ICT third-party oversight creates a regulatory demand floor for the function. AI adoption introduces new provider categories requiring assessment (LLM APIs, AI scoring services, AI-as-a-Service providers) — expanding the Register of Information and creating novel concentration risk questions. But the analyst role's existence is driven by regulation, not AI growth. The function grows with DORA enforcement, not with AI adoption rates.
JobZone Composite Score (AIJRI)
| Input | Value |
|---|---|
| Task Resistance Score | 2.80/5.0 |
| Evidence Modifier | 1.0 + (4 x 0.04) = 1.16 |
| Barrier Modifier | 1.0 + (3 x 0.02) = 1.06 |
| Growth Modifier | 1.0 + (1 x 0.05) = 1.05 |
Raw: 2.80 x 1.16 x 1.06 x 1.05 = 3.6150
JobZone Score: (3.6150 - 0.54) / 7.93 x 100 = 38.8/100
Zone: YELLOW (Green >=48, Yellow 25-47, Red <25)
Sub-Label Determination
| Metric | Value |
|---|---|
| % of task time scoring 3+ | 75% |
| AI Growth Correlation | 1 |
| Sub-label | Yellow (Urgent) — AIJRI 25-47 AND >=40% scoring 3+ |
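To make the arithmetic behind the composite-score table and the sub-label table reproducible, here is an added worked example (not code from the original page) that encodes the task table, the three modifiers, the zone thresholds and the Yellow (Urgent) rule exactly as the page states them, and recomputes the 38.8, the 75% share of time scoring 3+, and the displacement/augmentation split from the task percentages rather than by hand. The Task class, the function names and the NONE mode label are this example's own; the page gives only the Urgent sub-label rule, so every other case returns the bare zone name (an assumption).

```python
from dataclasses import dataclass

# Constants copied from the page's "JobZone Composite Score (AIJRI)" section.
EVIDENCE_WEIGHT = 0.04    # Evidence Modifier = 1 + evidence_total * 0.04
BARRIER_WEIGHT = 0.02     # Barrier Modifier  = 1 + barrier_total * 0.02
GROWTH_WEIGHT = 0.05      # Growth Modifier   = 1 + growth_correlation * 0.05
SCORE_OFFSET = 0.54       # JobZone = (raw - 0.54) / 7.93 * 100
SCORE_RANGE = 7.93
GREEN_MIN, YELLOW_MIN = 48, 25   # Green >=48, Yellow 25-47, Red <25
URGENT_MIN_SHARE = 40            # Yellow (Urgent): >=40% of task time scoring 3+


@dataclass(frozen=True)
class Task:
    name: str
    time_pct: int   # share of working time; all tasks must sum to 100
    score: int      # agentic AI score 1-5 (5 = most automatable)
    mode: str       # "AUG", "DISP" or "NONE" (assumed label for "not involved")


# The seven rows of the page's Task Decomposition table.
PAGE_TASKS = [
    Task("Vendor risk assessment & due diligence", 25, 3, "AUG"),
    Task("Concentration risk analysis & monitoring", 15, 2, "AUG"),
    Task("Register of Information maintenance", 20, 4, "DISP"),
    Task("Vendor questionnaire management", 15, 4, "DISP"),
    Task("Continuous monitoring & compliance tracking", 10, 4, "DISP"),
    Task("Stakeholder communication & reporting", 10, 2, "AUG"),
    Task("Exit strategy & contract clause analysis", 5, 3, "AUG"),
]


def weighted_total(tasks):
    """Sum of time share x score, the 'Weighted' column total."""
    if sum(t.time_pct for t in tasks) != 100:
        raise ValueError("task time shares must sum to 100%")
    return round(sum(t.time_pct / 100 * t.score for t in tasks), 2)


def task_resistance(tasks):
    """Task Resistance Score = 6.00 - weighted total, on a 5.0 scale."""
    return round(6.0 - weighted_total(tasks), 2)


def mode_split(tasks):
    """Time share by mode; the three values always sum to 100."""
    split = {"DISP": 0, "AUG": 0, "NONE": 0}
    for t in tasks:
        split[t.mode] += t.time_pct
    return split


def share_scoring_3plus(tasks):
    """Percentage of task time with an agentic AI score of 3 or higher."""
    return sum(t.time_pct for t in tasks if t.score >= 3)


def aijri(tasks, evidence_total, barrier_total, growth_correlation):
    """Composite score: resistance x three modifiers, then rescaled to 0-100."""
    raw = (task_resistance(tasks)
           * (1 + evidence_total * EVIDENCE_WEIGHT)
           * (1 + barrier_total * BARRIER_WEIGHT)
           * (1 + growth_correlation * GROWTH_WEIGHT))
    return round((raw - SCORE_OFFSET) / SCORE_RANGE * 100, 1)


def zone(score):
    if score >= GREEN_MIN:
        return "GREEN"
    if score >= YELLOW_MIN:
        return "YELLOW"
    return "RED"


def sub_label(score, tasks):
    """Only the Yellow (Urgent) rule is given on the page; else the zone name."""
    z = zone(score)
    if z == "YELLOW" and share_scoring_3plus(tasks) >= URGENT_MIN_SHARE:
        return "Yellow (Urgent)"
    return z.title()


def assess(tasks, evidence_total, barrier_total, growth_correlation):
    """Everything the page's score tables report, in one dict."""
    score = aijri(tasks, evidence_total, barrier_total, growth_correlation)
    return {
        "weighted_total": weighted_total(tasks),
        "task_resistance": task_resistance(tasks),
        "split": mode_split(tasks),
        "share_3plus": share_scoring_3plus(tasks),
        "aijri": score,
        "zone": zone(score),
        "sub_label": sub_label(score, tasks),
    }


if __name__ == "__main__":
    # Evidence 4, Barrier 3, Growth 1 are the totals from the page's tables.
    for key, value in assess(PAGE_TASKS, 4, 3, 1).items():
        print(f"{key}: {value}")
```

Running it reproduces the page's figures (weighted total 3.20, resistance 2.80, AIJRI 38.8, Yellow (Urgent)) and shows the split as 45% DISP / 55% AUG / 0% NONE, which is the check the hand-written split line needs. Changing a single task score in PAGE_TASKS and rerunning is the quickest way to see how sensitive the zone boundary is to the displacement tasks.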
Assessor override: None — formula score accepted. Score sits 0.5 points above Third Party Risk Lead (Cyber) Mid-Level (38.3), reflecting very similar risk profiles. The DORA-specific regulatory context provides marginally more barrier protection than generic cyber TPRM, but the analyst's execution-heavy task mix (45% displacement) keeps it firmly Yellow. Score is 16.4 points below DORA ICT Risk Officer (55.2), which has framework ownership, management body reporting, and incident classification authority that this analyst role lacks.
Assessor Commentary
Score vs Reality Check
The 38.8 places this role 13.8 points above the Yellow/Red boundary — not borderline, but firmly in the "adapt or be absorbed" territory. The score sits remarkably close to Third Party Risk Lead (Cyber) Mid-Level (38.3) because the core problem is identical: vendor risk assessment execution is being automated by the platforms that were originally built to support it. DORA's regulatory mandate protects the function but does not protect the analyst headcount — one DORA ICT Risk Officer with AI-native TPRM platforms can cover what previously required 2-3 analysts.
What the Numbers Don't Capture
- Function-spending vs people-spending. Financial entities are investing heavily in DORA compliance (Deloitte: EUR 2-5M per entity), but the spend is going to GRC platforms and TPRM tools (Panorays, OneTrust, ServiceNow DORA modules), not to additional analyst headcount. Budget growth does not equal hiring growth.
- Geographic concentration. DORA applies directly to financial entities authorised in the EU/EEA; ICT third-party providers, wherever located, are reached indirectly through the contractual requirements those entities must impose, and providers designated critical fall under the ESAs' oversight framework. The UK has separate PRA/FCA operational resilience rules. US institutions are in scope only through their EU-authorised subsidiaries. The total addressable market is narrower than the cybersecurity domain's general demand signals suggest.
- Role absorption risk. At smaller payment providers, investment firms, and crypto-asset service providers, this analyst function is absorbed into the DORA ICT Risk Officer or CISO role rather than existing as a standalone position. The standalone analyst is most viable at tier-1 banks and large insurers.
- Platform maturity trajectory. Panorays, TrustCloud, and OneTrust TPRM are adding AI-native features quarterly — contract clause extraction, automated risk scoring, continuous monitoring, and questionnaire automation. The 45% displacement today could reach 60% by 2028.
Who Should Worry (and Who Shouldn't)
If your primary work is maintaining the Register of Information, chasing vendor questionnaire responses, and updating risk registers — these are exactly the tasks that GRC platforms automate fastest. Your 2028 role looks like a platform configuration specialist, not a risk analyst.
If you evaluate complex concentration risk scenarios, assess whether new AI-powered providers create systemic dependencies, and advise on exit strategy viability — you hold the judgment-intensive version that platforms cannot replicate. The analyst who tells the DORA ICT Risk Officer "this AI provider serves 40% of our critical functions and has no viable substitute" is performing irreplaceable work.
The single biggest separator: whether you assess risk or process risk data. The analyst who can determine whether a SOC 2 Type II report actually covers DORA-specific resilience requirements is safer than the analyst who collects SOC 2 reports and checks boxes.
What This Means
The role in 2028: The surviving DORA Third-Party Risk Analyst is a specialist risk assessor — evaluating complex ICT provider arrangements that AI platforms flag but cannot resolve. AI-powered providers, multi-layered sub-contracting chains, and cross-border concentration risk scenarios require human judgment. Register maintenance, questionnaire workflows, and continuous monitoring are fully platform-managed.
Survival strategy:
- Master concentration risk analysis. This is DORA's most complex requirement — assessing whether ICT dependencies create systemic risk across the entity and the broader financial system. Platforms can flag thresholds; humans must interpret what they mean.
- Specialise in AI provider risk assessment. As financial entities adopt AI-as-a-Service, LLM APIs, and AI-powered third-party tools, someone must assess whether these providers meet DORA's digital operational resilience requirements. This sub-specialism does not yet exist in standard frameworks.
- Build toward DORA ICT Risk Officer. The mid-level analyst role compresses; the strategic framework owner role (55.2 GREEN) does not. Develop management body reporting skills, incident classification judgment, and cross-regulation expertise (NIS2, EU AI Act, GDPR).
Where to look next. If you're considering a career shift, these Green Zone roles share transferable skills with DORA Third-Party Risk Analyst:
- DORA ICT Risk Officer (AIJRI 55.2) — direct progression; your DORA knowledge and vendor risk expertise transfer directly into framework ownership and management body advisory.
- Cybersecurity Risk Manager (AIJRI 52.9) — broader risk management scope beyond DORA; your risk assessment methodology and regulatory interpretation skills apply directly.
- Data Protection Officer (AIJRI 50.7) — privacy regulation expertise transfers; DORA's data residency and third-party data processing requirements overlap significantly with GDPR DPO responsibilities.
Browse all scored roles at jobzonerisk.com to find the right fit for your skills and interests.
Timeline: 3-5 years. Platform automation of execution tasks accelerates annually. The regulatory demand floor sustains the function but not the current analyst headcount.