DORA-Art28-P3

Article: 28(3)
Pillar: Third-Party ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 28(3)
Last Reviewed: 2026-01-15

Financial entities shall, at entity level, and on a sub-consolidated and consolidated basis, maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

Evidence Profiles

ICT Third-Party Service Provider Register

CSV register of all ICT third-party service providers with contractual arrangement details, service descriptions, criticality assessments, and data processing locations as required by DORA Article 28(3).

Formats: CSV, JSON
Evidence Class: ict-provider-register
Availability: COMMON
Update Frequency: quarterly
Typical Author: Vendor Management Officer
Approval Chain: Vendor Management Officer → CRO

ICT Provider Criticality Assessment

JSON-structured assessment of ICT third-party service provider criticality, including impact analysis, dependency assessment, and criticality classification.

Formats: JSON
Evidence Class: provider-criticality-assessment
Availability: PARTIAL
Update Frequency: annual
Typical Author: Risk Manager
Approval Chain: Risk Manager → CRO

Fact Schemas

ict_provider_register_status

Schema ID: fs-ict-provider-register
Control: DORA-Art28-P3

Valid Ranges

register_date: within last 3 months
providers_with_contracts: should equal total_providers for full compliance
providers_with_criticality_assessment: should equal total_providers

JSON Schema

{
  "properties": {
    "critical_providers": {
      "minimum": 0,
      "type": "integer"
    },
    "data_locations_documented": {
      "type": "boolean"
    },
    "last_full_review_date": {
      "format": "date",
      "type": "string"
    },
    "providers_with_contracts": {
      "minimum": 0,
      "type": "integer"
    },
    "providers_with_criticality_assessment": {
      "minimum": 0,
      "type": "integer"
    },
    "register_date": {
      "format": "date",
      "type": "string"
    },
    "subcontractors_documented": {
      "type": "boolean"
    },
    "total_providers": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "register_date",
    "total_providers",
    "critical_providers",
    "providers_with_contracts"
  ],
  "type": "object"
}
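
The function below applies the schema's required fields and the Valid Ranges listed for ict_provider_register_status to a single fact. It is an added example, not code from this page or from any tool it describes; the name check_register_status, the 92-day reading of "within last 3 months", and the sample fact are assumptions.

```python
from datetime import date, timedelta

# Assumption: "within last 3 months" is approximated as 92 days.
MAX_REGISTER_AGE = timedelta(days=92)
REQUIRED = ("register_date", "total_providers",
            "critical_providers", "providers_with_contracts")
COUNT_FIELDS = REQUIRED[1:] + ("providers_with_criticality_assessment",)

# Constructed sample fact (not real data): stale register, two providers
# without a documented contract.
SAMPLE = {"register_date": "2025-09-01", "total_providers": 42,
          "critical_providers": 5, "providers_with_contracts": 40,
          "providers_with_criticality_assessment": 42}


def check_register_status(fact, today):
    """Return a list of findings for one ict_provider_register_status fact."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in fact]
    for key in COUNT_FIELDS:
        value = fact.get(key)
        # bool is a subclass of int in Python, so reject it explicitly.
        if key in fact and (isinstance(value, bool)
                            or not isinstance(value, int) or value < 0):
            findings.append(f"{key}: must be an integer >= 0")
    if findings:
        return findings  # the range checks below need well-formed fields
    try:
        register_date = date.fromisoformat(fact["register_date"])
    except (TypeError, ValueError):
        return ["register_date: not an ISO 8601 date"]
    if register_date > today:
        findings.append("register_date: lies in the future")
    elif today - register_date > MAX_REGISTER_AGE:
        findings.append("register_date: older than 3 months")
    total = fact["total_providers"]
    if fact["providers_with_contracts"] != total:
        findings.append("providers_with_contracts: does not equal total_providers")
    # Optional in the schema, so this range is checked only when present.
    if fact.get("providers_with_criticality_assessment", total) != total:
        findings.append(
            "providers_with_criticality_assessment: does not equal total_providers")
    return findings
```

An empty list means the fact satisfies both the schema's required fields and the listed ranges for the given review date.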

provider_criticality_assessment

Schema ID: fs-provider-criticality-assessment
Control: DORA-Art28-P3

Valid Ranges

assessment_date: within last 12 months
criticality_level: critical if supporting critical business functions

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "business_functions_supported_count": {
      "minimum": 0,
      "type": "integer"
    },
    "criticality_level": {
      "enum": [
        "low",
        "medium",
        "high",
        "critical"
      ],
      "type": "string"
    },
    "data_sensitivity_level": {
      "enum": [
        "public",
        "internal",
        "confidential",
        "restricted"
      ],
      "type": "string"
    },
    "impact_if_unavailable": {
      "enum": [
        "negligible",
        "moderate",
        "significant",
        "severe"
      ],
      "type": "string"
    },
    "provider_id": {
      "minLength": 1,
      "type": "string"
    },
    "substitutability_rating": {
      "enum": [
        "easily_substitutable",
        "substitutable_with_effort",
        "difficult_to_substitute",
        "not_substitutable"
      ],
      "type": "string"
    }
  },
  "required": [
    "provider_id",
    "assessment_date",
    "criticality_level",
    "business_functions_supported_count"
  ],
  "type": "object"
}