DORA-Art29-P1

Article: 29(1)
Pillar: Third-Party ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 29(1)
Last Reviewed: 2026-01-15

Financial entities shall carry out a preliminary assessment of ICT concentration risk at entity level before entering into a contractual arrangement on the use of ICT services, including identifying whether the conclusion of such arrangement would lead to an increase in ICT concentration risk.

Evidence Profiles

ICT Concentration Risk Assessment PARTIAL

Assessment of concentration risk arising from dependency on ICT third-party service providers, including single-provider dependencies, geographic concentration, and systemic risk analysis as required by DORA Article 31.

Formats: PDF
Evidence Class: concentration-risk-assessment
Availability: PARTIAL
Update Frequency: annual
Typical Author: Risk Manager
Approval Chain: Risk Manager → CRO → Board Risk Committee

ICT Third-Party Service Provider Register COMMON

CSV register of all ICT third-party service providers with contractual arrangement details, service descriptions, criticality assessments, and data processing locations as required by DORA Article 28(3).

Formats: CSV, JSON
Evidence Class: ict-provider-register
Availability: COMMON
Update Frequency: quarterly
Typical Author: Vendor Management Officer
Approval Chain: Vendor Management Officer → CRO

Fact Schemas

concentration_risk_assessment_status

Schema ID: fs-concentration-risk-assessment
Control: DORA-Art31-P1

Valid Ranges

assessment_date: within last 12 months
single_provider_dependencies: should be minimised for critical services

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "concentration_risk_within_tolerance": {
      "type": "boolean"
    },
    "geographic_concentrations_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "mitigation_actions_defined": {
      "minimum": 0,
      "type": "integer"
    },
    "mitigation_actions_implemented": {
      "minimum": 0,
      "type": "integer"
    },
    "service_concentrations_identified": {
      "minimum": 0,
      "type": "integer"
    },
    "single_provider_dependencies": {
      "minimum": 0,
      "type": "integer"
    },
    "total_providers_assessed": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "assessment_date",
    "total_providers_assessed",
    "single_provider_dependencies",
    "geographic_concentrations_identified"
  ],
  "type": "object"
}

ict_provider_register_status

Schema ID: fs-ict-provider-register
Control: DORA-Art28-P3

Valid Ranges

register_date: within last 3 months
providers_with_contracts: should equal total_providers for full compliance
providers_with_criticality_assessment: should equal total_providers

JSON Schema

{
  "properties": {
    "critical_providers": {
      "minimum": 0,
      "type": "integer"
    },
    "data_locations_documented": {
      "type": "boolean"
    },
    "last_full_review_date": {
      "format": "date",
      "type": "string"
    },
    "providers_with_contracts": {
      "minimum": 0,
      "type": "integer"
    },
    "providers_with_criticality_assessment": {
      "minimum": 0,
      "type": "integer"
    },
    "register_date": {
      "format": "date",
      "type": "string"
    },
    "subcontractors_documented": {
      "type": "boolean"
    },
    "total_providers": {
      "minimum": 0,
      "type": "integer"
    }
  },
  "required": [
    "register_date",
    "total_providers",
    "critical_providers",
    "providers_with_contracts"
  ],
  "type": "object"
}