DORA-Art33-P1

Article: 33 (1)
Pillar: Third-Party ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 33(1)
Last Reviewed: 2026-01-15

The Lead Overseer shall assess whether each critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk that it may pose to financial entities.

Evidence Profiles

Critical Provider Oversight Compliance Report (Availability: RARE)

Report documenting the oversight assessment of critical ICT third-party service providers, including their ICT risk management arrangements, security posture, and compliance with oversight requirements as required by DORA Articles 33-44.

Formats: PDF
Evidence Class: oversight-compliance-report
Availability: RARE
Update Frequency: annual
Typical Author: Lead Overseer / Internal Audit
Approval Chain: Head of Internal Audit → CRO

Provider ICT Risk Management Summary (Availability: PARTIAL)

Plain text summary of a critical ICT third-party service provider's ICT risk management arrangements, compiled from provider-supplied documentation and audit reports.

Formats: PLAIN_TEXT
Evidence Class: provider-ict-risk-management
Availability: PARTIAL
Update Frequency: annual
Typical Author: Vendor Management Officer
Approval Chain: Vendor Management Officer → CISO

Fact Schemas

oversight_compliance_status

Schema ID: fs-oversight-compliance-status
Control: DORA-Art33-P1

Valid Ranges

assessment_date: within last 12 months
overall_compliance_rating: compliant for continued service provision

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "has_business_continuity": {
      "type": "boolean"
    },
    "has_incident_management": {
      "type": "boolean"
    },
    "has_risk_framework": {
      "type": "boolean"
    },
    "has_security_controls": {
      "type": "boolean"
    },
    "overall_compliance_rating": {
      "enum": [
        "compliant",
        "partially_compliant",
        "non_compliant"
      ],
      "type": "string"
    },
    "provider_id": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "provider_id",
    "assessment_date",
    "overall_compliance_rating",
    "has_risk_framework",
    "has_security_controls"
  ],
  "type": "object"
}
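As an added example (not part of this catalogue page or of any DORA tooling), the schema above and its two Valid Ranges can be enforced in code before an oversight_compliance_status record is accepted. It uses only the Python standard library; the constant names, the sample records and the reading of "within last 12 months" as 365 days are assumptions.

```python
from datetime import date, timedelta

# Field rules taken from the fs-oversight-compliance-status JSON Schema above
REQUIRED = ("provider_id", "assessment_date", "overall_compliance_rating",
            "has_risk_framework", "has_security_controls")
BOOL_FIELDS = ("has_risk_framework", "has_security_controls",
               "has_business_continuity", "has_incident_management")
COUNT_FIELDS = ("critical_findings", "findings_count")  # integer, minimum 0
RATINGS = ("compliant", "partially_compliant", "non_compliant")
MAX_AGE_DAYS = 365  # "Valid Ranges": assessment_date within last 12 months (assumed 365 days)


def validate_oversight_status(rec, today):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in rec]
    pid = rec.get("provider_id")
    if pid is not None and (not isinstance(pid, str) or not pid):
        problems.append("provider_id: non-empty string required (minLength 1)")
    for k in BOOL_FIELDS:
        if k in rec and not isinstance(rec[k], bool):
            problems.append(f"{k}: boolean required")
    for k in COUNT_FIELDS:  # bool is a subclass of int, so reject it explicitly
        v = rec.get(k)
        if v is not None and (isinstance(v, bool) or not isinstance(v, int) or v < 0):
            problems.append(f"{k}: integer >= 0 required")
    rating = rec.get("overall_compliance_rating")
    if rating is not None and rating not in RATINGS:
        problems.append(f"overall_compliance_rating: must be one of {RATINGS}")
    elif rating is not None and rating != "compliant":
        # "Valid Ranges": only a compliant rating supports continued service provision
        problems.append(f"rating '{rating}' does not support continued service provision")
    raw = rec.get("assessment_date")
    if raw is not None:
        try:
            assessed = date.fromisoformat(raw)  # schema "format": "date"
        except (TypeError, ValueError):
            problems.append("assessment_date: not an ISO-8601 date")
        else:
            if assessed > today:
                problems.append("assessment_date: lies in the future")
            elif today - assessed > timedelta(days=MAX_AGE_DAYS):
                problems.append("assessment_date: older than 12 months")
    return problems


# Constructed sample records (hypothetical provider id, not a real assessment)
GOOD = {"provider_id": "CTPP-EXAMPLE-001", "assessment_date": "2025-11-03",
        "overall_compliance_rating": "compliant", "has_risk_framework": True,
        "has_security_controls": True, "critical_findings": 0, "findings_count": 2}
STALE = dict(GOOD, assessment_date="2024-06-30",
             overall_compliance_rating="partially_compliant")
```

Evaluated as of the page's Last Reviewed date (2026-01-15), GOOD passes and STALE is rejected for both an out-of-window assessment date and a non-compliant rating.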

provider_ict_risk_management_status

Schema ID: fs-provider-ict-risk-management
Control: DORA-Art33-P1

Valid Ranges

assessment_date: within last 12 months
last_independent_audit_date: within last 18 months

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "audit_findings_resolved": {
      "type": "boolean"
    },
    "certifications_list": {
      "items": {
        "type": "string"
      },
      "type": "array"
    },
    "has_risk_framework": {
      "type": "boolean"
    },
    "has_security_certifications": {
      "type": "boolean"
    },
    "last_independent_audit_date": {
      "format": "date",
      "type": "string"
    },
    "provider_id": {
      "minLength": 1,
      "type": "string"
    },
    "subcontractor_risk_managed": {
      "type": "boolean"
    }
  },
  "required": [
    "provider_id",
    "assessment_date",
    "has_risk_framework",
    "has_security_certifications"
  ],
  "type": "object"
}