DORA-Art38-P1

Article: 38 (1)
Pillar: Third-Party ICT Risk Management
Regulation Ref: Regulation (EU) 2022/2554, Article 38(1)
Last Reviewed: 2026-01-15

The Lead Overseer shall, on the basis of all oversight activities conducted, adopt recommendations to be addressed to the critical ICT third-party service provider.

Evidence Profiles

Critical Provider Oversight Compliance Report (Availability: RARE)

Report documenting the oversight assessment of critical ICT third-party service providers, including their ICT risk management arrangements, security posture, and compliance with oversight requirements as required by DORA Articles 33-44.

Formats: PDF
Evidence Class: oversight-compliance-report
Availability: RARE
Update Frequency: annual
Typical Author: Lead Overseer / Internal Audit
Approval Chain: Head of Internal Audit → CRO

Content Sections

Expected Fields

Common Quality Issues

Fact Schemas

oversight_compliance_status

Schema ID: fs-oversight-compliance-status
Control: DORA-Art33-P1

Valid Ranges

assessment_date: within last 12 months
overall_compliance_rating: compliant for continued service provision

Related Schemas

JSON Schema

{
  "properties": {
    "assessment_date": {
      "format": "date",
      "type": "string"
    },
    "critical_findings": {
      "minimum": 0,
      "type": "integer"
    },
    "findings_count": {
      "minimum": 0,
      "type": "integer"
    },
    "has_business_continuity": {
      "type": "boolean"
    },
    "has_incident_management": {
      "type": "boolean"
    },
    "has_risk_framework": {
      "type": "boolean"
    },
    "has_security_controls": {
      "type": "boolean"
    },
    "overall_compliance_rating": {
      "enum": [
        "compliant",
        "partially_compliant",
        "non_compliant"
      ],
      "type": "string"
    },
    "provider_id": {
      "minLength": 1,
      "type": "string"
    }
  },
  "required": [
    "provider_id",
    "assessment_date",
    "overall_compliance_rating",
    "has_risk_framework",
    "has_security_controls"
  ],
  "type": "object"
}