Introduction
In the ever-evolving digital landscape, financial entities are increasingly reliant on Information and Communication Technology (ICT) third-party service providers to deliver a wide range of services. As the dependency on these third parties grows, so does the risk of operational disruption, data breaches, and other cybersecurity threats. The Digital Operational Resilience Act (DORA), a cornerstone of the European Union’s regulatory framework, addresses this by introducing robust requirements for managing risks from ICT third-party service providers. This article delves into DORA Article 28, which outlines the general principles for ICT third-party risk management, an essential aspect of digital operational resilience for financial entities.
Key Requirements
DORA Article 28 mandates financial entities to establish and maintain effective risk management practices regarding their ICT third-party service providers. Here are the key requirements:
- Assessment of Third-Party Risks: Conduct an assessment of risks associated with third-party services, including the risk of cyber threats.
- Due Diligence: Perform due diligence on third-party providers to ensure they have adequate operational resilience.
- Monitoring and Review: Continuously monitor and regularly review third-party risk profiles.
- Contractual Agreements: Include operational resilience requirements in contractual agreements with ICT third-party providers.
- Incident Reporting: Establish mechanisms for reporting and communicating incidents or potential incidents promptly.
- Proportionality: Apply risk management measures that are proportionate to the risks posed by each third-party service.
Implementation Guide
To comply with DORA Article 28, financial entities should undertake the following practical steps:
- Risk Identification: Map out all third-party relationships and identify potential risks associated with each, including operational, reputational, and cyber risks.
- Due Diligence Process: Develop a comprehensive due diligence framework to assess third-party providers’ operational resilience capabilities.
- Risk Assessment Framework: Establish a risk assessment framework that includes third-party risk assessment criteria and risk rating methodologies.
- Regular Monitoring: Implement ongoing monitoring processes to identify changes in third-party risk profiles and update risk assessments accordingly.
- Contractual Provisions: Review and update contracts with third-party providers to include operational resilience requirements, such as incident reporting and data security standards.
- Incident Management Plan: Develop an incident management plan that includes procedures for handling incidents involving third-party services.
- Training and Awareness: Provide training to staff on the importance of third-party risk management and the processes in place to manage these risks.
- Document Retention: Maintain records and documentation related to third-party risk assessments, due diligence, and incident management.
Common Pitfalls
When implementing DORA Article 28 requirements, financial entities should avoid the following common pitfalls:
- Neglecting Proportionality: Failing to apply risk management measures proportionate to the risks posed by each third-party service can lead to over- or under-investment in risk mitigation.
- Lack of Continuous Monitoring: Not continuously monitoring third-party risk profiles can result in outdated risk assessments and delayed responses to changes in risk.
- Inadequate Contractual Agreements: Insufficient contractual agreements with third-party providers can leave financial entities exposed to operational risks and legal liabilities.
- Poor Incident Reporting Mechanisms: Ineffective incident reporting mechanisms can hinder timely detection of and response to operational incidents involving third-party services.
How Matproof Helps
Matproof's compliance management platform streamlines tracking and evidence collection for Article 28 requirements, ensuring financial entities maintain up-to-date risk assessments and due diligence processes without the need for manual intervention. By automating these tasks, Matproof helps organizations maintain compliance while focusing on their core business activities.
Related Articles
For further insights into DORA's comprehensive framework for digital operational resilience, consider exploring the following related articles:
- DORA Article 17 Explained
- DORA Article 23 Explained
- DORA Article 26 Explained
- DORA Article 29 Explained
Understanding and implementing the requirements of DORA Article 28 is crucial for financial entities to ensure their operational resilience in the digital era. By following the guidelines and avoiding common pitfalls, organizations can effectively manage the risks posed by their ICT third-party service providers.