What this guide covers:
DORA compliance requirements under Article 28 (Regulation EU 2022/2554) obligate financial institutions to conduct documented, evidence-grade due diligence on every ICT third-party service provider before contract, at renewal, and continuously throughout the relationship. This guide covers the six assessment elements, Register of Information obligations, Article 30 contract clauses, and where firms are failing supervisory reviews in 2026.
Image: The 5 Pillars of DORA Compliance
Table of Content
Last reviewed: June 2026 | Reading time: 18 minutes | Regulation: EU 2022/2554
DORA compliance requirements cover five pillars under Regulation (EU) 2022/2554, which has been fully applicable across EU financial services since 17 January 2025. The five pillars span ICT risk management (Articles 5-16), incident reporting (Articles 17-23), digital operational resilience testing (Articles 24-27), ICT third-party risk management (Articles 28-44), and information sharing (Articles 45-49).
In 2026, supervisory attention concentrates on Pillar 4. The EBA, ESMA, and EIOPA have consistently identified Articles 28-30 as the primary source of compliance gaps across institutions, driven by incomplete Registers of Information, missing criticality classifications, absent pre-contract due diligence evidence, and Article 30 contract clauses that don’t meet the mandatory standard. This page addresses that pillar in full.
One fact that often surprises compliance teams: DORA does not replace existing outsourcing requirements. It runs alongside the EBA’s guidelines on outsourcing arrangements for banks, Solvency II Article 274 for insurers, and MiFID II Article 16 for investment firms. Firms running parallel compliance programmes under multiple frameworks are frequently duplicating assessment work. A unified Article 28 assessment framework, designed to meet DORA’s evidential standard, typically satisfies the overlapping outsourcing obligations in a single exercise. For the full five-pillar breakdown, read the complete DORA compliance guide for regulated firms.
Key takeaways
DORA compliance requires financial institutions to address five mandatory pillars, all of which have been applicable since January 2025. The page from this point focuses on Pillar 4 and specifically Article 28, which supervisory authorities are examining most closely in 2026 reviews.
Article 28 of Regulation (EU) 2022/2554 establishes the general framework for ICT third-party risk management. It requires financial entities to treat third-party ICT risk as an integral part of their overall ICT risk framework, with board oversight, a formal programme, and documented evidence of every assessment stage. The obligation is not procedural. It’s evidential: supervisors reviewing your Article 28 compliance will ask to see the documentation, not hear a description of your process.
The core obligations under Article 28 break into five areas. Each is mandatory. Each requires written evidence a supervisor can examine.
Must cover individual, sub-consolidated and consolidated group levels. Multi-vendor strategy required.
The management body must formally adopt a written strategy for ICT third-party risk. This is not a CISO-level sign-off. It requires board approval. The strategy must address how the firm manages concentration risk and what it does if a critical provider fails or exits. Evidence: board minutes citing approval, dated strategy document with version control.
Central register covering every ICT third-party contractual arrangement.
The Register of Information (RoI) must cover all ICT contractual arrangements at entity, sub-consolidated and consolidated group levels. It uses the ESA-specified template and must be submitted to your national competent authority on request. The RoI section below covers the mandatory fields and where firms are failing.
Determine whether each ICT service supports a critical or important function.
Before entering a contract, each ICT service must be classified as supporting a critical or important function (CIF) or as standard. This classification determines which Article 30 contractual clauses apply and whether the vendor enters the Register of Information.
Assess suitability before contract signature.
Article 28 requires firms to undertake due diligence on prospective ICT third-party providers and ensure they are suitable. It also requires concentration risk analysis and conflict-of-interest identification. This is the area where most questionnaire-only assessments fall short.
Higher information security expectations apply to critical providers.
Financial entities may only enter contractual arrangements with providers that meet appropriate information security standards. For critical or important functions, firms must verify that providers use current and high-quality security standards, including objective evidence such as ISO 27001 and SOC 2 certifications.
Article 28 establishes five distinct obligations, each requiring documented evidence. The pre-contract due diligence obligation under Article 28(4)(d) is the area most frequently examined during supervisory reviews and one where firms commonly struggle to provide sufficient evidence.
Image: Article 28 assessment requirements[/caption]
Article 28(4)(d) requires financial entities to “undertake all due diligence on prospective ICT third-party service providers.” The phrase “all due diligence” has a specific meaning in the context of a supervisory examination: a regulator reviewing your pre-contract evidence file will ask what independent verification you conducted, not what information the vendor provided about itself.
A vendor questionnaire is a structured request for self-disclosure. It tells you what the vendor chooses to tell you. It cannot surface an adverse regulatory enforcement action the vendor didn’t disclose. It cannot identify that a beneficial owner has a sanctions designation in a jurisdiction the vendor didn’t list. It cannot map the subcontractor chain beyond what the vendor elected to include. These are not edge cases — they’re the categories regulators have found missing in the majority of Article 28 pre-contract files examined so far.
Supervisory finding pattern: The most common Article 28 audit failure is not the absence of a questionnaire — it’s the absence of independent verification. Firms have questionnaire responses on file. They don’t have evidence of independent adverse media screening, beneficial ownership verification, or subcontractor chain assessment conducted by a third party with access to external data sources.
The specific data categories that Article 28(4)(d) requires — and that questionnaires cannot supply — are listed in the six assessment elements section below. Each requires access to external databases and intelligence sources that most compliance teams don’t maintain internally, and that even the most comprehensive questionnaire process can’t replicate.
There’s a second problem that rarely gets discussed. Personnel security has emerged as an area of regulatory expectation that Article 28, while not naming it explicitly, is being applied to in practice. Banks are now routinely requiring background checks on vendor employees with privileged access to their systems, including ongoing sanctions and PEP monitoring for individuals in key roles, as part of their Article 28 assessment process. This expectation comes from the EBA’s RTS on outsourcing arrangements and ESMA guidelines being read alongside Article 28 — an interpretive position that sophisticated compliance programmes are already acting on.
What questionnaires can’t capture
Adverse media not disclosed by the vendor. Regulatory enforcement actions in jurisdictions outside the vendor’s primary market. Beneficial ownership structures routed through nominees or intermediary holding companies. Sanctions designations on UBO-level individuals. Fourth-party dependencies the vendor characterised as internal operations. Personnel with privileged access who carry undisclosed PEP status. None of these appear in questionnaire responses. All of them have appeared in Neotas’s enhanced due diligence reports on ICT vendors.
For a practical view of how OSINT-enhanced due diligence adds an intelligence layer to ICT vendor assessments, and how the resulting evidence satisfies Article 28(4)(d), see the Neotas capability section below. The limitations of questionnaire-only approaches are also covered in the TPRM questionnaire guide.
Article 28(4)(d) requires independent verification, not self-reported disclosure. Questionnaire-based processes don’t satisfy this standard because they cannot surface adverse media, undisclosed regulatory actions, sanctions-linked UBOs, or fourth-party dependencies. The pre-contract evidence file must contain documentation of independent checks conducted against external data sources.
An Article 28-compliant pre-contract assessment covers six specific areas. Each maps to a sub-clause in Article 28 or the implementing technical standards. Each produces a distinct evidence output that goes into the pre-contract assessment file. Together, they constitute what a regulator means when they ask whether “all due diligence” was undertaken.
Determines which Article 30 clauses apply and whether the vendor enters the RoI.
Classify whether the ICT service supports a critical or important function (CIF) using the criteria in Article 28(2). The classification must be documented, dated and signed off by an appropriate senior authority. It drives every downstream obligation including contract clause requirements, monitoring cadence, Register of Information entry, exit strategy obligations and concentration risk assessment thresholds.
Substitutability, insolvency risk, single-provider dependency and multi-entity exposure.
Article 28(4)(c) requires identification of all relevant risks in the contractual arrangement, including whether it contributes to concentration risk under Article 29. The assessment should evaluate provider substitutability, business continuity implications, insolvency scenarios and dependency across critical functions and group entities.
Regulatory enforcement history, litigation, sanctions exposure and adverse media findings.
Adverse media screening should assess regulatory actions, litigation records, public sanctions designations and significant negative press that could affect the suitability of the ICT provider. Screening should be performed across all relevant jurisdictions and documented with supporting evidence and methodology.
Named individual and entity screening at director, UBO and key personnel level.
Screening should cover the vendor entity, directors, ultimate beneficial owners and relevant personnel. Checks should include OFAC, EU, OFSI, UN and other relevant sanctions lists alongside politically exposed person screening and financial crime intelligence.
UBO chain verification, ownership transparency and jurisdictional exposure.
Beneficial ownership verification requires tracing ownership through all intermediary entities to the ultimate natural person. Independent verification should be performed using corporate registries, company databases and open-source intelligence rather than relying solely on vendor declarations.
Fourth-party exposure, cascading risk and material subcontractor dependencies.
Firms must identify material subcontractors supporting the ICT service and assess risks arising from the wider subcontracting chain. This includes evaluating fourth-party dependencies, operational resilience implications and potential concentration risks that may impact critical or important functions.
An Article 28-compliant pre-contract assessment contains six evidence-based assessment areas: criticality classification, concentration risk, reputational intelligence, financial crime screening, beneficial ownership verification and subcontractor chain mapping. Together they form the evidential record regulators expect to see when assessing DORA compliance.
Article 28(3) requires financial entities to maintain a Register of Information (RoI) covering all ICT third-party contractual arrangements. This register must be available at entity, sub-consolidated and consolidated group levels, and must be submitted to national competent authorities (NCAs) using the ESA-specified template in xBRL-CSV format.
The 2024 ESA dry-run exercise — where firms submitted test registers before the enforcement date — produced a striking result: only 6.5% of nearly 1,000 firms across the EU passed all 116 data quality checks. That figure was widely reported as a preparedness concern. By May 2026, after a full submission cycle, the failure rate in live submissions has improved but the underlying problems remain consistent.
Format warning: The Register of Information must be submitted in xBRL-CSV format using the ESA’s mandatory template. Submissions in proprietary formats, Excel spreadsheets or PDF will be rejected. Rejection triggers a mandatory resubmission process and may generate a supervisory inquiry. The ESA template is available at EBA register of information template.
The most common RoI failures, drawn from EBA supervisory guidance and NCA feedback in the 2025-2026 cycle, fall into three categories.
| Failure type | What goes wrong | Consequence |
|---|---|---|
| CIF misclassification Critical | ICT services supporting critical functions classified as standard, or vice versa. Often caused by applying the wrong definition of “critical or important function” | Resubmission required. Downstream Article 30 obligations may be wrong for every misclassified contract |
| Missing mandatory fields Critical | Incomplete LEI codes, missing data location fields, absent subcontractor entries for material fourth parties, start date errors | Fails xBRL-CSV validation checks. Submission rejected automatically |
| Consolidation level errors High | Groups submitting at entity level only, or applying wrong consolidation rules across subsidiaries. EBA FAQ Q4-Q9 addresses this but is frequently missed | Partial submission accepted but generates supervisory inquiry and data quality flag |
There is a strategic point about the RoI that rarely appears in compliance guidance. The register is not just a regulatory filing. It is the ESAs’ primary input data for designating Critical ICT Third-Party Providers. The 19 providers designated in November 2025 — including AWS, Microsoft Azure, Google Cloud, IBM, Bloomberg and LSEG — were identified using aggregated RoI data submitted by financial entities. Errors in your RoI submission don’t just risk resubmission: they affect which providers come under direct ESA oversight and how your relationship with those providers is supervised going forward.
Section summary: The Register of Information is both a compliance obligation and a supervisory data source. Errors trigger resubmission and supervisory inquiries. The three most common failure types — CIF misclassification, missing fields, and consolidation errors — are all avoidable with a pre-submission data validation process. The Neotas TPRM platform includes RoI data validation and submission support as part of the vendor management lifecycle.
Article 30 sets out the mandatory content for contracts between financial entities and ICT third-party service providers. For arrangements covering critical or important functions, all eight clause categories below are required. For standard ICT arrangements, a proportionate subset applies. Missing clauses don’t just create contractual risk — they mean the contract fails the Article 30 audit test and must be renegotiated or supplemented.
| Clause category | What the clause must address | Common drafting failure |
|---|---|---|
| Service description and SLAs | Full description of services, performance indicators, availability standards, and data quality commitments | Generic SLAs with no link to critical function performance thresholds |
| Data location | Specific locations where data is stored, processed and backed up; conditions for any change | Reference to “global infrastructure” without named jurisdictions |
| Audit and inspection rights | Unrestricted rights for the financial entity and its regulator to audit and inspect the provider, on reasonable notice and via third-party auditors | Audit rights limited to documentary review, excluding system access or third-party auditors |
| Incident notification obligations | Timelines and content requirements for vendor notification to the financial entity of ICT incidents, aligned to the entity’s DORA reporting obligations | Notification timelines that don’t account for the entity’s 4-hour initial reporting window |
| Exit assistance and data portability | Transition assistance, data portability in a usable format, cooperation with replacement provider, minimum notice periods | No exit assistance clause, or clause that conditions exit assistance on mutual agreement |
| Subcontracting notification | Prior notification requirements for any subcontracting of critical or important functions, with right to object | Notification-only clause with no right to object or withhold consent |
| Resilience testing cooperation | Vendor cooperation with the entity’s DORA resilience testing programme, including TLPT where applicable | No testing cooperation clause, or clause limited to questionnaire-based assessments only |
| Termination rights | Rights to terminate for regulatory non-compliance, material breach, insolvency, acquisition by an unsuitable third party, and regulatory direction | Termination only for material breach after cure period, with no regulatory direction trigger |
Hyperscaler contracts: Commission Delegated Regulation (EU) 2025/532 acknowledges that financial entities contracting with large cloud providers often face non-negotiable standard terms. This does not exempt firms from Article 30 obligations — it requires them to document accepted deviations from the mandatory clauses and demonstrate compensating controls for each gap. “We couldn’t negotiate” is not a supervisory defence without the documented deviation analysis and compensating control evidence.
For managing Article 30 obligations across a large ICT vendor portfolio, the third-party risk management framework covers the programme design needed to track clause compliance at scale.
DORA applies to EU-authorised financial entities and their ICT service providers — wherever those providers are headquartered. A US or UK firm is in scope if it provides ICT services to EU financial entities, or has an EU-authorised subsidiary or branch operating under the regulation.
| Situation | UK firms | US firms |
|---|---|---|
| EU subsidiary or branch | EU entities fully in scope. UK parent not directly obligated but often aligns programme across the group for efficiency | EU entities fully in scope. US parent carries indirect exposure through intra-group ICT arrangement obligations |
| ICT provider to EU entities | UK FinTechs and managed service providers with EU financial entity clients are Article 28 third-party ICT providers | US cloud providers, platform vendors and data services firms serving EU entities are Article 28 third-party ICT providers. 9 of the 19 designated CTPPs are US-headquartered |
| Parallel domestic regime | UK PS21/3 operational resilience framework. FCA/PRA Critical Third Party (CTP) regime mirrors CTPP oversight. Assessment criteria are compatible with Article 28 | FFIEC IT Examination Handbook and OCC third-party risk guidance overlap significantly with Article 28. A unified assessment framework satisfies both |
| Intra-group ICT | UK entities providing ICT services to EU affiliates are third-party ICT providers under Article 28. The same due diligence and contract clause requirements apply | US entities providing ICT services to EU affiliates are third-party ICT providers under Article 28. A simplified assessment standard may apply for intra-group arrangements in practice, but documented evidence is still required |
Practical note for UK dual-regime firms
UK firms managing both FCA/PRA PS21/3 and DORA obligations for EU entities don’t need two parallel assessment processes. The Article 28 assessment criteria — pre-contract due diligence, CIF classification, concentration risk, ongoing monitoring — map directly onto PS21/3’s important business services and impact tolerance framework. A single assessment standard, designed to meet DORA’s evidential threshold, will satisfy PS21/3 requirements for the same vendor relationships.
Neotas delivers OSINT-enhanced ICT vendor due diligence as a managed service, with reports structured to satisfy the specific evidential requirements of Articles 28(4)(a) through (e). Each report is a pre-contract assessment file, not a summary document — it contains source-cited findings, screening methodology, and documented conclusions for each of the six assessment elements.
| Service | Article 28 obligation addressed | Evidence output |
|---|---|---|
| ICT vendor enhanced due diligence report | Article 28(4)(d) — pre-contract due diligence on prospective ICT third-party service providers | Structured report covering adverse media, sanctions, PEPs, UBO chain, regulatory enforcement history and information security certifications. Source-cited. Dated. Methodology documented. |
| Subcontractor chain mapping | Article 28(4)(d) + Delegated Regulation EU 2025/532 — fourth-party risk and material subcontractor assessment | Visualised supply chain with risk flags per tier. Identifies material subcontractors supporting critical functions. Maps fourth-party dependencies not disclosed in vendor questionnaire. |
| Ongoing vendor monitoring | Article 28 — continuous monitoring of critical and important ICT providers throughout the relationship | Real-time alerts on new sanctions hits, adverse media events and regulatory actions. Monthly monitoring summary for the pre-contract and RoI evidence file. |
| Register of Information support | Article 28(3) — complete and accurate RoI in xBRL-CSV format | RoI data validation against all 15 ESA mandatory fields. CIF classification review. Submission-ready file with completeness check report. |
| Beneficial ownership verification | Article 28(4)(d) — UBO identification and verification as part of pre-contract suitability assessment | UBO chain traced to natural person level across all jurisdictions. Company registry verification. Nominee structure identification. Documented conclusion on ownership transparency. |
Neotas is recognised by Chartis Research in the FCC50 as a leading financial crime compliance technology provider. The platform combines structured database screening with open-source intelligence and analyst-led investigation across more than 200 languages. It is used by compliance leads, CROs, vendor risk managers and general counsel at regulated financial services, insurance and legal firms across the UK and EU.
For programme-level third-party risk management, including vendor lifecycle automation and risk scoring, the Neotas TPRM platform integrates Article 28 assessment outputs directly into the vendor onboarding and ongoing monitoring workflow.
Neotas works with compliance leads, vendor risk managers and in-house counsel at regulated financial institutions to deliver Article 28-compliant ICT vendor assessments — pre-contract, at renewal, and on an ongoing basis.
Chartis FCC50 recognised. FCA-regulated sector experience. Used across banking, insurance, asset management and legal services.
Schedule a meeting See the full TPRM platformNo commitment required. We’ll confirm availability within 1 working day.
Adverse media finding prevented a critical function contract at a regulated insurer
A UK insurer commissioned a Neotas pre-contract assessment on a prospective cloud infrastructure provider ahead of a CIF contract. The enhanced due diligence report identified a regulatory enforcement action in a Central European jurisdiction that the vendor had not disclosed in the questionnaire process. The contract was paused pending clarification. The insurer avoided a post-contract Article 28 compliance gap and a potential supervisory finding. See all case studies
Subcontractor chain mapping identified fourth-party sanctions exposure for a UK bank
A UK retail bank asked Neotas to map the subcontractor chain behind a data analytics provider supporting a critical function. The chain mapping identified a fourth-party data processing subcontractor with a beneficial owner carrying an OFAC designation — a dependency not disclosed in the vendor’s questionnaire response. The bank renegotiated the subcontracting clause to include prior notification rights and OFAC screening obligations before renewing the contract. See all case studies
RoI data validation prevented a mandatory resubmission for an EU payment institution
An EU payment institution used Neotas’s RoI validation service before submitting to its NCA. The pre-submission check identified three CIF misclassifications and two missing LEI codes that would have failed the xBRL-CSV validation checks. Corrections were made before submission. The institution avoided mandatory resubmission and the supervisory data quality flag that accompanies it. See all case studies
Covering the DORA compliance requirements most commonly raised by compliance leads, vendor risk managers and in-house counsel at regulated financial institutions. Each answer cites the specific article in Regulation (EU) 2022/2554.
A practical Article 28 checklist to identify compliance gaps, strengthen ICT third-party due diligence, and prepare for DORA supervisory reviews with confidence.
Practical guides for compliance leads, vendor risk managers and in-house counsel managing DORA compliance requirements and ICT third-party risk across regulated financial institutions.
Covers all five DORA pillars with article-level mapping, the ICT incident reporting timeline, Register of Information obligations, and how DORA interacts with EBA outsourcing guidelines and Solvency II. The reference guide for regulated firms building a DORA programme from the ground up rather than patching an existing outsourcing framework.
OSINT-enhanced due diligence covering adverse media, sanctions and PEP screening, beneficial ownership verification and subcontractor chain mapping. Structured to produce the independent verification evidence that Article 28(4)(d) requires, delivered as a pre-contract assessment file within five working days.
The Neotas TPRM platform combines live risk intelligence with configurable vendor lifecycle automation. Integrates Article 28 assessment outputs, Register of Information data management, and ongoing monitoring for critical and important ICT providers into a single compliance workflow.
Programme design guide for compliance teams building or adapting a TPRM framework to meet the DORA ICT third-party risk management guidelines. Covers risk tiering, assessment cadence, monitoring standards, governance structure, and how to unify DORA Article 28 obligations with EBA outsourcing and PS21/3 requirements.
DORA Article 28 and Delegated Regulation (EU) 2025/532 require assessment of the full subcontracting chain behind critical ICT providers, not just the direct vendor. Covers fourth-party risk identification methodology, chain mapping using OSINT and corporate intelligence sources, and how to document subcontractor findings in the Article 28 pre-contract assessment file.
Practical checklist covering the six Article 28 assessment elements, the limitations of questionnaire-only processes against the DORA compliance requirements, and the independent verification steps needed to produce a pre-contract evidence file that holds up in a supervisory review.
A structured EDD checklist mapped to the Article 28(4)(d) assessment elements: adverse media, sanctions, PEPs, beneficial ownership and subcontractor risk. Designed for compliance and vendor risk teams planning pre-contract DORA ICT vendor due diligence for critical or important function contracts.
Sanctions screening across OFAC, UN, EU and OFSI lists, adverse media monitoring, and PEP identification integrated into ICT vendor due diligence programmes under Article 28(4)(d). Covers pre-contract screening and ongoing monitoring obligations for critical provider relationships throughout the contract lifecycle.
financial crime compliance
financial crimes compliance
what is financial crime compliance
financial crime and compliance
financial crime and compliance management
financial crime compliance jobs
financial crime compliance solutions
financial crimes compliance jobs
compliance and financial crime
cost of financial crime compliance
enterprise financial crimes compliance
fcc financial crime compliance
anti financial crime compliance
conduct financial crime and compliance
financial crime compliance analyst
financial crime compliance analyst salary
financial crime compliance certification
financial crime compliance course
financial crime compliance definition
financial crime compliance framework
financial crime compliance in banking
financial crime compliance meaning
financial crime compliance risk management
global financial crimes compliance
true cost of financial crime compliance global report
what is financial crimes compliance
Neotas Enhanced Due Diligence covers 600Bn+ Archived web pages, 1.8Bn+ court records, 198M+ Corporate records, Global Social Media platforms, and more than 40,000 Media sources from over 100 countries to help you screen & manage risks.
Assess your readiness across ICT third-party risk management, due diligence, contracts, Register of Information requirements, and ongoing monitoring in one practical framework.
