{ "id": "dora-rts-its-pack", "title": "DORA Article 28 RTS/ITS Pack", "description": "Primary-source radar mapping the DORA Article 28 RTS/ITS Pack — RTS 2024/1773 third-party policy, Commission Implementing Regulation (EU) 2024/2956 RoI templates, RTS 2025/532 subcontracting — against entity-level RoI fields, third-party-policy controls, subcontracting-chain controls and the 19 first-batch CTPP designations.", "layout": "cose-radar", "lastReviewed": "2026-05-10", "evidenceCutoff": "2026-05-10", "nodes": [ { "id": "european-commission", "label": "European Commission", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "European Commission is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "European Commission: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "eba", "label": "European Banking Authority", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "European Banking Authority is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "European Banking Authority: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/preparation-dora-application", "evidence": [ "https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/preparation-dora-application, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "esma", "label": "European Securities and Markets Authority", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "European Securities and Markets Authority is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "European Securities and Markets Authority: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://www.esma.europa.eu/digital-finance-and-innovation/digital-operational-resilience-act-dora", "evidence": [ "https://www.esma.europa.eu/digital-finance-and-innovation/digital-operational-resilience-act-dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "eiopa", "label": "European Insurance and Occupational Pensions Authority", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "European Insurance and Occupational Pensions Authority is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "European Insurance and Occupational Pensions Authority: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://www.eiopa.europa.eu/esas-publish-list-critical-third-party-providers-under-dora-2025-11-18_en", "evidence": [ "https://www.eiopa.europa.eu/esas-publish-list-critical-third-party-providers-under-dora-2025-11-18_en, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "esas-joint-committee", "label": "ESAs Joint Committee", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "ESAs Joint Committee is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "ESAs Joint Committee: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-list-critical-third-party-providers-under-dora", "evidence": [ "https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-list-critical-third-party-providers-under-dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "enisa", "label": "ENISA", "type": "regulator", "subtype": "EU public authority or public-source body", "summary": "ENISA is a public authority or public-source body used for DORA RTS/ITS evidence.", "description": "ENISA: Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap.", "url": "https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive/finance", "evidence": [ "https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive/finance, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "regulator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Institutional anchor for DORA RTS Pack, RoI, CTPP or DORA/NIS2 overlap." }, { "id": "dora-2022-2554", "label": "Regulation (EU) 2022/2554 (DORA)", "type": "regulation", "subtype": "parent regulation", "summary": "Regulation (EU) 2022/2554 (DORA) is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "Regulation (EU) 2022/2554 (DORA): Parent act for DORA Articles 28-35.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Parent act for DORA Articles 28-35." }, { "id": "dora-article-28", "label": "DORA Article 28", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 28 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 28: General principles for ICT third-party risk and RoI.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "General principles for ICT third-party risk and RoI." }, { "id": "dora-article-29", "label": "DORA Article 29", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 29 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 29: Preliminary assessment of ICT concentration risk.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Preliminary assessment of ICT concentration risk." }, { "id": "dora-article-30", "label": "DORA Article 30", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 30 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 30: Key contractual provisions.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Key contractual provisions." }, { "id": "dora-article-31", "label": "DORA Article 31", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 31 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 31: Designation of CTPPs.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Designation of CTPPs." }, { "id": "dora-article-32", "label": "DORA Article 32", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 32 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 32: Structure of the Oversight Framework.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Structure of the Oversight Framework." }, { "id": "dora-article-33", "label": "DORA Article 33", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 33 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 33: Tasks of the Lead Overseer.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Tasks of the Lead Overseer." }, { "id": "dora-article-34", "label": "DORA Article 34", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 34 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 34: Operational coordination among Lead Overseers.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Operational coordination among Lead Overseers." }, { "id": "dora-article-35", "label": "DORA Article 35", "type": "regulation", "subtype": "DORA article anchor", "summary": "DORA Article 35 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "DORA Article 35: Powers of the Lead Overseer.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Powers of the Lead Overseer." }, { "id": "commission-delegated-regulation-2024-1773", "label": "Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy", "type": "regulation", "subtype": "DORA RTS/ITS implementing act", "summary": "Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy: Policy content for ICT services supporting C/I functions.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy content for ICT services supporting C/I functions." }, { "id": "commission-implementing-regulation-2024-2956", "label": "Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates", "type": "regulation", "subtype": "DORA RTS/ITS implementing act", "summary": "Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates: RoI templates, identifiers, data format and Annex taxonomy.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "RoI templates, identifiers, data format and Annex taxonomy." }, { "id": "commission-delegated-regulation-2025-532", "label": "Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting", "type": "regulation", "subtype": "DORA RTS/ITS implementing act", "summary": "Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.", "description": "Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting: Subcontracting assessment and contract controls.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "dora", "legal-anchor" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontracting assessment and contract controls." }, { "id": "nis2-directive-2022-2555", "label": "Directive (EU) 2022/2555 (NIS2)", "type": "standard", "subtype": "reference standard or adjacent legal framework", "summary": "Directive (EU) 2022/2555 (NIS2) is an adjacent standard or legal framework used for control-context mapping.", "description": "Directive (EU) 2022/2555 (NIS2): Cyber-resilience overlap; DORA remains sector lex-specialis.", "url": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj", "evidence": [ "https://eur-lex.europa.eu/eli/dir/2022/2555/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "standard", "reference-standard" ], "isFinrayProduct": false, "coiNote": null, "watching": "Cyber-resilience overlap; DORA remains sector lex-specialis." }, { "id": "iso-27001", "label": "ISO/IEC 27001", "type": "standard", "subtype": "reference standard or adjacent legal framework", "summary": "ISO/IEC 27001 is an adjacent standard or legal framework used for control-context mapping.", "description": "ISO/IEC 27001: Information-security management evidence used in due diligence.", "url": "https://www.iso.org/isoiec-27001-information-security.html", "evidence": [ "https://www.iso.org/isoiec-27001-information-security.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "standard", "reference-standard" ], "isFinrayProduct": false, "coiNote": null, "watching": "Information-security management evidence used in due diligence." }, { "id": "roi-01", "label": "LEI of the financial entity maintaining the RoI", "type": "control", "subtype": "RoI field control", "summary": "LEI of the financial entity maintaining the RoI is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "LEI of the financial entity maintaining the RoI: Annex I, B_01.01.0010; Identifies the entity maintaining and updating the RoI.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-02", "label": "Name of the financial entity", "type": "control", "subtype": "RoI field control", "summary": "Name of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Name of the financial entity: Annex I, B_01.01.0020; Legal/entity name of the RoI maintainer.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-03", "label": "Country of the financial entity", "type": "control", "subtype": "RoI field control", "summary": "Country of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Country of the financial entity: Annex I, B_01.01.0030; Home country of the entity maintaining the RoI.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-04", "label": "Type of financial entity", "type": "control", "subtype": "RoI field control", "summary": "Type of financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Type of financial entity: Annex I, B_01.01.0040; DORA entity category, including credit institution, payment institution, electronic money institution, investment firm, insurance undertaking, CASP and other listed categories.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-05", "label": "Hierarchy within group", "type": "control", "subtype": "RoI field control", "summary": "Hierarchy within group is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Hierarchy within group: Annex I, B_01.02.0060; Identifies parent/subsidiary relationships in the consolidation scope.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-07", "label": "Value of total assets", "type": "control", "subtype": "RoI field control", "summary": "Value of total assets is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Value of total assets: Annex I, B_01.02.0110 and Annex IV; Entity size metric, completed using Annex IV instructions for each entity type.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-09", "label": "Contractual arrangement reference number", "type": "control", "subtype": "RoI field control", "summary": "Contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Contractual arrangement reference number: Annex I, B_02.01.0010; Unique stable reference for each contractual arrangement with a direct ICT TPP.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-10", "label": "Type of contractual arrangement", "type": "control", "subtype": "RoI field control", "summary": "Type of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Type of contractual arrangement: Annex I, B_02.01.0020; Classifies standalone, overarching/master/framework, or associated contractual arrangement.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-11", "label": "Overarching contractual arrangement reference number", "type": "control", "subtype": "RoI field control", "summary": "Overarching contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Overarching contractual arrangement reference number: Annex I, B_02.01.0030; Links an associated arrangement to the overarching arrangement.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-13", "label": "Annual expense or estimated cost", "type": "control", "subtype": "RoI field control", "summary": "Annual expense or estimated cost is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Annual expense or estimated cost: Annex I, B_02.01.0050; Annual spend or estimated cost for the contractual arrangement; no duplicated counting across rows.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-14", "label": "Identification code of the ICT TPP signing/providing service", "type": "control", "subtype": "RoI field control", "summary": "Identification code of the ICT TPP signing/providing service is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Identification code of the ICT TPP signing/providing service: Annex I, B_02.02.0010; B_05.01.0010; Identifier for the ICT TPP providing services under the arrangement.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-15", "label": "Type of code used to identify ICT TPP", "type": "control", "subtype": "RoI field control", "summary": "Type of code used to identify ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Type of code used to identify ICT TPP: Annex I, B_02.02.0020; B_05.01.0020; States whether provider identifier is LEI, EUID or another permitted code.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-16", "label": "Function identifier", "type": "control", "subtype": "RoI field control", "summary": "Function identifier is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Function identifier: Annex I, B_02.02.0050; B_06.01.0010; Internal function identifier linking ICT services to the financial entity function they support.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-17", "label": "Type of ICT services", "type": "control", "subtype": "RoI field control", "summary": "Type of ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Type of ICT services: Annex I, B_02.02.0060; Annex III S01-S19; ICT service taxonomy, including ICT security, data, hosting, telecom, network, software, ICT operation, cloud IaaS/PaaS/SaaS.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-18", "label": "Start date of contractual arrangement", "type": "control", "subtype": "RoI field control", "summary": "Start date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Start date of contractual arrangement: Annex I, B_02.02.0070; Date when the contractual arrangement starts.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-19", "label": "End date of contractual arrangement", "type": "control", "subtype": "RoI field control", "summary": "End date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "End date of contractual arrangement: Annex I, B_02.02.0080; End date; indefinite arrangements are reported as 9999-12-31.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-21", "label": "Notice period for the financial entity", "type": "control", "subtype": "RoI field control", "summary": "Notice period for the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Notice period for the financial entity: Annex I, B_02.02.0110; Number of days the financial entity must give to terminate or exit.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-22", "label": "Notice period for the ICT TPP", "type": "control", "subtype": "RoI field control", "summary": "Notice period for the ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Notice period for the ICT TPP: Annex I, B_02.02.0120; Number of days the ICT TPP must give before termination.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-23", "label": "Country of governing law", "type": "control", "subtype": "RoI field control", "summary": "Country of governing law is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Country of governing law: Annex I, B_02.02.0130; Jurisdiction whose law governs the contractual arrangement.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-24", "label": "Country of ICT service provision", "type": "control", "subtype": "RoI field control", "summary": "Country of ICT service provision is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Country of ICT service provision: Annex I, B_02.02.0140; Country where the ICT service is provided.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-25", "label": "Storage of data", "type": "control", "subtype": "RoI field control", "summary": "Storage of data is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Storage of data: Annex I, B_02.02.0150; Indicates whether data are stored under the service.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-26", "label": "Location of data at rest", "type": "control", "subtype": "RoI field control", "summary": "Location of data at rest is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Location of data at rest: Annex I, B_02.02.0160; Countries where data are stored at rest.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-27", "label": "Location of data processing and management", "type": "control", "subtype": "RoI field control", "summary": "Location of data processing and management is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Location of data processing and management: Annex I, B_02.02.0170; Countries where data are processed or managed.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-28", "label": "Data sensitivity", "type": "control", "subtype": "RoI field control", "summary": "Data sensitivity is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Data sensitivity: Annex I, B_02.02.0180; Low/medium/high sensitivity of data in the ICT service.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-29", "label": "Level of reliance on ICT service", "type": "control", "subtype": "RoI field control", "summary": "Level of reliance on ICT service is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Level of reliance on ICT service: Annex I, B_02.02.0190; Level of reliance of the financial entity on the ICT service.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-30", "label": "ICT service supply-chain rank", "type": "control", "subtype": "RoI field control", "summary": "ICT service supply-chain rank is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "ICT service supply-chain rank: Annex I, B_05.02.0050; Article 2; Position in the ICT service supply chain; direct ICT TPP has rank 1, subcontractors have rank greater than 1.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-31", "label": "Recipient of subcontracted ICT services", "type": "control", "subtype": "RoI field control", "summary": "Recipient of subcontracted ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Recipient of subcontracted ICT services: Annex I, B_05.02.0060-.0070; Identifies the ICT TPP that receives subcontracted services from the subcontractor.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-32", "label": "Criticality or importance assessment", "type": "control", "subtype": "RoI field control", "summary": "Criticality or importance assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Criticality or importance assessment: Annex I, B_06.01.0050; Assessment of whether the function is critical or important.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-33", "label": "Date of last criticality assessment", "type": "control", "subtype": "RoI field control", "summary": "Date of last criticality assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Date of last criticality assessment: Annex I, B_06.01.0070; Date of last assessment for the function.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-34", "label": "Recovery time objective (RTO)", "type": "control", "subtype": "RoI field control", "summary": "Recovery time objective (RTO) is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Recovery time objective (RTO): Annex I, B_06.01.0080; Target time to recover the function.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-35", "label": "Recovery point objective (RPO)", "type": "control", "subtype": "RoI field control", "summary": "Recovery point objective (RPO) is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Recovery point objective (RPO): Annex I, B_06.01.0090; Target data-loss tolerance for the function.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-36", "label": "Substitutability of ICT TPP", "type": "control", "subtype": "RoI field control", "summary": "Substitutability of ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Substitutability of ICT TPP: Annex I, B_07.01.0050; Assesses whether the provider is not substitutable, highly complex, medium complexity or easily substitutable.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-38", "label": "Date of last audit for ICT services", "type": "control", "subtype": "RoI field control", "summary": "Date of last audit for ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Date of last audit for ICT services: Annex I, B_07.01.0080; Date of last audit for the ICT services; no audit is reported as 9999-12-31.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "roi-39", "label": "Exit plan existence", "type": "control", "subtype": "RoI field control", "summary": "Exit plan existence is an entity-level RoI field control in the DORA RTS/ITS Pack.", "description": "Exit plan existence: Annex I, B_07.01.0090; Indicates whether an exit plan exists for ICT service supporting a C/I function.", "url": "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "roi", "register-of-information" ], "isFinrayProduct": false, "coiNote": null, "watching": "Field accuracy / data lineage / annual update cadence" }, { "id": "pol-01", "label": "Management-body adoption of written policy", "type": "control", "subtype": "third-party-policy control", "summary": "Management-body adoption of written policy is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Management-body adoption of written policy: RTS 2024/1773 Article 3(1); evidence request: Board or management-body minutes approving the policy; policy version control; list of in-scope ICT services supporting C/I functions.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-02", "label": "Annual review and timely update cadence", "type": "control", "subtype": "third-party-policy control", "summary": "Annual review and timely update cadence is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Annual review and timely update cadence: RTS 2024/1773 Article 3(2); evidence request: Review calendar, policy-change log, evidence of review after regulatory/business changes.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-03", "label": "Methodology for determining ICT services supporting critical or important functions", "type": "control", "subtype": "third-party-policy control", "summary": "Methodology for determining ICT services supporting critical or important functions is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Methodology for determining ICT services supporting critical or important functions: RTS 2024/1773 Article 3(3); evidence request: Criticality methodology, decision records, linkage to function inventory and RoI B_06.01.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-04", "label": "Internal responsibilities and skills for approval, management, control and documentation", "type": "control", "subtype": "third-party-policy control", "summary": "Internal responsibilities and skills for approval, management, control and documentation is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Internal responsibilities and skills for approval, management, control and documentation: RTS 2024/1773 Article 3(4)-(6); evidence request: RACI matrix, role descriptions, training records, named senior management role under DORA Article 5(3).", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-05", "label": "Independent review or audit plan", "type": "control", "subtype": "third-party-policy control", "summary": "Independent review or audit plan is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Independent review or audit plan: RTS 2024/1773 Article 3(7); evidence request: Internal audit plan, review scope, findings and remediation evidence.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-06", "label": "Lifecycle governance for contractual arrangements", "type": "control", "subtype": "third-party-policy control", "summary": "Lifecycle governance for contractual arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Lifecycle governance for contractual arrangements: RTS 2024/1773 Article 4; evidence request: Process map from planning and due diligence through monitoring, record keeping, exit and termination.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-08", "label": "Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks", "type": "control", "subtype": "third-party-policy control", "summary": "Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks: RTS 2024/1773 Article 5(2)(a)-(j); evidence request: Risk assessment pack, data classification, location analysis, concentration-risk assessment and approval record.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-09", "label": "Due diligence on ICT TPP ability, expertise, resources and information-security standards", "type": "control", "subtype": "third-party-policy control", "summary": "Due diligence on ICT TPP ability, expertise, resources and information-security standards is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Due diligence on ICT TPP ability, expertise, resources and information-security standards: RTS 2024/1773 Article 6(1); evidence request: Due diligence questionnaire, SOC/ISO reports, financial viability review, security architecture review.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-10", "label": "Use and limitation of audits, certifications and third-party reports", "type": "control", "subtype": "third-party-policy control", "summary": "Use and limitation of audits, certifications and third-party reports is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Use and limitation of audits, certifications and third-party reports: RTS 2024/1773 Article 6(3); Article 8(4)-(6); evidence request: Evidence register recording certificate scope, report period, carve-outs, bridge letters and residual gaps.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-11", "label": "Conflicts-of-interest assessment, including intra-group arrangements", "type": "control", "subtype": "third-party-policy control", "summary": "Conflicts-of-interest assessment, including intra-group arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Conflicts-of-interest assessment, including intra-group arrangements: RTS 2024/1773 Article 7; evidence request: Conflict register, intra-group pricing/service assessment, independent challenge record.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-12", "label": "Contractual clauses aligned with DORA Article 30(2) and 30(3)", "type": "control", "subtype": "third-party-policy control", "summary": "Contractual clauses aligned with DORA Article 30(2) and 30(3) is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Contractual clauses aligned with DORA Article 30(2) and 30(3): RTS 2024/1773 Article 8(1); evidence request: Clause matrix mapped to Article 30(2)/(3), negotiated deviations, legal sign-off.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-13", "label": "Access, inspection, audit and ICT testing rights", "type": "control", "subtype": "third-party-policy control", "summary": "Access, inspection, audit and ICT testing rights is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Access, inspection, audit and ICT testing rights: RTS 2024/1773 Article 8(2)-(7); evidence request: Contract clauses, audit-right procedure, pooled audit protocol, evidence that certs/reports are not the sole source.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-14", "label": "Ongoing service monitoring and incident/service/security reporting", "type": "control", "subtype": "third-party-policy control", "summary": "Ongoing service monitoring and incident/service/security reporting is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Ongoing service monitoring and incident/service/security reporting: RTS 2024/1773 Article 9(1)-(3); evidence request: Service review packs, SLA/KPI/KCI dashboards, incident notices, corrective-action tracking.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "pol-16", "label": "Documented exit plan for each C/I supporting ICT contractual arrangement", "type": "control", "subtype": "third-party-policy control", "summary": "Documented exit plan for each C/I supporting ICT contractual arrangement is an entity-level third-party-policy control in the DORA RTS/ITS Pack.", "description": "Documented exit plan for each C/I supporting ICT contractual arrangement: RTS 2024/1773 Article 10(1)-(3); evidence request: Exit plan, test records, scenario coverage, transfer/reintegration assessment and timetable against notice periods.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "third-party-policy", "rts-2024-1773" ], "isFinrayProduct": false, "coiNote": null, "watching": "Policy review cadence / management body approval cycle / control owner evidence" }, { "id": "sub-01", "label": "Subcontracting risk factors determined before use", "type": "control", "subtype": "subcontracting-chain control", "summary": "Subcontracting risk factors determined before use is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Subcontracting risk factors determined before use: RTS 2025/532 Article 1(1)-(2); In-scope where ICT services support a critical or important function or material parts thereof; out-of-scope for services outside that DORA category unless other DORA obligations apply.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-03", "label": "Pre-contract decision whether subcontracting is permitted", "type": "control", "subtype": "subcontracting-chain control", "summary": "Pre-contract decision whether subcontracting is permitted is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Pre-contract decision whether subcontracting is permitted: RTS 2025/532 Article 3(1); In-scope before concluding the contractual arrangement.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-04", "label": "Due diligence on ICT TPP subcontractor selection and assessment processes", "type": "control", "subtype": "subcontracting-chain control", "summary": "Due diligence on ICT TPP subcontractor selection and assessment processes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Due diligence on ICT TPP subcontractor selection and assessment processes: RTS 2025/532 Article 3(2)(a); In-scope where the direct ICT TPP will use subcontractors.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-05", "label": "Provider capacity to identify all relevant subcontractors and provide information", "type": "control", "subtype": "subcontracting-chain control", "summary": "Provider capacity to identify all relevant subcontractors and provide information is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Provider capacity to identify all relevant subcontractors and provide information: RTS 2025/532 Article 3(2)(b); In-scope for C/I service chains.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-06", "label": "Contractual conditions allow the financial entity to comply with DORA", "type": "control", "subtype": "subcontracting-chain control", "summary": "Contractual conditions allow the financial entity to comply with DORA is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Contractual conditions allow the financial entity to comply with DORA: RTS 2025/532 Article 3(2)(c)-(d); In-scope for all permitted subcontracting of C/I supporting ICT services.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-07", "label": "Same access and inspection rights through the chain", "type": "control", "subtype": "subcontracting-chain control", "summary": "Same access and inspection rights through the chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Same access and inspection rights through the chain: RTS 2025/532 Article 3(2)(d); In-scope for subcontractors effectively underpinning C/I supporting ICT services.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-08", "label": "Contract identifies C/I ICT services or material parts eligible for subcontracting", "type": "control", "subtype": "subcontracting-chain control", "summary": "Contract identifies C/I ICT services or material parts eligible for subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Contract identifies C/I ICT services or material parts eligible for subcontracting: RTS 2025/532 Article 4(1)(a); In-scope for contracts permitting subcontracting.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-09", "label": "Direct ICT TPP remains responsible despite subcontracting", "type": "control", "subtype": "subcontracting-chain control", "summary": "Direct ICT TPP remains responsible despite subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Direct ICT TPP remains responsible despite subcontracting: RTS 2025/532 Article 4(1)(b); In-scope for all subcontracted C/I services.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-10", "label": "Ongoing monitoring and reporting of subcontracted C/I services", "type": "control", "subtype": "subcontracting-chain control", "summary": "Ongoing monitoring and reporting of subcontracted C/I services is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Ongoing monitoring and reporting of subcontracted C/I services: RTS 2025/532 Article 4(1)(c)-(d); In-scope where subcontractors support C/I services or material parts.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-11", "label": "Location, data-processing and data-storage risk assessment through chain", "type": "control", "subtype": "subcontracting-chain control", "summary": "Location, data-processing and data-storage risk assessment through chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Location, data-processing and data-storage risk assessment through chain: RTS 2025/532 Article 4(1)(e); In-scope where service/data locations are affected by subcontracting.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-13", "label": "Advance notification of intended material subcontracting changes", "type": "control", "subtype": "subcontracting-chain control", "summary": "Advance notification of intended material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Advance notification of intended material subcontracting changes: RTS 2025/532 Article 5(1)-(3); In-scope for intended material changes to subcontracting.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-14", "label": "Buyer assessment, objection and modification right for material subcontracting changes", "type": "control", "subtype": "subcontracting-chain control", "summary": "Buyer assessment, objection and modification right for material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Buyer assessment, objection and modification right for material subcontracting changes: RTS 2025/532 Article 5(4); In-scope when notified changes exceed risk tolerance or impair compliance.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "sub-15", "label": "Termination right for unauthorised or objected subcontracting changes", "type": "control", "subtype": "subcontracting-chain control", "summary": "Termination right for unauthorised or objected subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.", "description": "Termination right for unauthorised or objected subcontracting changes: RTS 2025/532 Article 6; In-scope if the provider implements changes despite objection, before approval, or where subcontracting was not contractually permitted.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "control", "subcontracting", "rts-2025-532" ], "isFinrayProduct": false, "coiNote": null, "watching": "Subcontractor onboarding diligence / chain-visibility refresh cadence / objection-right exercise" }, { "id": "servicenow-digital-resilience-registers", "label": "ServiceNow Digital resilience third-party registers", "type": "product", "subtype": "vendor-owned DORA support product", "summary": "ServiceNow Digital resilience third-party registers is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.", "description": "ServiceNow Digital resilience third-party registers: vendor-owned product material. Supports edges do not imply ESA endorsement or prove compliance.", "url": "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "product", "vendor-owned-evidence", "product" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned evidence only / product-page support claim refresh cadence" }, { "id": "processunity-dora-compliance-software", "label": "ProcessUnity DORA compliance software", "type": "product", "subtype": "vendor-owned DORA support product", "summary": "ProcessUnity DORA compliance software is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.", "description": "ProcessUnity DORA compliance software: vendor-owned product material. Supports edges do not imply ESA endorsement or prove compliance.", "url": "https://www.processunity.com/dora-compliance-software/", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "product", "vendor-owned-evidence", "product" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned evidence only / product-page support claim refresh cadence" }, { "id": "docusign-clm-dora-monitoring", "label": "DocuSign CLM / IAM for DORA agreement monitoring", "type": "product", "subtype": "vendor-owned DORA support product", "summary": "DocuSign CLM / IAM for DORA agreement monitoring is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.", "description": "DocuSign CLM / IAM for DORA agreement monitoring: vendor-owned product material. Supports edges do not imply ESA endorsement or prove compliance.", "url": "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "product", "vendor-owned-evidence", "product" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned evidence only / product-page support claim refresh cadence" }, { "id": "dapr-dora-register-solution", "label": "DORA Register of Information solution", "type": "product", "subtype": "vendor-owned DORA support product", "summary": "DORA Register of Information solution is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.", "description": "DORA Register of Information solution: vendor-owned product material. Supports edges do not imply ESA endorsement or prove compliance.", "url": "https://doraregister.io/", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "product", "vendor-owned-evidence", "product" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned evidence only / product-page support claim refresh cadence" }, { "id": "ctpp-accenture-plc", "label": "Accenture plc", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Accenture plc appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Accenture plc is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "integrator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-amazon-web-services-emea-sarl", "label": "Amazon web Services EMEA Sarl", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Amazon web Services EMEA Sarl appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Amazon web Services EMEA Sarl is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10", "https://en.paperjam.lu/article/luxembourg-based-aws-receives-eu-critical-ict-designation-under-dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement. Lead Overseer assignment confirmed 2025-11-18 (paperjam.lu reporting)." }, { "id": "ctpp-bloomberg-l-p", "label": "Bloomberg L.P.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Bloomberg L.P. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Bloomberg L.P. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "data-market" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-capgemini-se", "label": "Capgemini SE", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Capgemini SE appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Capgemini SE is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "integrator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-colt-technology-services", "label": "Colt Technology Services", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Colt Technology Services appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Colt Technology Services is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "telecom" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-deutsche-telekom-ag", "label": "Deutsche Telekom AG", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Deutsche Telekom AG appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Deutsche Telekom AG is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "telecom" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-equinix-emea-b-v", "label": "Equinix (EMEA) B.V.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Equinix (EMEA) B.V. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Equinix (EMEA) B.V. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "telecom" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-fidelity-national-information-services", "label": "Fidelity National Information Services, Inc.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Fidelity National Information Services, Inc. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Fidelity National Information Services, Inc. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "data-market" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-google-cloud-emea-limited", "label": "Google Cloud EMEA Limited", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Google Cloud EMEA Limited appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Google Cloud EMEA Limited is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-international-business-machine-corporati", "label": "International Business Machine Corporation", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "International Business Machine Corporation appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "International Business Machine Corporation is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-interxion-headquarters-b-v", "label": "InterXion HeadQuarters B.V.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "InterXion HeadQuarters B.V. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "InterXion HeadQuarters B.V. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "telecom" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-kyndryl-inc", "label": "Kyndryl Inc.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Kyndryl Inc. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Kyndryl Inc. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "integrator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-lseg-data-and-risk-limited", "label": "LSEG Data and Risk Limited", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "LSEG Data and Risk Limited appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "LSEG Data and Risk Limited is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "data-market" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-microsoft-ireland-operations-limited", "label": "Microsoft Ireland Operations Limited", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Microsoft Ireland Operations Limited appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Microsoft Ireland Operations Limited is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-ntt-data-inc", "label": "NTT DATA Inc.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "NTT DATA Inc. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "NTT DATA Inc. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "integrator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-oracle-nederland-b-v", "label": "Oracle Nederland B.V.", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Oracle Nederland B.V. appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Oracle Nederland B.V. is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-orange-sa", "label": "Orange SA", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Orange SA appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Orange SA is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "telecom" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-sap-se", "label": "SAP SE", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "SAP SE appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "SAP SE is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "hyperscaler" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "ctpp-tata-consultancy-services-limited", "label": "Tata Consultancy Services Limited", "type": "licensed-entity", "subtype": "CTPP-designated", "summary": "Tata Consultancy Services Limited appears on the ESA Article 31(9) first-batch CTPP list; the ESA list does not state LEIs.", "description": "Tata Consultancy Services Limited is represented only as a DORA Article 31(9) CTPP designation record. Provider-specific service categories and LEIs are not inferred from other sources.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "licensed-entity", "ctpp", "first-batch", "integrator" ], "isFinrayProduct": false, "coiNote": null, "watching": "Article 31 ongoing-criticality assessment, oversight-fee invoice cycle, lead-overseer engagement" }, { "id": "vendor-servicenow", "label": "ServiceNow", "type": "vendor", "subtype": "DORA support vendor", "summary": "ServiceNow is represented as the producer of a vendor-owned DORA support product.", "description": "ServiceNow appears only through its own public product material. Supports edges are due-diligence evidence, not ESA endorsement.", "url": "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned claim refresh cadence / product-scope changes / support-edge discipline" }, { "id": "vendor-processunity", "label": "ProcessUnity", "type": "vendor", "subtype": "DORA support vendor", "summary": "ProcessUnity is represented as the producer of a vendor-owned DORA support product.", "description": "ProcessUnity appears only through its own public product material. Supports edges are due-diligence evidence, not ESA endorsement.", "url": "https://www.processunity.com/dora-compliance-software/", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned claim refresh cadence / product-scope changes / support-edge discipline" }, { "id": "vendor-docusign", "label": "DocuSign", "type": "vendor", "subtype": "DORA support vendor", "summary": "DocuSign is represented as the producer of a vendor-owned DORA support product.", "description": "DocuSign appears only through its own public product material. Supports edges are due-diligence evidence, not ESA endorsement.", "url": "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned claim refresh cadence / product-scope changes / support-edge discipline" }, { "id": "vendor-dapr", "label": "DAPR sp. z o.o.", "type": "vendor", "subtype": "DORA support vendor", "summary": "DAPR sp. z o.o. is represented as the producer of a vendor-owned DORA support product.", "description": "DAPR sp. z o.o. appears only through its own public product material. Supports edges are due-diligence evidence, not ESA endorsement.", "url": "https://doraregister.io/", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Vendor-owned claim refresh cadence / product-scope changes / support-edge discipline" }, { "id": "ctpp-designation", "label": "DORA Article 31(9) CTPP designation", "type": "status-class", "subtype": "CTPP designation class", "summary": "Status class for first-batch critical ICT third-party providers designated under DORA Article 31(9).", "description": "The ESAs published the first Article 31(9) list on 18 November 2025. The list names providers but does not publish LEIs.", "url": "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "status-class", "ctpp", "first-batch" ], "isFinrayProduct": false, "coiNote": null, "watching": "Designation refresh cycle / lead-overseer assignment / oversight-fee and examination programme" }, { "id": "eu-eea", "label": "European Union / European Economic Area", "type": "jurisdiction", "subtype": "EU/EEA", "summary": "Jurisdiction perimeter for DORA Article 28 RTS/ITS and ESA Article 31(9) CTPP designation.", "description": "DORA applies across the Union financial-sector perimeter, with EEA relevance handled through the European Economic Area framework.", "url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "jurisdiction", "eu", "eea" ], "isFinrayProduct": false, "coiNote": null, "watching": "EU/EEA application perimeter / ESA publication updates / national-competent-authority routing changes" }, { "id": "vendor-finray-technologies-ltd", "label": "Finray Technologies Ltd", "type": "vendor", "subtype": "Finray product publisher", "summary": "Finray Technologies Ltd is the publisher of Ordinis, included here only to satisfy product provenance for the recused Ordinis node.", "description": "Finray Technologies Ltd is represented as the producer of Ordinis. The vendor node is not ranked, scored or treated as evidence of control satisfaction.", "url": "https://finray.tech/", "evidence": [ "https://finray.tech/, accessed 2026-05-10", "https://ordinis.io/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "finray", "ordinis", "coi" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor standing recusal language and product-source boundaries for Ordinis references." }, { "id": "prod-ordinis", "label": "Ordinis (recused)", "type": "product", "subtype": "product or service surface", "summary": "Ordinis is a Finray Technologies Ltd compliance-operations product included as a recused vendor-universe entry.", "description": "Ordinis is represented for buyer due diligence under Finray Intelligence recusal. The node does not create ranking, scoring or control-support conclusions.", "url": "https://ordinis.io/", "evidence": [ "https://ordinis.io/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "product", "ordinis", "finray-product", "coi" ], "isFinrayProduct": true, "coiNote": "Finray Technologies Ltd ships Ordinis. The product appears in this radar vendor universe with a recusal flag; no ranking, scoring or best-of position is implied. See /intelligence/ cluster footer for the standing recusal language.", "watching": "Ordinis (recused) — Finray Technologies Ltd compliance-operations platform; vendor universe entry." }, { "id": "vendor-kpmg-eu", "label": "KPMG (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "KPMG (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "KPMG (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html", "evidence": [ "https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-ey-eu", "label": "EY (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "EY (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "EY (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act", "evidence": [ "https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-deloitte-eu", "label": "Deloitte (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "Deloitte (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "Deloitte (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html", "evidence": [ "https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-pwc-eu", "label": "PwC (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "PwC (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "PwC (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html", "evidence": [ "https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-bdo-eu", "label": "BDO (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "BDO (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "BDO (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act", "evidence": [ "https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-grant-thornton-eu", "label": "Grant Thornton (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "Grant Thornton (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "Grant Thornton (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/", "evidence": [ "https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-forvis-mazars-eu", "label": "Forvis Mazars (EU member firms)", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "Forvis Mazars (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "Forvis Mazars (EU member firms) appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora", "evidence": [ "https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "vendor-rsm-global", "label": "RSM Global", "type": "vendor", "subtype": "DORA audit and advisory vendor", "summary": "RSM Global is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.", "description": "RSM Global appears through public DORA advisory material. Evidence-for edges identify due-diligence surfaces, not regulator endorsement or implementation sufficiency.", "url": "https://www.rsm.global/insights/digital-operational-resilience-act-dora", "evidence": [ "https://www.rsm.global/insights/digital-operational-resilience-act-dora, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "vendor", "audit-firm", "vendor-owned-evidence" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor public DORA assurance materials for scope changes affecting Article 28 control evidence." }, { "id": "regulator-bafin-dora-portal", "label": "BaFin DORA implementation portal", "type": "regulator", "subtype": "national competent authority DORA portal", "summary": "BaFin DORA implementation portal is a national competent authority portal for DORA implementation evidence.", "description": "BaFin DORA implementation portal: national implementation and supervisory-communications surface for DORA-scope financial entities.", "url": "https://www.bafin.de/EN/Aufsicht/Bankenaufsicht/EinheitlicherAufsichtsmechanismus/DORA/dora_node_en.html", "evidence": [ "https://www.bafin.de/EN/Aufsicht/Bankenaufsicht/EinheitlicherAufsichtsmechanismus/DORA/dora_node_en.html, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "national-competent-authority", "dora-portal" ], "isFinrayProduct": false, "coiNote": null, "watching": "BaFin DORA implementation portal; consolidated German FI guidance for the Article 28 RTS Pack." }, { "id": "regulator-acpr-dora-portal", "label": "ACPR DORA portal", "type": "regulator", "subtype": "national competent authority DORA portal", "summary": "ACPR DORA portal is a national competent authority portal for DORA implementation evidence.", "description": "ACPR DORA portal: national implementation and supervisory-communications surface for DORA-scope financial entities.", "url": "https://acpr.banque-france.fr/en/european-and-international/dora-regulation-eu-20222554", "evidence": [ "https://acpr.banque-france.fr/en/european-and-international/dora-regulation-eu-20222554, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "national-competent-authority", "dora-portal" ], "isFinrayProduct": false, "coiNote": null, "watching": "ACPR DORA portal; French supervisory guidance for DORA implementation and Article 28 reporting expectations." }, { "id": "regulator-cssf-dora-portal", "label": "CSSF DORA pages (Luxembourg)", "type": "regulator", "subtype": "national competent authority DORA portal", "summary": "CSSF DORA pages (Luxembourg) is a national competent authority portal for DORA implementation evidence.", "description": "CSSF DORA pages (Luxembourg): national implementation and supervisory-communications surface for DORA-scope financial entities.", "url": "https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/", "evidence": [ "https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "national-competent-authority", "dora-portal" ], "isFinrayProduct": false, "coiNote": null, "watching": "CSSF DORA pages; Luxembourg ICT and cyber-risk guidance for DORA entities." }, { "id": "regulator-mfsa-dora-portal", "label": "MFSA DORA implementation circulars (Malta)", "type": "regulator", "subtype": "national competent authority DORA portal", "summary": "MFSA DORA implementation circulars (Malta) is a national competent authority portal for DORA implementation evidence.", "description": "MFSA DORA implementation circulars (Malta): national implementation and supervisory-communications surface for DORA-scope financial entities.", "url": "https://www.mfsa.mt/our-work/financial-services-regulation/dora/", "evidence": [ "https://www.mfsa.mt/our-work/financial-services-regulation/dora/, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulator", "national-competent-authority", "dora-portal" ], "isFinrayProduct": false, "coiNote": null, "watching": "MFSA DORA implementation circulars; Malta supervisory notices for DORA implementation." }, { "id": "commission-delegated-regulation-2024-1502", "label": "Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria: criticality criteria for CTPP designation under DORA Article 31(6).", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." }, { "id": "commission-delegated-regulation-2024-1505", "label": "Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees: Lead Overseer oversight fees under DORA Article 43.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1505/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1505/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." }, { "id": "commission-delegated-regulation-2024-1772", "label": "Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification: ICT-related incident classification under DORA Article 18.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." }, { "id": "commission-delegated-regulation-2024-1774", "label": "Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management: ICT risk management under DORA Article 15.", "url": "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." }, { "id": "commission-delegated-regulation-2025-295", "label": "Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct: oversight conduct for critical ICT third-party providers.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/295/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/295/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." }, { "id": "commission-delegated-regulation-2025-420", "label": "Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams", "type": "regulation", "subtype": "companion Commission delegated regulation", "summary": "Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams is a companion Commission act inside the DORA Article 28-35 perimeter.", "description": "Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams: Joint Examination Teams under DORA Article 40.", "url": "https://eur-lex.europa.eu/eli/reg_del/2025/420/oj", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/420/oj, accessed 2026-05-10" ], "tags": [ "dora-rts-its-pack", "regulation", "commission-delegated-regulation", "companion-act" ], "isFinrayProduct": false, "coiNote": null, "watching": "Monitor EUR-Lex consolidation and DORA Article 28-35 perimeter interactions." } ], "edges": [ { "source": "commission-delegated-regulation-2024-1773", "target": "dora-article-28", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "dora-article-28", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "dora-article-30", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "dora-article-28", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "dora-article-30", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "dora-article-31", "type": "implements", "label": "implements", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "european-commission", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "european-commission", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "european-commission", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "dora-article-31", "target": "esas-joint-committee", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "dora-article-32", "target": "eba", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "dora-article-32", "target": "esma", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "dora-article-32", "target": "eiopa", "type": "issued-by", "label": "issued by", "strength": "full", "evidence": [ "https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-01", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-02", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-03", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-04", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-05", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-07", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-09", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-10", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-11", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-13", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-14", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-15", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-16", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-17", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-18", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-19", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-21", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-22", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-23", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-24", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-25", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-26", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-27", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-28", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-29", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-30", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-31", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-32", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-33", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-34", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-35", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-36", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-38", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "roi-39", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-01", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-02", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-03", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-04", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-05", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-06", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-08", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-09", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-10", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-11", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-12", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-13", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-14", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "pol-16", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-01", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-03", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-04", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-05", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-06", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-07", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-08", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-09", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-10", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-11", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-13", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-14", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "sub-15", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "iso-27001", "target": "pol-09", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.iso.org/isoiec-27001-information-security.html, accessed 2026-05-10" ] }, { "source": "iso-27001", "target": "pol-10", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.iso.org/isoiec-27001-information-security.html, accessed 2026-05-10" ] }, { "source": "iso-27001", "target": "pol-13", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.iso.org/isoiec-27001-information-security.html, accessed 2026-05-10" ] }, { "source": "nis2-directive-2022-2555", "target": "sub-11", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/dir/2022/2555/oj, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "roi-09", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "roi-14", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "roi-17", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "roi-30", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "roi-39", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "pol-14", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-09", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-17", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-30", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-31", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-36", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "roi-39", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "pol-08", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "sub-05", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "sub-10", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "docusign-clm-dora-monitoring", "target": "roi-09", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ] }, { "source": "docusign-clm-dora-monitoring", "target": "pol-12", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ] }, { "source": "docusign-clm-dora-monitoring", "target": "pol-13", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "roi-09", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "roi-14", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "roi-17", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "roi-30", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "roi-39", "type": "supports", "label": "supports", "strength": "partial", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "ctpp-accenture-plc", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-amazon-web-services-emea-sarl", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-bloomberg-l-p", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-capgemini-se", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-colt-technology-services", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-deutsche-telekom-ag", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-equinix-emea-b-v", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-fidelity-national-information-services", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-google-cloud-emea-limited", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-international-business-machine-corporati", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-interxion-headquarters-b-v", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-kyndryl-inc", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-lseg-data-and-risk-limited", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-microsoft-ireland-operations-limited", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-ntt-data-inc", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-oracle-nederland-b-v", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-orange-sa", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-sap-se", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-tata-consultancy-services-limited", "target": "dora-article-31", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-09", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/e741af97-50b2-4271-ae51-779c9ffa60a0/ESA_2024_35%20DORA%20Dry%20Run%20Exercise%20on%20the%20reporting%20of%20register%20of%20information%20-%20Summary%20report.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-14", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/e741af97-50b2-4271-ae51-779c9ffa60a0/ESA_2024_35%20DORA%20Dry%20Run%20Exercise%20on%20the%20reporting%20of%20register%20of%20information%20-%20Summary%20report.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-17", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/e741af97-50b2-4271-ae51-779c9ffa60a0/ESA_2024_35%20DORA%20Dry%20Run%20Exercise%20on%20the%20reporting%20of%20register%20of%20information%20-%20Summary%20report.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-30", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/e741af97-50b2-4271-ae51-779c9ffa60a0/ESA_2024_35%20DORA%20Dry%20Run%20Exercise%20on%20the%20reporting%20of%20register%20of%20information%20-%20Summary%20report.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-01", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-03/1e861344-e19d-4881-9b8b-6e530eb7f2c7/DORA%20RoI%20reporting%20FAQ.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-09", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-03/1e861344-e19d-4881-9b8b-6e530eb7f2c7/DORA%20RoI%20reporting%20FAQ.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-14", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-03/1e861344-e19d-4881-9b8b-6e530eb7f2c7/DORA%20RoI%20reporting%20FAQ.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-39", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-03/1e861344-e19d-4881-9b8b-6e530eb7f2c7/DORA%20RoI%20reporting%20FAQ.pdf, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-01", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2025_7388, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-04", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2025_7388, accessed 2026-05-10" ] }, { "source": "eba", "target": "dora-article-28", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2025_7388, accessed 2026-05-10" ] }, { "source": "eba", "target": "roi-17", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2024_7290, accessed 2026-05-10" ] }, { "source": "esas-joint-committee", "target": "pol-01", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/1b2c5f3e-e5ac-42b3-9eca-1e9bcc2b29c7/JC%202024%2099%20-%20ESAs%20Statement%20on%20DORA%20application.pdf, accessed 2026-05-10" ] }, { "source": "esas-joint-committee", "target": "pol-08", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/1b2c5f3e-e5ac-42b3-9eca-1e9bcc2b29c7/JC%202024%2099%20-%20ESAs%20Statement%20on%20DORA%20application.pdf, accessed 2026-05-10" ] }, { "source": "esas-joint-committee", "target": "pol-14", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/1b2c5f3e-e5ac-42b3-9eca-1e9bcc2b29c7/JC%202024%2099%20-%20ESAs%20Statement%20on%20DORA%20application.pdf, accessed 2026-05-10" ] }, { "source": "esas-joint-committee", "target": "pol-16", "type": "evidence-for", "label": "evidence for", "strength": "indirect", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2024-12/1b2c5f3e-e5ac-42b3-9eca-1e9bcc2b29c7/JC%202024%2099%20-%20ESAs%20Statement%20on%20DORA%20application.pdf, accessed 2026-05-10" ] }, { "source": "servicenow-digital-resilience-registers", "target": "vendor-servicenow", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html, accessed 2026-05-10" ] }, { "source": "processunity-dora-compliance-software", "target": "vendor-processunity", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://www.processunity.com/dora-compliance-software/, accessed 2026-05-10" ] }, { "source": "docusign-clm-dora-monitoring", "target": "vendor-docusign", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://www.docusign.com/en-gb/solutions/industries/financial-services/dora, accessed 2026-05-10" ] }, { "source": "dapr-dora-register-solution", "target": "vendor-dapr", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://doraregister.io/, accessed 2026-05-10" ] }, { "source": "ctpp-accenture-plc", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-accenture-plc", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-amazon-web-services-emea-sarl", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-amazon-web-services-emea-sarl", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-bloomberg-l-p", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-bloomberg-l-p", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-capgemini-se", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-capgemini-se", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-colt-technology-services", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-colt-technology-services", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-deutsche-telekom-ag", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-deutsche-telekom-ag", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-equinix-emea-b-v", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-equinix-emea-b-v", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-fidelity-national-information-services", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-fidelity-national-information-services", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-google-cloud-emea-limited", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-google-cloud-emea-limited", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-international-business-machine-corporati", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-international-business-machine-corporati", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-interxion-headquarters-b-v", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-interxion-headquarters-b-v", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-kyndryl-inc", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-kyndryl-inc", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-lseg-data-and-risk-limited", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-lseg-data-and-risk-limited", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-microsoft-ireland-operations-limited", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-microsoft-ireland-operations-limited", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-ntt-data-inc", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-ntt-data-inc", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-oracle-nederland-b-v", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-oracle-nederland-b-v", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-orange-sa", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-orange-sa", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-sap-se", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-sap-se", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-tata-consultancy-services-limited", "target": "ctpp-designation", "type": "classified-as", "label": "classified as", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "ctpp-tata-consultancy-services-limited", "target": "eu-eea", "type": "located-in", "label": "located in", "strength": "full", "evidence": [ "https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf, accessed 2026-05-10" ] }, { "source": "dora-2022-2554", "target": "eu-eea", "type": "applies-to", "label": "applies to", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1773", "target": "eu-eea", "type": "applies-to", "label": "applies to", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "commission-implementing-regulation-2024-2956", "target": "eu-eea", "type": "applies-to", "label": "applies to", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-532", "target": "eu-eea", "type": "applies-to", "label": "applies to", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-01", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-02", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-03", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-04", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-05", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-06", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-08", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-09", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-10", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-11", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-12", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-13", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-14", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "pol-16", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-01", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-02", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-03", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-04", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-05", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-07", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-09", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-10", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-11", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-13", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-14", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-15", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-16", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-17", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-18", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-19", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-21", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-22", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-23", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-24", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-25", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-26", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-27", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-28", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-29", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-30", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-31", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-32", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-33", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-34", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-35", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-36", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-38", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "dora-article-28", "target": "roi-39", "type": "requires", "label": "requires", "strength": "full", "evidence": [ "https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10" ] }, { "source": "prod-ordinis", "target": "vendor-finray-technologies-ltd", "type": "produced-by", "label": "produced by", "strength": "full", "evidence": [ "https://ordinis.io/, accessed 2026-05-10" ] }, { "source": "vendor-kpmg-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-kpmg-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-kpmg-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-ey-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-ey-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-ey-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-deloitte-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-deloitte-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-deloitte-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-pwc-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-pwc-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-pwc-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html, accessed 2026-05-10" ] }, { "source": "vendor-bdo-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-bdo-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-bdo-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act, accessed 2026-05-10" ] }, { "source": "vendor-grant-thornton-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/, accessed 2026-05-10" ] }, { "source": "vendor-grant-thornton-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/, accessed 2026-05-10" ] }, { "source": "vendor-grant-thornton-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/, accessed 2026-05-10" ] }, { "source": "vendor-forvis-mazars-eu", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora, accessed 2026-05-10" ] }, { "source": "vendor-forvis-mazars-eu", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora, accessed 2026-05-10" ] }, { "source": "vendor-forvis-mazars-eu", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora, accessed 2026-05-10" ] }, { "source": "vendor-rsm-global", "target": "pol-09", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.rsm.global/insights/digital-operational-resilience-act-dora, accessed 2026-05-10" ] }, { "source": "vendor-rsm-global", "target": "sub-04", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.rsm.global/insights/digital-operational-resilience-act-dora, accessed 2026-05-10" ] }, { "source": "vendor-rsm-global", "target": "roi-38", "type": "evidence-for", "label": "evidence for", "strength": "partial", "evidence": [ "https://www.rsm.global/insights/digital-operational-resilience-act-dora, accessed 2026-05-10" ] }, { "source": "regulator-bafin-dora-portal", "target": "dora-2022-2554", "type": "complementary-to", "label": "implementation portal for", "strength": "indirect", "evidence": [ "https://www.bafin.de/EN/Aufsicht/Bankenaufsicht/EinheitlicherAufsichtsmechanismus/DORA/dora_node_en.html, accessed 2026-05-10" ] }, { "source": "regulator-acpr-dora-portal", "target": "dora-2022-2554", "type": "complementary-to", "label": "implementation portal for", "strength": "indirect", "evidence": [ "https://acpr.banque-france.fr/en/european-and-international/dora-regulation-eu-20222554, accessed 2026-05-10" ] }, { "source": "regulator-cssf-dora-portal", "target": "dora-2022-2554", "type": "complementary-to", "label": "implementation portal for", "strength": "indirect", "evidence": [ "https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/, accessed 2026-05-10" ] }, { "source": "regulator-mfsa-dora-portal", "target": "dora-2022-2554", "type": "complementary-to", "label": "implementation portal for", "strength": "indirect", "evidence": [ "https://www.mfsa.mt/our-work/financial-services-regulation/dora/, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1502", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1505", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1505/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1772", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2024-1774", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-295", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/295/oj, accessed 2026-05-10" ] }, { "source": "commission-delegated-regulation-2025-420", "target": "dora-2022-2554", "type": "complementary-to", "label": "complementary to", "strength": "indirect", "evidence": [ "https://eur-lex.europa.eu/eli/reg_del/2025/420/oj, accessed 2026-05-10" ] } ], "legend": { "regulator": { "color": "#4B6CB7", "shape": "round-rectangle", "note": "Public authority or supervisory-source body" }, "regulation": { "color": "#8B4513", "shape": "hexagon", "note": "Binding DORA legal act, article or technical standard" }, "standard": { "color": "#2E8B57", "shape": "rectangle", "note": "Adjacent standard or cyber-resilience framework" }, "control": { "color": "#F39C12", "shape": "diamond", "note": "Entity-level RoI, policy or subcontracting control" }, "vendor": { "color": "#7F8C8D", "shape": "ellipse", "note": "Vendor with public DORA support material" }, "product": { "color": "#16A085", "shape": "vee", "note": "Vendor-owned product surface mapped through supports edges only" }, "licensed-entity": { "color": "#C0392B", "shape": "octagon", "note": "First-batch DORA Article 31(9) CTPP" }, "status-class": { "color": "#8E44AD", "shape": "triangle", "note": "CTPP designation class" }, "jurisdiction": { "color": "#34495E", "shape": "star", "note": "Jurisdiction perimeter" } } }