# DORA Article 28 RTS/ITS Pack — entity-level RoI, third-party-policy and subcontracting controls

The DORA Article 28 RTS/ITS Pack — Delegated Regulations 2024/1773 + 2025/532 and Implementing Regulation 2024/2956 — defines entity-level RoI templates, third-party-policy controls and subcontracting controls for ICT services supporting critical or important functions. The radar maps 34 RoI fields, 14 policy controls, 13 subcontracting controls and the 19 first-batch CTPPs. Ordinis recused.

- Source: https://finray.tech/intelligence/dora-rts-its-pack/
- Cluster: Authority
- Published: 2026-05-10
- Updated: 2026-05-11
- Publisher: Finray Technologies Ltd, Cyprus Companies Registry HE 445903
- Editorial principle: primary sources only; conflicts of interest disclosed inline

---


The DORA Article 28 RTS/ITS Pack is the entity-level rule set that tells a financial entity what must sit behind its Register of Information, its policy for ICT services supporting critical or important functions, and its subcontracting-chain controls. The pack comprises Commission Delegated Regulation (EU) 2024/1773 on ICT third-party policy, in force from 15 July 2024; Commission Delegated Regulation (EU) 2025/532 on subcontracting, in force from 22 July 2025; and Commission Implementing Regulation (EU) 2024/2956 on standard RoI templates, in force from 22 December 2024. This radar is the WHAT counterpart to the existing DORA Article 28 RoI tracker, which maps the WHERE surface of NCA submission channels and ESA forwarding.

Ordinis is recused. Finray Technologies Ltd ships Ordinis, the compliance-operations layer for ICT third-party risk and DORA-Article-28-anchored register-of-information workflow. Where Ordinis materials cover one of the controls below, the vendor evidence is captured in the graph with the standard `supports` edge from product to control; no ranking, scoring, league-table position or "best-of" recommendation is implied. The same disclosure applies on every Finray Intelligence radar where a Finray product evidences a control in scope; see the cluster footer on `/intelligence/` for the standing recusal language.

Primary sources: https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10.

## The three implementing acts

Commission Delegated Regulation (EU) 2024/1773 is the policy RTS under DORA Article 28(10). It turns the general Article 28 duty to manage ICT third-party risk into a written-policy operating model: management-body adoption, annual review, a method for deciding which ICT services support critical or important functions, named internal responsibilities, lifecycle governance, pre-contract risk assessment, due diligence, conflicts-of-interest assessment, Article 30 clause alignment, ongoing monitoring and exit planning. It is the bridge between a policy document and evidence that the contracting lifecycle actually follows the policy.

Commission Implementing Regulation (EU) 2024/2956 is the Article 28(9) ITS on standard templates for the Register of Information. It is an Implementing Regulation, not a delegated regulation, and it defines the RoI as a relational data product: entity identity, group hierarchy, contractual-arrangement references, provider identifiers, function identifiers, ICT service taxonomy, data locations, supply-chain rank, audits and exit fields. It also sets completion logic, data-quality expectations and the Annex III ICT service taxonomy.

Commission Delegated Regulation (EU) 2025/532 is the subcontracting RTS. It applies when ICT services support a critical or important function, or material parts of such a function, and asks whether subcontracting is permitted, how risk factors are assessed, whether the direct ICT third-party provider can identify and monitor relevant subcontractors, how access and inspection rights flow through the chain, how location and data-processing risks are assessed, and what notification, objection, modification and termination rights exist.

## Companion Commission acts

The Article 28 RTS/ITS Pack does not stand alone. Six companion Commission instruments operate inside the same DORA Article 28–35 perimeter and the radar carries `complementary-to` edges to each: Commission Delegated Regulation (EU) 2024/1502 (criticality criteria for CTPP designation under DORA Article 31(6)), Commission Delegated Regulation (EU) 2024/1505 (Lead Overseer oversight fees under DORA Article 43), Commission Delegated Regulation (EU) 2024/1772 (RTS on ICT-related incident classification under DORA Article 18), Commission Delegated Regulation (EU) 2024/1774 (RTS on ICT risk management under DORA Article 15), Commission Delegated Regulation (EU) 2025/295 (RTS on oversight conduct), and Commission Delegated Regulation (EU) 2025/420 (RTS on Joint Examination Teams under DORA Article 40).

The Treaty basis matters at the legislative-act-class level. Article 290 TFEU empowers the Commission to adopt **delegated** acts — non-legislative acts of general application that supplement or amend non-essential elements of the legislative act. Article 291 TFEU empowers the Commission to adopt **implementing** acts — non-legislative acts laying down uniform conditions for implementing legally binding Union acts. In the DORA Article 28 pack, Commission Delegated Regulation (EU) 2024/1773 (third-party policy) and Commission Delegated Regulation (EU) 2025/532 (subcontracting) are **Delegated Regulations** under Article 290 — they supplement Article 28(10) and Article 30(5) with detailed content the legislator did not specify. Commission Implementing Regulation (EU) 2024/2956 (RoI templates) is an **Implementing Regulation** under Article 291 — it lays down uniform templates for implementing the Article 28(9) reporting duty. The distinction surfaces in the EUR-Lex ELI URL structure (`reg_del` versus `reg_impl`) and in the legislative-act-class field on every node in this radar.

## Subcontracting RTS rejection-readoption history

Commission Delegated Regulation (EU) 2025/532 (subcontracting) did not pass on the first attempt. The ESAs delivered draft RTS to the Commission in early 2024 containing an Article 5 chain-wide monitoring requirement: financial entities would have had to monitor every link in the ICT subcontracting chain end-to-end, not just the direct provider's monitoring of its own subcontractors. The Commission rejected the draft on the basis that chain-wide monitoring sat outside the Article 30(5) empowerment, which limits the RTS to "elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions". The ESAs issued a revised opinion on 7 March 2025 narrowing Article 5 to the direct-provider monitoring perimeter, and the readopted instrument entered into force as Commission Delegated Regulation (EU) 2025/532 on 22 July 2025.

The operational consequence for financial entities: ongoing monitoring under Article 5 of Commission Delegated Regulation (EU) 2025/532 covers the direct ICT third-party provider's processes for selecting, governing, supervising and terminating its own subcontractors that perform critical or important functions. It does not require the financial entity itself to monitor every subcontractor several layers down the chain. The contractual flow-through of audit, access and termination rights remains, but the monitoring perimeter at the financial-entity level is bounded.

## What the RoI must contain

The RoI field layer starts with the entity table. B_01 requires the financial entity's LEI at B_01.01.0010, its legal name, country, entity type and, where relevant, group hierarchy and total-asset data. These are not decorative fields; they are the join keys used by the entity, the group and the competent authority to reconcile who is maintaining the register and which licence perimeter the record belongs to.

B_02 then moves to the contractual arrangement. The radar treats the contractual arrangement reference number at B_02.01.0010 as the stable spine of the register, because every later service, provider, cost, date, governing-law, notice-period and data-location field depends on it. B_02 also captures whether the arrangement is standalone, overarching or associated, the annual expense or estimated cost, the identification code of the ICT third-party provider, the type of code used, the function identifier, the ICT service type and the start and end dates.

B_05 is where the RoI stops being a flat vendor list. It records the ICT service supply-chain rank at B_05.02.0050, with the direct provider at rank 1 and subcontractors ranked below it. B_05 also identifies the recipient of subcontracted ICT services. Read with the subcontracting RTS, those fields force a chain view: provider identity, recipient, role, rank and materiality need to be explainable, not merely named.

B_06 connects services to functions. The function identifier links an ICT service to the function it supports, while the criticality or importance assessment and its last-assessment date show whether the service supports a critical or important function. Recovery time objective and recovery point objective fields turn continuity assumptions into reportable data. B_07 then adds the audit and exit layer: substitutability of the ICT third-party provider, date of last audit and exit-plan existence at B_07.01.0090.
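The join-key and chain-rank logic described in this section can be checked mechanically before a register is submitted. The following is an added example, not code from Finray or from the ITS: it uses only the four template codes quoted above, and every other key (`contract_ref`, `provider`, `recipient`, `supports_cif`) and all sample rows are constructed for illustration. It assumes the LEI follows the ISO 17442 check-digit scheme (ISO 7064 MOD 97-10) and that the recipient of a subcontracted service sits exactly one rank above the subcontractor.

```python
import re
from collections import defaultdict

# Template codes quoted on this page; every other key below is a hypothetical label.
LEI = "B_01.01.0010"        # LEI of the entity maintaining the register
CONTRACT = "B_02.01.0010"   # contractual arrangement reference number
RANK = "B_05.02.0050"       # ICT service supply-chain rank (direct provider = 1)
EXIT_PLAN = "B_07.01.0090"  # exit-plan existence

def lei_digits(s):
    # ISO 7064 MOD 97-10 conversion: A..Z become 10..35, digits are unchanged
    return int("".join(str(int(c, 36)) for c in s))

def make_lei(base18):
    """Append valid check digits to an 18-character base (for sample data only)."""
    return base18 + f"{98 - lei_digits(base18 + '00') % 97:02d}"

def is_valid_lei(lei):
    return bool(re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", lei)) and lei_digits(lei) % 97 == 1

def check_register(entity, contracts, chain, exits):
    """Return sorted (finding, contract_ref) pairs for one register extract."""
    findings = set()
    if not is_valid_lei(entity.get(LEI, "")):
        findings.add(("entity-lei-invalid", "-"))

    # The contract reference is the spine: it must be present and unique.
    refs = [c.get(CONTRACT, "") for c in contracts]
    for ref in refs:
        if not ref or refs.count(ref) > 1:
            findings.add(("contract-ref-missing-or-duplicate", ref or "-"))
    known = set(refs) - {""}

    # Supply-chain rows must join back to a known contract.
    by_contract = defaultdict(list)
    for row in chain:
        if row["contract_ref"] not in known:
            findings.add(("orphan-chain-row", row["contract_ref"]))
        else:
            by_contract[row["contract_ref"]].append(row)

    for ref in sorted(known):
        rows = by_contract[ref]
        ranks = sorted({r[RANK] for r in rows})
        if 1 not in ranks:
            findings.add(("no-direct-provider-at-rank-1", ref))
        if ranks != list(range(1, len(ranks) + 1)):
            findings.add(("rank-gap", ref))
        for r in rows:
            if r[RANK] > 1:
                # Assumption: the recipient is a provider one rank up the chain.
                upstream = {x["provider"] for x in rows if x[RANK] == r[RANK] - 1}
                if r.get("recipient") not in upstream:
                    findings.add(("recipient-not-one-rank-up", ref))

    # Exit layer: contracts supporting a critical or important function
    # need a recorded exit plan.
    with_exit = {e["contract_ref"] for e in exits if e.get(EXIT_PLAN)}
    for e in exits:
        if e["contract_ref"] not in known:
            findings.add(("orphan-exit-row", e["contract_ref"]))
    for c in contracts:
        if c.get("supports_cif") and c.get(CONTRACT) not in with_exit:
            findings.add(("cif-contract-without-exit-plan", c.get(CONTRACT) or "-"))
    return sorted(findings)

# Constructed sample extract with deliberate defects in CA-002, CA-003 and CA-999.
SAMPLE_ENTITY = {LEI: make_lei("CONSTRUCTED0000001")}
SAMPLE_CONTRACTS = [
    {CONTRACT: "CA-001", "supports_cif": True},
    {CONTRACT: "CA-002", "supports_cif": True},
    {CONTRACT: "CA-003", "supports_cif": False},
]
SAMPLE_CHAIN = [
    {"contract_ref": "CA-001", "provider": "ProviderA", RANK: 1, "recipient": None},
    {"contract_ref": "CA-001", "provider": "SubB", RANK: 2, "recipient": "ProviderA"},
    {"contract_ref": "CA-002", "provider": "ProviderC", RANK: 1, "recipient": None},
    {"contract_ref": "CA-002", "provider": "SubD", RANK: 3, "recipient": "SubX"},
    {"contract_ref": "CA-999", "provider": "ProviderE", RANK: 1, "recipient": None},
]
SAMPLE_EXITS = [
    {"contract_ref": "CA-001", EXIT_PLAN: True},
    {"contract_ref": "CA-002", EXIT_PLAN: False},
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_ENTITY, SAMPLE_CONTRACTS,
                                  SAMPLE_CHAIN, SAMPLE_EXITS):
        print(finding)
```

Each finding names the contract reference it hangs off, so a data owner can trace a broken join or an unexplained rank back to one arrangement.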

## Third-party policy and subcontracting controls

The policy RTS controls are lifecycle controls. Before contract signature, the entity should be able to show management-body adoption, annual policy review, a criticality methodology, named internal responsibilities and an independent review or audit plan. Pre-contract diligence then covers legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks, plus due diligence on the provider's ability, expertise, resources and information-security standards.

At contract stage, the policy RTS looks for DORA Article 30(2) and 30(3) clause alignment. That means clause matrices, negotiated-deviation records, access and inspection rights, audit and ICT testing rights, and evidence that certificates or third-party reports are used with scope controls rather than as a substitute for direct assurance. After signature, ongoing service monitoring, incident reporting, service and security reporting, corrective-action tracking and documented exit planning become the recurring proof points.

The subcontracting RTS overlays the supply chain. It asks for risk factors before subcontracting is used; a pre-contract decision on whether subcontracting is permitted; due diligence on the direct provider's subcontractor selection and monitoring process; capacity to identify all relevant subcontractors; contractual conditions that let the financial entity comply with DORA; same access and inspection rights through the chain; ongoing reporting; location, data-processing and data-storage assessment; advance notification of material changes; objection or modification rights; and a termination right where subcontracting is unauthorised or objected to.

## First-batch CTPP designations

On 18 November 2025, the ESAs published the first DORA Article 31(9) list of critical ICT third-party providers after collecting RoI data, assessing criticality with competent authorities and notifying providers before final decisions. The list is a designation outcome, not a provider-service taxonomy and not a legal-entity identifier register. Primary source: ESA Article 31(9) CTPP designation list, accessed 2026-05-10.

The hyperscaler and enterprise-software group is Amazon Web Services EMEA Sarl, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, International Business Machines Corporation, Oracle Nederland B.V. and SAP SE; the system-integrator and consulting group is Accenture plc, Capgemini SE, Kyndryl Inc., NTT DATA Inc. and Tata Consultancy Services Limited. The data and market-infrastructure group is Bloomberg L.P., LSEG Data and Risk Limited and Fidelity National Information Services, Inc.; the telecom and infrastructure group is Colt Technology Services, Deutsche Telekom AG, Equinix (EMEA) B.V., InterXion HeadQuarters B.V. and Orange SA.

The ESA list does not publish LEIs, and this radar does not infer them. The operator-lane reconciliation register at `/tmp/finray-gleif/ctpp-lei-reconciliation-register.md` can support a later legal-entity lookup, but no LEI is published in this v1 graph or prose.

## How to read the radar

The graph separates regulators, regulations, supervisory standards, controls, vendors, products, CTPP licensed-entity nodes, a CTPP designation status class and the EU/EEA jurisdiction perimeter. Regulator nodes use round rectangles, regulation nodes use hexagons, standards use rectangles, controls use diamonds, vendors use ellipses, products use vee shapes, CTPP nodes use octagons, status classes use triangles and the jurisdiction node uses a star.

The main reading paths are regulation to control, implementing act to parent DORA article, provider designation to status class, provider designation to DORA Article 31, and product to control. Vendor-owned materials appear only as `supports` edges. A `supports` edge means the vendor or product page describes functionality relevant to a control surface; it does not mean the ESAs, the Commission or a national competent authority has endorsed that vendor, accepted a buyer's implementation or validated the buyer's RoI.

The control layer is deliberately atomic. RoI controls carry field accuracy, data lineage and update-cadence watch concerns. Policy controls carry policy review, management-body approval and owner-evidence watch concerns. Subcontracting controls carry onboarding diligence, chain-visibility refresh and objection-right watch concerns. That distinction keeps the radar from turning a legal pack into a generic outsourcing checklist.

## Editorial conclusion

The RTS/ITS Pack makes the entity-side DORA Article 28 obligation concrete: RoI fields define what must be reported, the policy RTS defines how the contractual lifecycle is governed, and the subcontracting RTS defines how chain visibility, rights and exit must flow beyond the direct provider. No public EU/EEA enforcement decision was identified that sanctions a financial entity specifically for DORA Article 28 RoI deficiencies at this cut-off, so the graph treats evidence gaps as public-evidence status, not proof of supervisory silence. Read with the DORA Article 28 RoI tracker, this radar answers what goes into the RoI while the existing tracker answers where the RoI goes.

This radar should be read alongside [/intelligence/dora-article-28-roi-tracker/](/intelligence/dora-article-28-roi-tracker/) for the supervisory pathway, NCA portal status and ESA forwarding deadlines; [/intelligence/amlr-amla-implementation-tracker/](/intelligence/amlr-amla-implementation-tracker/) for the parallel AMLR/AMLD6 implementation map; [/intelligence/deployment-topology-regulatory-alignment/](/intelligence/deployment-topology-regulatory-alignment/) for cloud-deployment-topology overlap with DORA Article 30 contractual provisions; and [/intelligence/methodology/](/intelligence/methodology/) for the source-discipline and recusal policy applied here.

---

## Reference index

### Regulators (10)

- **European Commission** — https://finance.ec.europa.eu/regulation-and-supervision/financial-services-legislation/implementing-and-delegated-acts/digital-operational-resilience-regulation_en — European Commission is a public authority or public-source body used for DORA RTS/ITS evidence.
- **European Banking Authority** — https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act/preparation-dora-application — European Banking Authority is a public authority or public-source body used for DORA RTS/ITS evidence.
- **European Securities and Markets Authority** — https://www.esma.europa.eu/digital-finance-and-innovation/digital-operational-resilience-act-dora — European Securities and Markets Authority is a public authority or public-source body used for DORA RTS/ITS evidence.
- **European Insurance and Occupational Pensions Authority** — https://www.eiopa.europa.eu/esas-publish-list-critical-third-party-providers-under-dora-2025-11-18_en — European Insurance and Occupational Pensions Authority is a public authority or public-source body used for DORA RTS/ITS evidence.
- **ESAs Joint Committee** — https://www.eba.europa.eu/publications-and-media/press-releases/esas-publish-list-critical-third-party-providers-under-dora — ESAs Joint Committee is a public authority or public-source body used for DORA RTS/ITS evidence.
- **ENISA** — https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive/finance — ENISA is a public authority or public-source body used for DORA RTS/ITS evidence.
- **BaFin DORA implementation portal** — https://www.bafin.de/EN/Aufsicht/Bankenaufsicht/EinheitlicherAufsichtsmechanismus/DORA/dora_node_en.html — BaFin DORA implementation portal is a national competent authority portal for DORA implementation evidence.
- **ACPR DORA portal** — https://acpr.banque-france.fr/en/european-and-international/dora-regulation-eu-20222554 — ACPR DORA portal is a national competent authority portal for DORA implementation evidence.
- **CSSF DORA pages (Luxembourg)** — https://www.cssf.lu/en/ict-and-cyber-risk-for-dora-entities/ — CSSF DORA pages (Luxembourg) is a national competent authority portal for DORA implementation evidence.
- **MFSA DORA implementation circulars (Malta)** — https://www.mfsa.mt/our-work/financial-services-regulation/dora/ — MFSA DORA implementation circulars (Malta) is a national competent authority portal for DORA implementation evidence.

### Regulations (18)

- **Regulation (EU) 2022/2554 (DORA)** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — Regulation (EU) 2022/2554 (DORA) is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 28** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 28 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 29** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 29 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 30** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 30 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 31** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 31 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 32** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 32 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 33** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 33 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 34** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 34 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **DORA Article 35** — https://eur-lex.europa.eu/eli/reg/2022/2554/oj — DORA Article 35 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy** — https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj — Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates** — https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj — Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting** — https://eur-lex.europa.eu/eli/reg_del/2025/532/oj — Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting is a regulatory anchor for the DORA Article 28 RTS/ITS Pack.
- **Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria** — https://eur-lex.europa.eu/eli/reg_del/2024/1502/oj — Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria is a companion Commission act inside the DORA Article 28-35 perimeter.
- **Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees** — https://eur-lex.europa.eu/eli/reg_del/2024/1505/oj — Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees is a companion Commission act inside the DORA Article 28-35 perimeter.
- **Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification** — https://eur-lex.europa.eu/eli/reg_del/2024/1772/oj — Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification is a companion Commission act inside the DORA Article 28-35 perimeter.
- **Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management** — https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj — Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management is a companion Commission act inside the DORA Article 28-35 perimeter.
- **Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct** — https://eur-lex.europa.eu/eli/reg_del/2025/295/oj — Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct is a companion Commission act inside the DORA Article 28-35 perimeter.
- **Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams** — https://eur-lex.europa.eu/eli/reg_del/2025/420/oj — Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams is a companion Commission act inside the DORA Article 28-35 perimeter.

### Standards (2)

- **Directive (EU) 2022/2555 (NIS2)** — https://eur-lex.europa.eu/eli/dir/2022/2555/oj — Directive (EU) 2022/2555 (NIS2) is an adjacent standard or legal framework used for control-context mapping.
- **ISO/IEC 27001** — https://www.iso.org/isoiec-27001-information-security.html — ISO/IEC 27001 is an adjacent standard or legal framework used for control-context mapping.

### Controls (61)

- **LEI of the financial entity maintaining the RoI** — LEI of the financial entity maintaining the RoI is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Name of the financial entity** — Name of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Country of the financial entity** — Country of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Type of financial entity** — Type of financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Hierarchy within group** — Hierarchy within group is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Value of total assets** — Value of total assets is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Contractual arrangement reference number** — Contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Type of contractual arrangement** — Type of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Overarching contractual arrangement reference number** — Overarching contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Annual expense or estimated cost** — Annual expense or estimated cost is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Identification code of the ICT TPP signing/providing service** — Identification code of the ICT TPP signing/providing service is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Type of code used to identify ICT TPP** — Type of code used to identify ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Function identifier** — Function identifier is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Type of ICT services** — Type of ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Start date of contractual arrangement** — Start date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **End date of contractual arrangement** — End date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Notice period for the financial entity** — Notice period for the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Notice period for the ICT TPP** — Notice period for the ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Country of governing law** — Country of governing law is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Country of ICT service provision** — Country of ICT service provision is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Storage of data** — Storage of data is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Location of data at rest** — Location of data at rest is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Location of data processing and management** — Location of data processing and management is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Data sensitivity** — Data sensitivity is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Level of reliance on ICT service** — Level of reliance on ICT service is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **ICT service supply-chain rank** — ICT service supply-chain rank is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Recipient of subcontracted ICT services** — Recipient of subcontracted ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Criticality or importance assessment** — Criticality or importance assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Date of last criticality assessment** — Date of last criticality assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Recovery time objective (RTO)** — Recovery time objective (RTO) is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Recovery point objective (RPO)** — Recovery point objective (RPO) is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Substitutability of ICT TPP** — Substitutability of ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Date of last audit for ICT services** — Date of last audit for ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Exit plan existence** — Exit plan existence is an entity-level RoI field control in the DORA RTS/ITS Pack.
- **Management-body adoption of written policy** — Management-body adoption of written policy is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Annual review and timely update cadence** — Annual review and timely update cadence is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Methodology for determining ICT services supporting critical or important functions** — Methodology for determining ICT services supporting critical or important functions is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Internal responsibilities and skills for approval, management, control and documentation** — Internal responsibilities and skills for approval, management, control and documentation is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Independent review or audit plan** — Independent review or audit plan is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Lifecycle governance for contractual arrangements** — Lifecycle governance for contractual arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks** — Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Due diligence on ICT TPP ability, expertise, resources and information-security standards** — Due diligence on ICT TPP ability, expertise, resources and information-security standards is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Use and limitation of audits, certifications and third-party reports** — Use and limitation of audits, certifications and third-party reports is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Conflicts-of-interest assessment, including intra-group arrangements** — Conflicts-of-interest assessment, including intra-group arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Contractual clauses aligned with DORA Article 30(2) and 30(3)** — Contractual clauses aligned with DORA Article 30(2) and 30(3) is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Access, inspection, audit and ICT testing rights** — Access, inspection, audit and ICT testing rights is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Ongoing service monitoring and incident/service/security reporting** — Ongoing service monitoring and incident/service/security reporting is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Documented exit plan for each C/I supporting ICT contractual arrangement** — Documented exit plan for each C/I supporting ICT contractual arrangement is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
- **Subcontracting risk factors determined before use** — Subcontracting risk factors determined before use is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Pre-contract decision whether subcontracting is permitted** — Pre-contract decision whether subcontracting is permitted is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Due diligence on ICT TPP subcontractor selection and assessment processes** — Due diligence on ICT TPP subcontractor selection and assessment processes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Provider capacity to identify all relevant subcontractors and provide information** — Provider capacity to identify all relevant subcontractors and provide information is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Contractual conditions allow the financial entity to comply with DORA** — Contractual conditions allow the financial entity to comply with DORA is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Same access and inspection rights through the chain** — Same access and inspection rights through the chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Contract identifies C/I ICT services or material parts eligible for subcontracting** — Contract identifies C/I ICT services or material parts eligible for subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Direct ICT TPP remains responsible despite subcontracting** — Direct ICT TPP remains responsible despite subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Ongoing monitoring and reporting of subcontracted C/I services** — Ongoing monitoring and reporting of subcontracted C/I services is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Location, data-processing and data-storage risk assessment through chain** — Location, data-processing and data-storage risk assessment through chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Advance notification of intended material subcontracting changes** — Advance notification of intended material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Buyer assessment, objection and modification right for material subcontracting changes** — Buyer assessment, objection and modification right for material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
- **Termination right for unauthorised or objected subcontracting changes** — Termination right for unauthorised or objected subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.

### Vendors and products (13)

- **ServiceNow** — https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html — ServiceNow is represented as the producer of a vendor-owned DORA support product.
  - ServiceNow Digital resilience third-party registers (https://docs.servicenow.com/bundle/yokohama-governance-risk-compliance/page/product/grc-digital-operational-resilience/concept/digital-resilience-third-party-registers.html): ServiceNow Digital resilience third-party registers is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.
- **ProcessUnity** — https://www.processunity.com/dora-compliance-software/ — ProcessUnity is represented as the producer of a vendor-owned DORA support product.
  - ProcessUnity DORA compliance software (https://www.processunity.com/dora-compliance-software/): ProcessUnity DORA compliance software is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.
- **DocuSign** — https://www.docusign.com/en-gb/solutions/industries/financial-services/dora — DocuSign is represented as the producer of a vendor-owned DORA support product.
  - DocuSign CLM / IAM for DORA agreement monitoring (https://www.docusign.com/en-gb/solutions/industries/financial-services/dora): DocuSign CLM / IAM for DORA agreement monitoring is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.
- **DAPR sp. z o.o.** — https://doraregister.io/ — DAPR sp. z o.o. is represented as the producer of a vendor-owned DORA support product.
  - DORA Register of Information solution (https://doraregister.io/): DORA Register of Information solution is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.
- **Finray Technologies Ltd** — https://finray.tech/ — Finray Technologies Ltd is the publisher of Ordinis, included here only to satisfy product provenance for the recused Ordinis node.
  - Ordinis (recused) (https://ordinis.io/): Ordinis is a Finray Technologies Ltd compliance-operations product included as a recused vendor-universe entry.
- **KPMG (EU member firms)** — https://kpmg.com/xx/en/our-insights/regulatory-insights-financial-services/dora-digital-operational-resilience-act.html — KPMG (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **EY (EU member firms)** — https://www.ey.com/en_gl/financial-services/dora-digital-operational-resilience-act — EY (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **Deloitte (EU member firms)** — https://www2.deloitte.com/global/en/pages/risk/articles/dora-digital-operational-resilience-act.html — Deloitte (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **PwC (EU member firms)** — https://www.pwc.com/gx/en/issues/cybersecurity/digital-operational-resilience-act.html — PwC (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **BDO (EU member firms)** — https://www.bdo.com/insights/regulatory/dora-digital-operational-resilience-act — BDO (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **Grant Thornton (EU member firms)** — https://www.grantthornton.global/en/insights/articles/digital-operational-resilience-act-dora/ — Grant Thornton (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **Forvis Mazars (EU member firms)** — https://www.forvismazars.com/group/en/services/financial-advisory/regulatory-compliance/dora — Forvis Mazars (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
- **RSM Global** — https://www.rsm.global/insights/digital-operational-resilience-act-dora — RSM Global is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.

### Institution classes / Pre-MiCA archetypes (1)

- **DORA Article 31(9) CTPP designation** — Status class for first-batch critical ICT third-party providers designated under DORA Article 31(9).

### Jurisdictions (1)

- **European Union / European Economic Area** (EU/EEA, 19 entities) — Jurisdiction perimeter for DORA Article 28 RTS/ITS and ESA Article 31(9) CTPP designation.

### Licensed entities (19 total)

Status / scope / source-register URL columns are inferences from observable register fields where not directly exposed by the source register; see the editorial methodology page for the inference rules.

#### European Union / European Economic Area (19)

- **Accenture plc** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Amazon Web Services EMEA Sarl** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Bloomberg L.P.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Capgemini SE** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Colt Technology Services** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Deutsche Telekom AG** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Equinix (EMEA) B.V.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Fidelity National Information Services, Inc.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Google Cloud EMEA Limited** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **International Business Machines Corporation** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **InterXion HeadQuarters B.V.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Kyndryl Inc.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **LSEG Data and Risk Limited** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Microsoft Ireland Operations Limited** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **NTT DATA Inc.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Oracle Nederland B.V.** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Orange SA** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **SAP SE** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
- **Tata Consultancy Services Limited** — DORA Article 31(9) CTPP designation; scope: CTPP-designated; https://www.eba.europa.eu/sites/default/files/2025-11/List%20of%20CTPPs%20published%20on%20the%20ESAs%20websites.pdf
