
DORA Article 28 RTS/ITS Pack — entity-level RoI, third-party-policy and subcontracting controls

The DORA Article 28 RTS/ITS Pack — Delegated Regulations 2024/1773 + 2025/532 and Implementing Regulation 2024/2956 — defines entity-level RoI templates, third-party-policy controls and subcontracting controls for ICT services supporting critical or important functions. The radar maps 34 RoI fields, 14 policy controls, 13 subcontracting controls and the 19 first-batch CTPPs. Ordinis recused.

Version: 1.1.0
Disclosure: Finray product recused from ranking


The DORA Article 28 RTS/ITS Pack is the entity-level rule set that tells a financial entity what must sit behind its Register of Information, its policy for ICT services supporting critical or important functions, and its subcontracting-chain controls. The pack comprises Commission Delegated Regulation (EU) 2024/1773 on ICT third-party policy, in force from 15 July 2024; Commission Delegated Regulation (EU) 2025/532 on subcontracting, in force from 22 July 2025; and Commission Implementing Regulation (EU) 2024/2956 on standard RoI templates, in force from 22 December 2024. This radar is the WHAT counterpart to the existing DORA Article 28 RoI tracker, which maps the WHERE surface of NCA submission channels and ESA forwarding.

Ordinis is recused. Finray Technologies Ltd ships Ordinis, the compliance-operations layer for ICT third-party risk and DORA-Article-28-anchored register-of-information workflow. Where Ordinis materials cover one of the controls below, the vendor evidence is captured in the graph with the standard supports edge from product to control; no ranking, scoring, league-table position or “best-of” recommendation is implied. The same disclosure applies on every Finray Intelligence radar where a Finray product evidences a control in scope; see the cluster footer on /intelligence/ for the standing recusal language.

Primary sources: https://eur-lex.europa.eu/eli/reg/2022/2554/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_impl/2024/2956/oj, accessed 2026-05-10; https://eur-lex.europa.eu/eli/reg_del/2025/532/oj, accessed 2026-05-10.

The three implementing acts

Commission Delegated Regulation (EU) 2024/1773 is the policy RTS under DORA Article 28(10). It turns the general Article 28 duty to manage ICT third-party risk into a written-policy operating model: management-body adoption, annual review, a method for deciding which ICT services support critical or important functions, named internal responsibilities, lifecycle governance, pre-contract risk assessment, due diligence, conflicts-of-interest assessment, Article 30 clause alignment, ongoing monitoring and exit planning. It is the bridge between a policy document and evidence that the contracting lifecycle actually follows the policy.

Commission Implementing Regulation (EU) 2024/2956 is the Article 28(9) ITS on standard templates for the Register of Information. It is an Implementing Regulation, not a delegated regulation, and it defines the RoI as a relational data product: entity identity, group hierarchy, contractual-arrangement references, provider identifiers, function identifiers, ICT service taxonomy, data locations, supply-chain rank, audits and exit fields. It also sets completion logic, data-quality expectations and the Annex III ICT service taxonomy.

Commission Delegated Regulation (EU) 2025/532 is the subcontracting RTS. It applies when ICT services support a critical or important function, or material parts of such a function, and asks whether subcontracting is permitted, how risk factors are assessed, whether the direct ICT third-party provider can identify and monitor relevant subcontractors, how access and inspection rights flow through the chain, how location and data-processing risks are assessed, and what notification, objection, modification and termination rights exist.

Companion Commission acts

The Article 28 RTS/ITS Pack does not stand alone. Six companion Commission instruments operate inside the same DORA Article 28–35 perimeter and the radar carries complementary-to edges to each: Commission Delegated Regulation (EU) 2024/1502 (criticality criteria for CTPP designation under DORA Article 31(6)), Commission Delegated Regulation (EU) 2024/1505 (Lead Overseer oversight fees under DORA Article 43), Commission Delegated Regulation (EU) 2024/1772 (RTS on ICT-related incident classification under DORA Article 18), Commission Delegated Regulation (EU) 2024/1774 (RTS on ICT risk management under DORA Article 15), Commission Delegated Regulation (EU) 2025/295 (RTS on oversight conduct), and Commission Delegated Regulation (EU) 2025/420 (RTS on Joint Examination Teams under DORA Article 40).

The Treaty basis matters at the legislative-act-class level. Article 290 TFEU empowers the Commission to adopt delegated acts — non-legislative acts of general application that supplement or amend non-essential elements of the legislative act. Article 291 TFEU empowers the Commission to adopt implementing acts — non-legislative acts laying down uniform conditions for implementing legally binding Union acts. In the DORA Article 28 pack, Commission Delegated Regulation (EU) 2024/1773 (third-party policy) and Commission Delegated Regulation (EU) 2025/532 (subcontracting) are Delegated Regulations under Article 290 — they supplement Article 28(10) and Article 30(5) with detailed content the legislator did not specify. Commission Implementing Regulation (EU) 2024/2956 (RoI templates) is an Implementing Regulation under Article 291 — it lays down uniform templates for implementing the Article 28(9) reporting duty. The distinction surfaces in the EUR-Lex ELI URL structure (reg_del versus reg_impl) and in the legislative-act-class field on every node in this radar.

Subcontracting RTS rejection-readoption history

Commission Delegated Regulation (EU) 2025/532 (subcontracting) did not pass on the first attempt. The ESAs delivered draft RTS to the Commission in early 2024 containing an Article 5 chain-wide monitoring requirement: financial entities would have had to monitor every link in the ICT subcontracting chain end-to-end, not just the direct provider’s monitoring of its own subcontractors. The Commission rejected the draft on the basis that chain-wide monitoring sat outside the Article 30(5) empowerment, which limits the RTS to “elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions”. The ESAs issued a revised opinion on 7 March 2025 narrowing Article 5 to the direct-provider monitoring perimeter, and the readopted instrument entered into force as Commission Delegated Regulation (EU) 2025/532 on 22 July 2025.

The operational consequence for financial entities: ongoing monitoring under Article 5 of Commission Delegated Regulation (EU) 2025/532 covers the direct ICT third-party provider’s processes for selecting, governing, supervising and terminating its own subcontractors that perform critical or important functions. It does not require the financial entity itself to monitor every subcontractor several layers down the chain. The contractual flow-through of audit, access and termination rights remains, but the monitoring perimeter at the financial-entity level is bounded.

What the RoI must contain

The RoI field layer starts with the entity table. B_01 requires the financial entity’s LEI at B_01.01.0010, its legal name, country, entity type and, where relevant, group hierarchy and total-asset data. These are not decorative fields; they are the join keys used by the entity, the group and the competent authority to reconcile who is maintaining the register and which licence perimeter the record belongs to.

B_02 then moves to the contractual arrangement. The radar treats the contractual arrangement reference number at B_02.01.0010 as the stable spine of the register, because every later service, provider, cost, date, governing-law, notice-period and data-location field depends on it. B_02 also captures whether the arrangement is standalone, overarching or associated, the annual expense or estimated cost, the identification code of the ICT third-party provider, the type of code used, the function identifier, the ICT service type and the start and end dates.

B_05 is where the RoI stops being a flat vendor list. It records the ICT service supply-chain rank at B_05.02.0050, with the direct provider at rank 1 and subcontractors ranked below it. B_05 also identifies the recipient of subcontracted ICT services. Read with the subcontracting RTS, those fields force a chain view: provider identity, recipient, role, rank and materiality need to be explainable, not merely named.

B_06 connects services to functions. The function identifier links an ICT service to the function it supports, while the criticality or importance assessment and its last-assessment date show whether the service supports a critical or important function. Recovery time objective and recovery point objective fields turn continuity assumptions into reportable data. B_07 then adds the audit and exit layer: substitutability of the ICT third-party provider, date of last audit and exit-plan existence at B_07.01.0090.
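
The join-key reading of the RoI in this section can be checked mechanically before submission. The Python below is an added example, not part of the ITS or of any Finray product: the table layout, column names and sample rows are constructed, only the four field codes in the comments come from the text above, and the recipient-rank rule is an assumption.

```python
"""Consistency checks over a Register of Information extract (added example).

Column names and sample rows are constructed; only the field codes quoted in
comments (B_01.01.0010, B_02.01.0010, B_05.02.0050, B_07.01.0090) come from the page.
"""
import string

ALNUM = string.digits + string.ascii_uppercase  # value of each char: 0..35


def mod97(value: str) -> int:
    # ISO 7064 MOD 97-10: digits stay, letters expand to two digits (A=10..Z=35).
    return int("".join(str(ALNUM.index(ch)) for ch in value)) % 97


def make_lei(prefix18: str) -> str:
    """Append check digits to an 18-character prefix (used to build sample data)."""
    return prefix18 + f"{98 - mod97(prefix18 + '00'):02d}"


def lei_is_valid(lei: str) -> bool:
    """ISO 17442 shape: 20 upper-case alphanumerics, last two numeric, MOD 97-10 == 1."""
    return (len(lei) == 20 and all(ch in ALNUM for ch in lei)
            and lei[18:].isdigit() and mod97(lei) == 1)


def validate_roi(entity, contracts, supply_chain, functions, exits):
    """Return (reference, message) findings; an empty list means the joins hold."""
    findings = []
    if not lei_is_valid(entity["lei"]):                       # B_01.01.0010
        findings.append(("entity", "LEI fails length or check-digit test"))

    refs = [c["contract_ref"] for c in contracts]             # B_02.01.0010
    known = set(refs)
    for ref in sorted(known):
        if refs.count(ref) > 1:
            findings.append((ref, "duplicate contractual arrangement reference"))

    # Every dependent table must join back to the contract-reference spine.
    tables = (("supply_chain", supply_chain), ("functions", functions), ("exits", exits))
    for name, rows in tables:
        for row in rows:
            if row["contract_ref"] not in known:
                findings.append((row["contract_ref"], f"{name} row has no matching contract"))

    # Chain view: rank 1 is the direct provider, subcontractors sit below it.
    for ref in sorted(known):
        chain = [r for r in supply_chain if r["contract_ref"] == ref]
        rank_of = {r["provider_id"]: r["rank"] for r in chain}   # rank: B_05.02.0050
        if 1 not in rank_of.values():
            findings.append((ref, "no rank-1 direct provider recorded"))
        for r in chain:
            # Assumption: a subcontractor's recipient is a provider in the same
            # chain with a numerically lower rank.
            recipient_rank = rank_of.get(r.get("recipient_id"))
            if r["rank"] > 1 and (recipient_rank is None or recipient_rank >= r["rank"]):
                findings.append((ref, f"{r['provider_id']} (rank {r['rank']}) has no "
                                      "recipient higher in the chain"))

    # Arrangements supporting a critical or important function need an exit plan.
    with_exit = {e["contract_ref"] for e in exits if e["exit_plan_exists"]}  # B_07.01.0090
    for f in functions:
        if f["critical"] and f["contract_ref"] in known and f["contract_ref"] not in with_exit:
            findings.append((f["contract_ref"],
                             f"critical function {f['function_id']} has no exit plan recorded"))
    return findings


# Constructed sample register: CA-001 is consistent, CA-002 and CA-009 are not.
SAMPLE = dict(
    entity={"lei": make_lei("CONSTRUCTED0000001")},
    contracts=[{"contract_ref": "CA-001"}, {"contract_ref": "CA-002"}],
    supply_chain=[
        {"contract_ref": "CA-001", "provider_id": "P-DIRECT", "rank": 1, "recipient_id": None},
        {"contract_ref": "CA-001", "provider_id": "P-SUB", "rank": 2, "recipient_id": "P-DIRECT"},
        {"contract_ref": "CA-002", "provider_id": "P-HOST", "rank": 2, "recipient_id": "P-GONE"},
        {"contract_ref": "CA-009", "provider_id": "P-ORPHAN", "rank": 1, "recipient_id": None},
    ],
    functions=[
        {"contract_ref": "CA-001", "function_id": "F-PAY", "critical": True},
        {"contract_ref": "CA-002", "function_id": "F-HR", "critical": True},
    ],
    exits=[{"contract_ref": "CA-001", "exit_plan_exists": True}],
)

if __name__ == "__main__":
    for ref, message in validate_roi(**SAMPLE):
        print(f"{ref}: {message}")
```

Each finding names the contractual arrangement reference it hangs from, so a broken join can be traced to one row of the register.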

Third-party policy and subcontracting controls

The policy RTS controls are lifecycle controls. Before contract signature, the entity should be able to show management-body adoption, annual policy review, a criticality methodology, named internal responsibilities and an independent review or audit plan. Pre-contract diligence then covers legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks, plus due diligence on the provider’s ability, expertise, resources and information-security standards.

At contract stage, the policy RTS looks for DORA Article 30(2) and 30(3) clause alignment. That means clause matrices, negotiated-deviation records, access and inspection rights, audit and ICT testing rights, and evidence that certificates or third-party reports are used with scope controls rather than as a substitute for direct assurance. After signature, ongoing service monitoring, incident reporting, service and security reporting, corrective-action tracking and documented exit planning become the recurring proof points.

The subcontracting RTS overlays the supply chain. It asks for risk factors before subcontracting is used; a pre-contract decision on whether subcontracting is permitted; due diligence on the direct provider’s subcontractor selection and monitoring process; capacity to identify all relevant subcontractors; contractual conditions that let the financial entity comply with DORA; same access and inspection rights through the chain; ongoing reporting; location, data-processing and data-storage assessment; advance notification of material changes; objection or modification rights; and a termination right where subcontracting is unauthorised or objected to.

First-batch CTPP designations

On 18 November 2025, the ESAs published the first DORA Article 31(9) list of critical ICT third-party providers after collecting RoI data, assessing criticality with competent authorities and notifying providers before final decisions. The list is a designation outcome, not a provider-service taxonomy and not a legal-entity identifier register. Primary source: ESA Article 31(9) CTPP designation list, accessed 2026-05-10.

The hyperscaler and enterprise-software group is Amazon web Services EMEA Sarl, Google Cloud EMEA Limited, Microsoft Ireland Operations Limited, International Business Machine Corporation, Oracle Nederland B.V. and SAP SE; the system-integrator and consulting group is Accenture plc, Capgemini SE, Kyndryl Inc., NTT DATA Inc. and Tata Consultancy Services Limited. The data and market-infrastructure group is Bloomberg L.P., LSEG Data and Risk Limited and Fidelity National Information Services, Inc.; the telecom and infrastructure group is Colt Technology Services, Deutsche Telekom AG, Equinix (EMEA) B.V., InterXion HeadQuarters B.V. and Orange SA.

The ESA list does not publish LEIs, and this radar does not infer them. The operator-lane reconciliation register at /tmp/finray-gleif/ctpp-lei-reconciliation-register.md can support a later legal-entity lookup, but no LEI is published in this v1 graph or prose.

How to read the radar

The graph separates regulators, regulations, supervisory standards, controls, vendors, products, CTPP licensed-entity nodes, a CTPP designation status class and the EU/EEA jurisdiction perimeter. Regulator nodes use round rectangles, regulation nodes use hexagons, standards use rectangles, controls use diamonds, vendors use ellipses, products use vee shapes, CTPP nodes use octagons, status classes use triangles and the jurisdiction node uses a star.

The main reading paths are regulation to control, implementing act to parent DORA article, provider designation to status class, provider designation to DORA Article 31, and product to control. Vendor-owned materials appear only as supports edges. A supports edge means the vendor or product page describes functionality relevant to a control surface; it does not mean the ESAs, the Commission or a national competent authority has endorsed that vendor, accepted a buyer’s implementation or validated the buyer’s RoI.

The control layer is deliberately atomic. RoI controls carry field accuracy, data lineage and update-cadence watch concerns. Policy controls carry policy review, management-body approval and owner-evidence watch concerns. Subcontracting controls carry onboarding diligence, chain-visibility refresh and objection-right watch concerns. That distinction keeps the radar from turning a legal pack into a generic outsourcing checklist.

Editorial conclusion

The RTS/ITS Pack makes the entity-side DORA Article 28 obligation concrete: RoI fields define what must be reported, the policy RTS defines how the contractual lifecycle is governed, and the subcontracting RTS defines how chain visibility, rights and exit must flow beyond the direct provider. No public EU/EEA enforcement decision was identified that sanctions a financial entity specifically for DORA Article 28 RoI deficiencies at this cut-off, so the graph treats evidence gaps as public-evidence status, not proof of supervisory silence. Read with the DORA Article 28 RoI tracker, this radar answers what goes into the RoI while the existing tracker answers where the RoI goes.

This radar should be read alongside /intelligence/dora-article-28-roi-tracker/ for the supervisory pathway, NCA portal status and ESA forwarding deadlines; /intelligence/amlr-amla-implementation-tracker/ for the parallel AMLR/AMLD6 implementation map; /intelligence/deployment-topology-regulatory-alignment/ for cloud-deployment-topology overlap with DORA Article 30 contractual provisions; and /intelligence/methodology/ for the source-discipline and recusal policy applied here.

Layout: cose-radar
Nodes: 130
Edges: 265
Last reviewed: 2026-05-10
Evidence cutoff: 2026-05-10
Pending outreach: 0

Reference index

The interactive forensic graph above and the tables below cover the same population. The graph is for filtered exploration; the tables index every successful CASP record, every represented jurisdiction, and every pre-MiCA archetype as plain text — for search engines, citation tools and readers who prefer linear reading.

CTPP designation classes (1)

The 1 regulatory classification observable in the success population. Each row aggregates how many of the 19 records fall into that class. Counts are exact; class boundaries follow the source register's own institution-type field where possible and are editorial inferences only where the register does not expose the classification at row level.

CTPP designation classes observed in the 19-entity first-batch CTPP designation register.
| Designation class | Description |
|---|---|
| DORA Article 31(9) CTPP designation | Status class for first-batch critical ICT third-party providers designated under DORA Article 31(9). |

Jurisdictions (1)

Home Member States represented in the success population. Volume is not a proxy for low or high standards — supervisory rigor is set by ESMA's authorisation briefing and applies irrespective of NCA. Use the count column as evidence of deal-flow gravity, not regulatory permissiveness.

Home jurisdictions with successful first-batch CTPPs authorisations, with record counts.
| Jurisdiction | Records | Description |
|---|---|---|
| European Union / European Economic Area | 19 | Jurisdiction perimeter for DORA Article 28 RTS/ITS and ESA Article 31(9) CTPP designation. |

Licensed entities (19)

Every successful record in the ESA Article 31(9) joint CTPP list at the cut-off, grouped by home jurisdiction. Listing is editorial — record naming reflects the public source register and is not a recommendation. LEIs are not stated on the ESA list and are not inferred in this register. See operator-lane reconciliation for GLEIF-derived candidates.

European Union / European Economic Area 19 records

Licensed first-batch CTPPs with European Union / European Economic Area as home jurisdiction.
| Entity | Designation class | Scope | Website |
|---|---|---|---|
| Accenture plc | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Amazon web Services EMEA Sarl | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Bloomberg L.P. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Capgemini SE | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Colt Technology Services | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Deutsche Telekom AG | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Equinix (EMEA) B.V. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Fidelity National Information Services, Inc. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Google Cloud EMEA Limited | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| International Business Machine Corporation | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| InterXion HeadQuarters B.V. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Kyndryl Inc. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| LSEG Data and Risk Limited | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Microsoft Ireland Operations Limited | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| NTT DATA Inc. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Oracle Nederland B.V. | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Orange SA | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| SAP SE | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |
| Tata Consultancy Services Limited | DORA Article 31(9) CTPP designation | CTPP-designated | eba.europa.eu |

Source: the ESA Article 31(9) joint CTPP list, cut-off 2026-05-10. The full forensic pack — first-batch CTPP register, RTS/ITS field mapping, third-party-policy control matrix and subcontracting-chain control taxonomy — is available under briefing scope; email partnership@finray.tech with the subject line "DORA CTPP designation pack".

Regulators (10)

National Competent Authorities, supervisory authorities, and pan-EU European Supervisory Authorities indexed in this radar. Each row links to the regulator's primary-source URL with the date the source was last accessed. Listing is alphabetical by jurisdiction code; inclusion is editorial, not a directive. Volume of regulators per jurisdiction reflects the local supervisory architecture (single-supervisor vs sectoral split) and is not a quality signal.

Regulators indexed in this radar with their jurisdiction and primary-source URLs.
Regulator Jurisdiction Scope Primary source
ACPR DORA portal national competent authority DORA portal ACPR DORA portal is a national competent authority portal for DORA implementation evidence. View source
BaFin DORA implementation portal national competent authority DORA portal BaFin DORA implementation portal is a national competent authority portal for DORA implementation evidence. View source
CSSF DORA pages (Luxembourg) national competent authority DORA portal CSSF DORA pages (Luxembourg) is a national competent authority portal for DORA implementation evidence. View source
ENISA EU public authority or public-source body ENISA is a public authority or public-source body used for DORA RTS/ITS evidence. View source
ESAs Joint Committee EU public authority or public-source body ESAs Joint Committee is a public authority or public-source body used for DORA RTS/ITS evidence. View source
European Banking Authority EU public authority or public-source body European Banking Authority is a public authority or public-source body used for DORA RTS/ITS evidence. View source
European Commission EU public authority or public-source body European Commission is a public authority or public-source body used for DORA RTS/ITS evidence. View source
European Insurance and Occupational Pensions Authority EU public authority or public-source body European Insurance and Occupational Pensions Authority is a public authority or public-source body used for DORA RTS/ITS evidence. View source
European Securities and Markets Authority EU public authority or public-source body European Securities and Markets Authority is a public authority or public-source body used for DORA RTS/ITS evidence. View source
MFSA DORA implementation circulars (Malta) national competent authority DORA portal MFSA DORA implementation circulars (Malta) is a national competent authority portal for DORA implementation evidence. View source

Regulatory anchors and supervisory standards

The legal instruments and supervisory standards an institution in this segment must satisfy. Each row links to the primary source — official journal page, supervisor circular, or standards body — with the date the source was last accessed.

Regulatory anchors and supervisory standards covered in this radar, with primary-source links.
Anchor Scope Primary source
Regulation (EU) 2022/2554 (DORA) Regulation Regulation (EU) 2022/2554 (DORA) is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 28 Regulation DORA Article 28 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 29 Regulation DORA Article 29 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 30 Regulation DORA Article 30 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 31 Regulation DORA Article 31 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 32 Regulation DORA Article 32 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 33 Regulation DORA Article 33 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 34 Regulation DORA Article 34 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
DORA Article 35 Regulation DORA Article 35 is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy Regulation Commission Delegated Regulation (EU) 2024/1773 — RTS on ICT third-party policy is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates Regulation Commission Implementing Regulation (EU) 2024/2956 — ITS on RoI templates is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting Regulation Commission Delegated Regulation (EU) 2025/532 — RTS on subcontracting is a regulatory anchor for the DORA Article 28 RTS/ITS Pack. View source
Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria Regulation Commission Delegated Regulation (EU) 2024/1502 — RTS on criticality criteria is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees Regulation Commission Delegated Regulation (EU) 2024/1505 — RTS on Lead Overseer oversight fees is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification Regulation Commission Delegated Regulation (EU) 2024/1772 — RTS on ICT-related incident classification is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management Regulation Commission Delegated Regulation (EU) 2024/1774 — RTS on ICT risk management is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct Regulation Commission Delegated Regulation (EU) 2025/295 — RTS on oversight conduct is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams Regulation Commission Delegated Regulation (EU) 2025/420 — RTS on Joint Examination Teams is a companion Commission act inside the DORA Article 28-35 perimeter. View source
Directive (EU) 2022/2555 (NIS2) Standard Directive (EU) 2022/2555 (NIS2) is an adjacent standard or legal framework used for control-context mapping. View source
ISO/IEC 27001 Standard ISO/IEC 27001 is an adjacent standard or legal framework used for control-context mapping. View source

Controls

The control domains those regulatory anchors require. Each control sits at the intersection of one or more regulations and one or more vendor products that implement it.

Control domains required by the regulatory anchors above.
Control What it covers
LEI of the financial entity maintaining the RoI LEI of the financial entity maintaining the RoI is an entity-level RoI field control in the DORA RTS/ITS Pack.
Name of the financial entity Name of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
Country of the financial entity Country of the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
Type of financial entity Type of financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
Hierarchy within group Hierarchy within group is an entity-level RoI field control in the DORA RTS/ITS Pack.
Value of total assets Value of total assets is an entity-level RoI field control in the DORA RTS/ITS Pack.
Contractual arrangement reference number Contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.
Type of contractual arrangement Type of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
Overarching contractual arrangement reference number Overarching contractual arrangement reference number is an entity-level RoI field control in the DORA RTS/ITS Pack.
Annual expense or estimated cost Annual expense or estimated cost is an entity-level RoI field control in the DORA RTS/ITS Pack.
Identification code of the ICT TPP signing/providing service Identification code of the ICT TPP signing/providing service is an entity-level RoI field control in the DORA RTS/ITS Pack.
Type of code used to identify ICT TPP Type of code used to identify ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
Function identifier Function identifier is an entity-level RoI field control in the DORA RTS/ITS Pack.
Type of ICT services Type of ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
Start date of contractual arrangement Start date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
End date of contractual arrangement End date of contractual arrangement is an entity-level RoI field control in the DORA RTS/ITS Pack.
Notice period for the financial entity Notice period for the financial entity is an entity-level RoI field control in the DORA RTS/ITS Pack.
Notice period for the ICT TPP Notice period for the ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
Country of governing law Country of governing law is an entity-level RoI field control in the DORA RTS/ITS Pack.
Country of ICT service provision Country of ICT service provision is an entity-level RoI field control in the DORA RTS/ITS Pack.
Storage of data Storage of data is an entity-level RoI field control in the DORA RTS/ITS Pack.
Location of data at rest Location of data at rest is an entity-level RoI field control in the DORA RTS/ITS Pack.
Location of data processing and management Location of data processing and management is an entity-level RoI field control in the DORA RTS/ITS Pack.
Data sensitivity Data sensitivity is an entity-level RoI field control in the DORA RTS/ITS Pack.
Level of reliance on ICT service Level of reliance on ICT service is an entity-level RoI field control in the DORA RTS/ITS Pack.
ICT service supply-chain rank ICT service supply-chain rank is an entity-level RoI field control in the DORA RTS/ITS Pack.
Recipient of subcontracted ICT services: Recipient of subcontracted ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
Criticality or importance assessment: Criticality or importance assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.
Date of last criticality assessment: Date of last criticality assessment is an entity-level RoI field control in the DORA RTS/ITS Pack.
Recovery time objective (RTO): Recovery time objective (RTO) is an entity-level RoI field control in the DORA RTS/ITS Pack.
Recovery point objective (RPO): Recovery point objective (RPO) is an entity-level RoI field control in the DORA RTS/ITS Pack.
Substitutability of ICT TPP: Substitutability of ICT TPP is an entity-level RoI field control in the DORA RTS/ITS Pack.
Date of last audit for ICT services: Date of last audit for ICT services is an entity-level RoI field control in the DORA RTS/ITS Pack.
Exit plan existence: Exit plan existence is an entity-level RoI field control in the DORA RTS/ITS Pack.
Management-body adoption of written policy: Management-body adoption of written policy is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Annual review and timely update cadence: Annual review and timely update cadence is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Methodology for determining ICT services supporting critical or important functions: Methodology for determining ICT services supporting critical or important functions is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Internal responsibilities and skills for approval, management, control and documentation: Internal responsibilities and skills for approval, management, control and documentation is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Independent review or audit plan: Independent review or audit plan is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Lifecycle governance for contractual arrangements: Lifecycle governance for contractual arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks: Pre-contract risk assessment, including legal, operational, ICT, reputational, confidentiality, data, availability, location and concentration risks is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Due diligence on ICT TPP ability, expertise, resources and information-security standards: Due diligence on ICT TPP ability, expertise, resources and information-security standards is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Use and limitation of audits, certifications and third-party reports: Use and limitation of audits, certifications and third-party reports is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Conflicts-of-interest assessment, including intra-group arrangements: Conflicts-of-interest assessment, including intra-group arrangements is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Contractual clauses aligned with DORA Article 30(2) and 30(3): Contractual clauses aligned with DORA Article 30(2) and 30(3) is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Access, inspection, audit and ICT testing rights: Access, inspection, audit and ICT testing rights is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Ongoing service monitoring and incident/service/security reporting: Ongoing service monitoring and incident/service/security reporting is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Documented exit plan for each C/I supporting ICT contractual arrangement: Documented exit plan for each C/I supporting ICT contractual arrangement is an entity-level third-party-policy control in the DORA RTS/ITS Pack.
Subcontracting risk factors determined before use: Subcontracting risk factors determined before use is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Pre-contract decision whether subcontracting is permitted: Pre-contract decision whether subcontracting is permitted is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Due diligence on ICT TPP subcontractor selection and assessment processes: Due diligence on ICT TPP subcontractor selection and assessment processes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Provider capacity to identify all relevant subcontractors and provide information: Provider capacity to identify all relevant subcontractors and provide information is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Contractual conditions allow the financial entity to comply with DORA: Contractual conditions allow the financial entity to comply with DORA is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Same access and inspection rights through the chain: Same access and inspection rights through the chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Contract identifies C/I ICT services or material parts eligible for subcontracting: Contract identifies C/I ICT services or material parts eligible for subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Direct ICT TPP remains responsible despite subcontracting: Direct ICT TPP remains responsible despite subcontracting is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Ongoing monitoring and reporting of subcontracted C/I services: Ongoing monitoring and reporting of subcontracted C/I services is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Location, data-processing and data-storage risk assessment through chain: Location, data-processing and data-storage risk assessment through chain is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Advance notification of intended material subcontracting changes: Advance notification of intended material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Buyer assessment, objection and modification right for material subcontracting changes: Buyer assessment, objection and modification right for material subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.
Termination right for unauthorised or objected subcontracting changes: Termination right for unauthorised or objected subcontracting changes is an entity-level subcontracting-chain control in the DORA RTS/ITS Pack.

Vendors and products

Named vendors active in this control space and the specific products each ships. Listing is alphabetical within the graph's evidence set; inclusion is editorial, not commercial, and is not a recommendation. Finray Technologies Ltd ships products in this space and is recused from any ranking — see the methodology page for the conflict-of-interest framework.

Vendors and the specific products each ships into this control space.

ServiceNow
ServiceNow is represented as the producer of a vendor-owned DORA support product.
  • ServiceNow Digital resilience third-party registers — ServiceNow Digital resilience third-party registers is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.

ProcessUnity
ProcessUnity is represented as the producer of a vendor-owned DORA support product.
  • ProcessUnity DORA compliance software — ProcessUnity DORA compliance software is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.

DocuSign
DocuSign is represented as the producer of a vendor-owned DORA support product.
  • DocuSign CLM / IAM for DORA agreement monitoring — DocuSign CLM / IAM for DORA agreement monitoring is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.

DAPR sp. z o.o.
DAPR sp. z o.o. is represented as the producer of a vendor-owned DORA support product.
  • DORA Register of Information solution — DORA Register of Information solution is vendor-owned evidence mapped only to supported DORA RTS/ITS controls.

Finray Technologies Ltd
Finray Technologies Ltd is the publisher of Ordinis, included here only to satisfy product provenance for the recused Ordinis node. Finray Technologies — recused from ranking
  • Ordinis (recused) — Ordinis is a Finray Technologies Ltd compliance-operations product included as a recused vendor-universe entry.

KPMG (EU member firms)
KPMG (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

EY (EU member firms)
EY (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

Deloitte (EU member firms)
Deloitte (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

PwC (EU member firms)
PwC (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

BDO (EU member firms)
BDO (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

Grant Thornton (EU member firms)
Grant Thornton (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

Forvis Mazars (EU member firms)
Forvis Mazars (EU member firms) is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

RSM Global
RSM Global is represented as public DORA advisory evidence for Article 28 RTS/ITS due-diligence questions.
  • No products listed

Certificate of Registration NQA · UKAS Management Systems
ISO/IEC 27001:2022 Certificate of Registration issued by NQA to Finray Technologies Ltd, certificate number 215646, valid 21 October 2025 to 21 October 2028