DORA Art. 28 and Third-Party Risk: What banks must ask their IT service providers now
Since 17 January 2025, the Digital Operational Resilience Act (DORA) has been fully applicable in the EU. Article 28 obliges financial institutions to carry out comprehensive third-party risk management for ICT service providers. For banks, insurers, asset managers and payment institutions, that means systematically scrutinizing every critical IT vendor — including personnel security. This guide shows the seven questions that are now standard.
What DORA Art. 28 requires
Article 28 of DORA (Regulation 2022/2554) governs the “general framework” for third-party ICT service providers. Core points:
Pre-contractual due diligence — risk assessment before contract conclusion
Register of Information (RoI) — central register of all third-party ICT service providers at entity, sub-group and group level
Ongoing monitoring — continuous oversight of critical service providers
Exit strategies — documented exit paths for every outsourcing arrangement
A distinction is made between “ordinary” functions and “critical or important functions” (CIF). CIFs are subject to significantly stricter requirements, from the depth of due diligence to audit rights.
What the Register of Information (RoI) must contain
The RoI is not a simple contract index. It must document the following for each service provider:
Identity and legal form of the service provider
Type of ICT services and supported business processes
Classification: CIF or non-CIF
Sub-outsourcing chain (fourth-party, fifth-party)
Location of data processing
Access to personal data and business data
Personnel security of the service provider’s employees
This register is submitted annually to the supervisory authorities (FINMA for cross-border services, BaFin, FMA).
Seven questions banks should now ask ICT service providers
1. Which services fall under CIF?
Every service is classified. A core banking cloud platform is almost always a CIF; marketing email delivery is usually non-CIF. The service provider must provide a service map with a risk classification for each service.
2. What does the sub-outsourcing chain look like?
Art. 28 requires transparency throughout the entire chain. The service provider must list all further sub-service providers and document their role — including their data protection and security standards.
3. Where are the servers located?
EU localization is not a DORA mandatory criterion, but it is essential for GDPR compliance. Service providers processing data in the US, UK or Asia must demonstrate Schrems II safeguards (SCCs, TIA, and, where applicable, supplementary measures).
4. Which certifications and audits?
ISO 27001, SOC 2 Type II, CSA STAR, TISAX, BSI C5 — depending on scope. For CIF service providers, continuous audit rights are required (Art. 30 DORA).
5. What does incident management look like?
DORA requires a reporting deadline of 72 hours for “major incidents” in Art. 17. The service provider must support your reporting deadline: in other words, it must escalate to you faster than 72 hours so that you can file your own report in time.
6. How is personnel security handled?
This is where background checks come in. Art. 28 para. 2 lit. e of DORA requires “robust internal governance and controls" at third-party ICT service providers. In practice, that means pre-employment screening, sanctions list checks and ongoing monitoring for employees with access to critical systems.
7. What is the exit strategy?
Every CIF contract needs a documented exit strategy: data repatriation, transitional services, knowledge transfer. DORA supervisors check this on a sample basis.
Personnel security in practice
Art. 28 DORA does not explicitly mention “personnel security”, but the implementing Technical Standards of the EBA (RTS on outsourcing arrangements) and ESMA (Guidelines on outsourcing to cloud service providers) do. In practice, banks now require the following from every CIF service provider:
Background checks for employees with privileged access rights
Ongoing sanctions list monitoring for employees in key roles
Confidentiality agreements with documented compliance training
PEP screening for the service provider’s compliance officer and data protection officer
Any ICT service provider serving financial institutions must be able to provide this documentation proactively. If it cannot, it loses deals.
What applies in Switzerland?
Switzerland has not adopted DORA. For institutions supervised by FINMA, the FINMA Circular 2018/3 “Outsourcing” applies in conjunction with banking and insurance supervisory law. The requirements are aligned with DORA, particularly with regard to access security, incident reporting and personnel security. Swiss banks that source ICT services from EU providers must still observe DORA requirements, because EU providers will implement them anyway.
What applies in Austria?
DORA applies directly. The FMA is the supervisory authority together with the OeNB. In addition, FMA minimum standards on outsourcing risk management apply.
Indicium for DORA compliance
Indicium supports banks in two roles:
As a tool for ICT service provider assessment: Banks use Indicium to automate background checks for critical service provider employees — including ongoing sanctions and PEP monitoring
As a DORA-compliant service provider itself: On request, Indicium provides complete DORA documentation (exit strategy, sub-outsourcing chain, personnel security, EU server localization). All compliance documents are in the Trust Center.
Conclusion
DORA Art. 28 turns third-party assessment into an ongoing task. Banks need structured processes — from the RoI to due diligence and ongoing monitoring. For ICT service providers, the rule is simple: if you are DORA-ready, you win. If not, you lose banking customers.
Talk to us about your DORA implementation in third-party risk management.
Nabil El Berr