DORA Art. 28 Implementation: The 7-Step Checklist for Banks
Since 17 January 2025, the Digital Operational Resilience Act (DORA) has been directly applicable Union law. For banks, investment firms, payment institutions, e-money institutions, and other financial undertakings within the meaning of Art. 2 DORA, this means that dealing with third-party ICT providers is no longer an operational outsourcing issue, but a prudentially regulated mandatory program with reporting obligations, register maintenance, and binding contractual requirements. In practice, the gap between formal acknowledgment and actual compliance depth is still significant at most institutions — especially at mid-sized banks that have so far worked with a pragmatic MaRisk outsourcing register.
This article builds on the previously published introductory piece on Art. 28 DORA and provides a concrete, audit-ready implementation checklist in seven steps. Each step includes a link to the relevant articles of Regulation (EU) 2022/2554, the associated Regulatory Technical Standards (RTS), and — particularly relevant for DACH firms — the national and European counterparts.
Starting point: Why Art. 28 DORA raises the bar
The previous outsourcing framework under Section 25b KWG and MaRisk AT 9 was primarily risk-based and left institutions with room for judgment when classifying materiality, drafting contracts, and planning exits. Art. 28 DORA largely replaces this flexibility with prescriptive requirements: there is a uniform Register of Information (RoI), an obligation to distinguish between functions that are "critical or important" and those that are not (Art. 3 No. 22 DORA), and a minimum catalogue of contractual terms in Art. 30 DORA.
The Federal Financial Supervisory Authority (BaFin) clarified in its December 2024 circular on DORA implementation that legacy contracts which do not meet the requirements of Art. 30 DORA must be adjusted by the next regular contract renewal cycle at the latest, and in any event effective by the time of the audit. Anyone hoping for a transition period will be disappointed.
The 7-Step Checklist
Step 1: Build the Register of Information (RoI)
Under Art. 28(3) DORA, the RoI is mandatory and must be submitted to the competent national authority — in Germany, the BaFin; in Austria, the FMA; in Switzerland, the FINMA under its own regime — upon request and at regular intervals. The European Supervisory Authorities (ESAs), through Implementing Regulation (EU) 2024/2956 of 29 November 2024, published a standardized ITS reporting template with 15 forms.
Complete capture of all third-party ICT providers: Not only cloud providers, but also SaaS tools, managed security providers, outsourcing partners in back-office functions, and — often overlooked — subcontractors at the fourth and fifth tier.
Minimum fields per entry: provider LEI, service description, CIF classification, contract term, data categories, geographical data processing, subcontractor chain.
Reporting frequency to BaFin: Annually by 30 April of the following year, first on a regular basis in 2025 for the 2024 reporting year.
Practical tip: If you keep the RoI in an Excel spreadsheet, you will hit limits by the third audit at the latest. The ITS data model requirements are relational and require referential integrity between entities, contracts, and functions.
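A consistency check of the kind the ITS data model demands, as an added example and not the ITS template or any supervisor's tooling: the record layout, field names and sample extract are constructed for illustration, and the LEI check implements the ISO 17442 check digits (ISO 7064 MOD 97-10).

```python
"""Referential-integrity checks for a DORA Register of Information (RoI) extract.

Added example; field names are constructed, not the official ITS columns.
The three record groups mirror the article's entities, contracts and functions.
"""
import re

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")

def lei_is_valid(lei: str) -> bool:
    """ISO 17442 LEI: 20 chars whose check digits satisfy ISO 7064 MOD 97-10."""
    if not LEI_RE.match(lei):
        return False
    # Letters A..Z become 10..35; the resulting number must be congruent to 1 mod 97.
    digits = "".join(str(int(ch, 36)) for ch in lei)
    return int(digits) % 97 == 1

def check_register(providers, contracts, functions):
    """Return a list of findings; an empty list means the extract is consistent."""
    findings = []
    provider_ids = {p["id"] for p in providers}
    contract_ids = {c["id"] for c in contracts}
    for p in providers:
        if not lei_is_valid(p["lei"]):
            findings.append(f"provider {p['id']}: invalid LEI {p['lei']}")
        for sub in p.get("subcontractors", []):
            if sub not in provider_ids:  # the sub-outsourcing chain must resolve
                findings.append(f"provider {p['id']}: subcontractor {sub} not registered")
    for c in contracts:
        if c["provider"] not in provider_ids:
            findings.append(f"contract {c['id']}: unknown provider {c['provider']}")
    for f in functions:
        if f["contract"] not in contract_ids:
            findings.append(f"function {f['id']}: unknown contract {f['contract']}")
        if f["cif"] and not f.get("cif_rationale"):  # Step 2: case-by-case decision
            findings.append(f"function {f['id']}: CIF without documented decision")
    return findings

# Constructed sample extract: P1's LEI was generated for this example, P2's is corrupted.
SAMPLE_PROVIDERS = [
    {"id": "P1", "lei": "529900TESTPROVIDER26", "subcontractors": ["P2", "P9"]},
    {"id": "P2", "lei": "529900TESTPROVIDER27", "subcontractors": []},
]
SAMPLE_CONTRACTS = [{"id": "C1", "provider": "P1"}, {"id": "C2", "provider": "P7"}]
SAMPLE_FUNCTIONS = [
    {"id": "F1", "contract": "C1", "cif": True, "cif_rationale": "core banking ledger"},
    {"id": "F2", "contract": "C3", "cif": False},
    {"id": "F3", "contract": "C1", "cif": True},
]
```

Running `check_register(SAMPLE_PROVIDERS, SAMPLE_CONTRACTS, SAMPLE_FUNCTIONS)` on the constructed extract returns five findings (an unregistered subcontractor, a bad LEI, a dangling provider reference, a dangling contract reference and an undocumented CIF decision), which is exactly the class of defect a flat spreadsheet lets through.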
Step 2: CIF Classification (Critical or Important Functions)
Classifying a function as "critical or important" triggers the strictest substantive obligations: enhanced due diligence, expanded contractual content under Art. 30(3) DORA, ongoing risk monitoring, and — where a third-party provider has been designated as "critical" (CTPP) — direct supervision by the ESAs.
Use the definition in Art. 3 No. 22 DORA: a function is critical or important if its disruption would materially impair the institution’s financial performance, regulatory compliance, or continuity of financial services.
Create a criteria catalogue: market impact, provider substitutability, data sensitivity, regulatory embeddedness.
Documented case-by-case decision for each contract — no blanket classification.
Review cycle at least annually and on an ad hoc basis (new subcontractor, service expansion, incident).
Step 3: Pre-Contractual Due Diligence
Art. 28(4) DORA requires risk-appropriate due diligence before entering into the contract. For CIF services, the ESAs' RTS (finalized in July 2024) require a significantly expanded review catalogue.
Reputation and integrity check: background screening of the provider’s managing persons and key function holders. Here, the requirements interact with Section 25c KWG (reliability and professional suitability) — thorough background checks, especially for labor-intensive managed service providers, are not a nice-to-have, but a prudential obligation.
Financial soundness: at least three annual financial statements, a credit report, and, where applicable, a rating.
Operational and technical capacity: ISO 27001, SOC 2 Type II, penetration test reports, business continuity evidence.
Concentration risk: market overview, single point of failure analysis, geographic concentration risks.
Sub-outsourcing chain: full disclosure, not just of direct subcontractors.
A HireRight survey from 2017 found that around 85% of employers discovered material discrepancies in at least one screened résumé — a data point that underscores why DORA does not rely on self-disclosure at this point, but on documented verification.
Step 4: Minimum Contract Requirements (Art. 30 DORA)
Art. 30 DORA contains an exhaustive catalogue of contractual terms. For non-CIF contracts, the basic catalogue in paragraph 2 applies; for CIF contracts, the expanded catalogue in paragraph 3 is added.
| Contract component | Non-CIF (Art. 30(2)) | CIF (Art. 30(3)) |
|---|---|---|
| Description of services and scope | Required | Required, expanded |
| Locations of data processing | Required | Required, subject to change |
| Data protection and confidentiality clauses | Required | Required |
| SLAs with quantified KPIs | Recommended | Required |
| Audit and information rights (including on-site) | Basic rights | Expanded rights, including for supervisors |
| Cooperation with the supervisory authority | Required | Required, explicitly |
| Termination rights and exit support | Required | Required, with documented migration support |
| Participation in threat-led penetration testing | – | Required |
A particular pitfall: many standard contracts from US cloud providers contain clauses that limit audit rights to third-party auditors or make locations of data processing subject to change. Such clauses are not compatible with Art. 30(3)(e) and (i) DORA.
Step 5: Ongoing Monitoring
Art. 28(1)(c) DORA requires "ongoing monitoring" throughout the entire term of the contract. In practice, this means an operational annual cycle with clearly assigned first-, second-, and third-line responsibilities.
First line (business owner): SLA tracking, operational incident handling, quarterly business reviews with the provider.
Second line (risk and compliance): risk assessment, concentration analysis, due diligence updates, contract reviews.
Third line (internal audit): annual audit of the entire outsourcing process with sample testing at individual contract level.
Reporting to the management board: quarterly for CIF contracts, semi-annually in aggregate for the overall portfolio.
Step 6: Incident Reporting Process
Art. 19 DORA introduces a four-stage reporting system for major ICT incidents. The deadlines are tight and non-negotiable: the Initial Notification must be reported to the competent authority within 4 hours of classification as a "major incident." The Intermediate Report follows within 72 hours, and the Final Report within one month.
Implement classification criteria under Art. 18 DORA: number of affected customers, duration, geographical reach, reputational damage, financial loss.
Reporting chain playbook with named responsible persons and 24/7 availability.
Contractual obligation for the third-party provider to report incidents within a defined timeframe (in practice, 1 hour after discovery) — otherwise the institution cannot structurally meet its own 4-hour deadline.
Template-based reporting via the ESAs portals, which have been live since mid-2025.
Step 7: Document the Exit Strategy
Art. 28(8) DORA requires CIF contracts to include a documented exit strategy that can be implemented regardless of the provider’s willingness to cooperate. The institution must be able to demonstrate that it can either take over the critical or important function internally or migrate it to an alternative provider within a defined period.
Scenario analysis: insolvency, termination for cause, regulatory intervention, cyber incident at the provider.
Alternative providers identified: at least one, ideally two, with documented onboarding effort.
Data portability: contractually secured return in market-standard formats, no proprietary lock-in.
Test run: at least every two years, a tabletop exercise or partial migration to validate the exit plan.
Legal counterparts in CH, AT, and across the EU
Switzerland
Switzerland is not within DORA’s scope, but it follows a structurally similar approach with the FINMA Circular 2018/3 "Outsourcing — Banks and Insurers". Since the 2023 revision, the requirements for contractual content, inventory management, and risk control have been substantially aligned with international standards. The basis remains Art. 3 BankA (licensing requirements for banks, especially assurance of proper business conduct) and the Banking Ordinance (BankV). In March 2025, the FINMA clarified in a supervisory communication that it expects de facto DORA equivalence for institutions with EU subsidiaries or customers, even though Circular 2018/3 has not formally been amended. For Swiss groups with an EU presence, this means: two regimes, one process.
Austria
In Austria, DORA applies directly and is supplemented by the Banking Act (BWG), in particular Section 5 BWG (licensing requirements) and Section 39 BWG (general duties of care of executive directors). With the FMA minimum standards for outsourcing management from 2024, the FMA has specified the national framework and explicitly aligned it with DORA terminology. One special point: for CIF outsourcing arrangements, the FMA requires prior notification, which in practice takes three to six weeks to process — this time buffer must be built into Austrian project plans.
Across the EU
At Union level, the RTS and ITS developed by the ESAs supplement the DORA text. Central here are the RTS under Art. 28(9) DORA (finalized in July 2024, in force from January 2025) specifying the policy framework for third-party ICT providers, and the ITS technical specifications for the RoI. The EBA-ESMA Joint Guidelines 2024 on governance overlap in substance with the CIF definition and must be observed in parallel. For institutions subject to the CRD VI, an expanded fit-and-proper assessment of outsourcing responsible persons will also apply from 2026 — further tightening the interface between outsourcing control and personnel compliance.
What supervisors actually examine
A PwC analysis from the first quarter of 2025 on the DORA readiness of European banks shows a consistent pattern in supervisory reviews: the RoI is checked for completeness and ITS compliance, CIF classification is examined for depth of documentation and consistency with MaRisk AT 9, and contract amendments are matched against the Art. 30 catalogue in sample checks. Anyone showing gaps here must expect audit findings and — in the case of CIF-relevant violations — sanctions under Art. 50 DORA of up to 1% of global annual total turnover.
The 2024 Kienbaum compliance study confirms that the bottleneck in implementation rarely sits at board level, but in the operational middle layer: in the coordination between procurement, contract management, risk, compliance, and IT. Institutions that have appointed a central DORA coordinator with effective authority are progressing measurably faster.
Conclusion and recommendation
Art. 28 DORA is not an isolated provision, but the anchor point of a highly structured regulatory system that covers every stage of the third-party lifecycle, from contract design and incident reporting to exit capability. The 7-step checklist provides a pragmatic implementation path — but it does not replace institution-specific risk analysis or close alignment with existing MaRisk, BAIT, and KWG structures.
Especially at the interface with Section 25c KWG (reliability and professional suitability of executive directors and key persons), the growing need for audit-ready, GDPR-compliant background checks becomes clear — not only for your own employees, but also for key individuals on the provider side. Indicium Technologies supports banks across the DACH region and the EU with a regulatory-aligned, audit-ready platform for background checks and fit-and-proper documentation.
Book a demo and speak with our team about how to integrate it concretely into your DORA and KWG process landscape.
Nabil El Berr