Skip to main content
DORA Auditor

Article 28: General principles for sound management of ICT third-party risk

Last updated: 1 authoritative sourceDORA Auditor Editorial Team

Article 28 sets the general principles for managing ICT third-party risk, requiring entities to manage it as an integral part of the ICT risk framework and to maintain a register of information on all contractual arrangements for the use of ICT services.

Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk

Key points

  • ICT third-party risk managed within the ICT risk framework
  • Mandates the register of information on ICT arrangements
  • Register reportable to competent authorities

How this fits DORA

Article 28 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.

Read the official text

This is an editorial summary. Read the binding text of Article 28 in the consolidated regulation on EUR-Lex.

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex