Article 28: General principles for sound management of ICT third-party risk
Last updated: 1 authoritative sourceDORA Auditor Editorial Team
Article 28 sets the general principles for managing ICT third-party risk, requiring entities to manage it as an integral part of the ICT risk framework and to maintain a register of information on all contractual arrangements for the use of ICT services.
Chapter V, Managing of ICT third-party risk · Pillar: ICT Third-Party Risk
Key points
- ICT third-party risk managed within the ICT risk framework
- Mandates the register of information on ICT arrangements
- Register reportable to competent authorities
How this fits DORA
Article 28 sits within the ICT Third-Party Risk pillar. For the full set of obligations and how they interlock, see the DORA requirements overview.
Read the official text
This is an editorial summary. Read the binding text of Article 28 in the consolidated regulation on EUR-Lex.