Framework — DORA

ICT third-party risk management

The Digital Operational Resilience Act requires financial entities to identify, monitor, and manage ICT third-party service providers. Sudory maps your vendor landscape to DORA's requirements — continuously.

Key articles

What DORA requires for ICT providers

Chapter V of DORA establishes a comprehensive framework for managing ICT third-party risk. These are the articles that matter most for vendor due diligence.

Article 28

ICT third-party risk management

Financial entities must identify, classify, and document all contractual arrangements with ICT third-party service providers. Sudory maintains this register automatically from scan data and vendor profiles.

Article 29

Preliminary assessment

Before entering into a contractual arrangement, entities must assess whether the ICT service provider meets security requirements. Sudory's vendor profiles provide due diligence data before the contract is signed.

Article 30

Key contractual provisions

Contracts must include provisions on data processing locations, sub-outsourcing, and audit rights. Sudory tracks data processing regions, subprocessor chains, and DPA availability for every vendor.

Article 31

Concentration risk

Entities must identify dependencies on critical ICT providers. Sudory's vendor directory surfaces which providers appear across your stack — and across your clients' stacks.

Terminology

DORA speaks its own language

DORA introduces specific terminology for ICT risk management. Understanding these terms is essential for compliance — and for knowing what auditors will ask for.

ICT third-party service provider

Any undertaking providing ICT services — cloud, software, data analytics, or data centre services. What most people call "SaaS vendors".

Sub-outsourcing

When an ICT provider delegates parts of its service to another provider. DORA requires entities to monitor the full chain — not just their direct provider.

Register of information

Article 28(3) mandates a register of all contractual arrangements with ICT providers. This is the DORA equivalent of a vendor register.

Critical or important functions

ICT services that support critical functions require enhanced due diligence, stricter contractual terms, and ongoing monitoring.

Concentration risk

Over-reliance on a single ICT provider or a small number of providers. DORA requires entities to assess and mitigate this at both entity and sector level.

Exit strategy

Article 28(8) requires exit plans for every ICT provider arrangement. Entities must be able to migrate away without disruption to critical functions.

How Sudory helps

From vendor directory to DORA register

Sudory's vendor database and scanning engine produce the data DORA requires. Every vendor profile, every scan result, every subprocessor chain — structured for regulatory reporting.

Register of ICT providers

Sudory's vendor directory contains 1,500+ ICT service provider profiles. Each profile tracks the data DORA's register requires — subprocessors, data processing regions, certifications, and DPA links.

Sub-outsourcing chains

Every vendor profile lists subprocessors — the full sub-outsourcing chain. See who your vendor shares data with, where it's processed, and what safeguards are in place.

Data processing locations

Filter vendors by data processing regions. Know exactly which providers process data within the EU, which use US infrastructure, and which offer data residency guarantees.

Concentration risk detection

For MSPs managing multiple clients, Sudory surfaces which ICT providers appear across client portfolios — revealing sector-wide concentration risk before regulators do.

Continuous monitoring

Sudory scans vendor security posture from the outside — DNS, TLS, headers, email authentication. When a provider's posture degrades, you know before the next audit cycle.
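The outside-in checks listed above (DNS, TLS, headers, email authentication) can be expressed as a small rule set over observed records. The following Python is an added example, not Sudory's code; the vendor names, DNS TXT records, headers and TLS version lists are constructed inputs, and the finding names and thresholds (one-year HSTS max-age, SPF "-all" as the only strict result) are assumptions for illustration.

```python
"""Evaluate a vendor's externally observable posture from constructed records.

Each check returns a finding label, or None when the control looks acceptable.
Finding names are assumed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    vendor: str
    spf_txt: Optional[str]          # TXT record at the apex domain, if any
    dmarc_txt: Optional[str]        # TXT record at _dmarc.<domain>, if any
    headers: Dict[str, str]         # response headers from the vendor's HTTPS site
    tls_versions: Set[str]          # protocol versions the server negotiated


def check_spf(record: Optional[str]) -> Optional[str]:
    """SPF is present and ends in a hard fail ('-all'); anything weaker is a finding."""
    if not record or not record.lower().startswith("v=spf1"):
        return "spf_missing"
    last_term = record.split()[-1].lower()
    if last_term == "-all":
        return None
    if last_term == "~all":
        return "spf_softfail"
    return "spf_permissive"


def check_dmarc(record: Optional[str]) -> Optional[str]:
    """DMARC is present with an enforcing policy (quarantine or reject)."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return "dmarc_missing"
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") in ("quarantine", "reject"):
        return None
    return "dmarc_policy_none"


def check_hsts(headers: Dict[str, str]) -> Optional[str]:
    """Strict-Transport-Security is present with max-age of at least one year (assumed threshold)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if not hsts:
        return "hsts_missing"
    max_age = 0
    for directive in hsts.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                max_age = 0
    return None if max_age >= 31536000 else "hsts_short_max_age"


def check_tls(versions: Set[str]) -> Optional[str]:
    """No legacy protocol versions are negotiable."""
    legacy = {"SSLv3", "TLSv1", "TLSv1.1"}
    return "tls_legacy_enabled" if versions & legacy else None


def evaluate(obs: Observation) -> List[str]:
    """Run every check and return the list of findings for one vendor."""
    results = (
        check_spf(obs.spf_txt),
        check_dmarc(obs.dmarc_txt),
        check_hsts(obs.headers),
        check_tls(obs.tls_versions),
    )
    return [finding for finding in results if finding]


# Constructed sample observations (not real vendors or real records).
SAMPLE_OBSERVATIONS = {
    "good-saas": Observation(
        vendor="good-saas",
        spf_txt="v=spf1 include:_spf.example.net -all",
        dmarc_txt="v=DMARC1; p=reject; rua=mailto:dmarc@example.net",
        headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
        tls_versions={"TLSv1.2", "TLSv1.3"},
    ),
    "legacy-vendor": Observation(
        vendor="legacy-vendor",
        spf_txt="v=spf1 ip4:192.0.2.0/24 ~all",
        dmarc_txt="v=DMARC1; p=none",
        headers={"Server": "example"},
        tls_versions={"TLSv1", "TLSv1.2"},
    ),
}

if __name__ == "__main__":
    for name, obs in SAMPLE_OBSERVATIONS.items():
        print(name, evaluate(obs))
```

Each finding is deliberately a stable label rather than free text, so that the same result can be written into an evidence ledger and compared across scan cycles when the vendor's posture changes.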

Due diligence evidence

Every scan result enters a compliance ledger as timestamped evidence. Policies enforce freshness — stale evidence triggers findings automatically.
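The two ideas in the "Concentration risk detection" and "Due diligence evidence" passages, a timestamped ledger with a freshness policy and a count of which providers recur across client portfolios, fit in one small model. The Python below is an added example, not Sudory's code; the client and vendor names, the evidence entries, the per-control freshness windows and the 50% concentration threshold are all constructed assumptions.

```python
"""Evidence ledger with freshness policy, plus portfolio-level concentration risk.

All names, dates and thresholds are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Evidence:
    client: str          # the financial entity the evidence belongs to
    vendor: str          # the ICT third-party service provider
    control: str         # which check produced the evidence, e.g. "tls", "dmarc"
    observed_at: datetime
    passed: bool


# Assumed freshness policy: how old evidence for a control may be before it is stale.
FRESHNESS = {"tls": timedelta(days=30), "dmarc": timedelta(days=90)}
DEFAULT_FRESHNESS = timedelta(days=60)


def latest_evidence(ledger: List[Evidence]) -> Dict[Tuple[str, str, str], Evidence]:
    """Keep only the newest entry per (client, vendor, control); older entries are superseded."""
    latest: Dict[Tuple[str, str, str], Evidence] = {}
    for entry in ledger:
        key = (entry.client, entry.vendor, entry.control)
        if key not in latest or entry.observed_at > latest[key].observed_at:
            latest[key] = entry
    return latest


def freshness_findings(ledger: List[Evidence], now: datetime) -> List[Tuple[str, str, str, str]]:
    """Stale evidence is a finding on its own; a failed but fresh check is a different finding."""
    findings = []
    for (client, vendor, control), entry in sorted(latest_evidence(ledger).items()):
        window = FRESHNESS.get(control, DEFAULT_FRESHNESS)
        if now - entry.observed_at > window:
            findings.append((client, vendor, control, "stale_evidence"))
        elif not entry.passed:
            findings.append((client, vendor, control, "control_failed"))
    return findings


def concentration(register: Dict[str, Set[str]], threshold: float = 0.5) -> Dict[str, float]:
    """Share of clients relying on each vendor; vendors at or above the threshold are flagged."""
    clients_per_vendor: Dict[str, Set[str]] = defaultdict(set)
    for client, vendors in register.items():
        for vendor in vendors:
            clients_per_vendor[vendor].add(client)
    total = len(register)
    return {
        vendor: len(clients) / total
        for vendor, clients in clients_per_vendor.items()
        if len(clients) / total >= threshold
    }


# Constructed sample data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LEDGER = [
    Evidence("bank-a", "cloud-x", "tls", datetime(2024, 3, 1, tzinfo=timezone.utc), False),   # superseded
    Evidence("bank-a", "cloud-x", "tls", datetime(2024, 5, 20, tzinfo=timezone.utc), True),   # fresh, passed
    Evidence("bank-a", "cloud-x", "dmarc", datetime(2024, 1, 15, tzinfo=timezone.utc), True), # 138 days old
    Evidence("bank-b", "cloud-x", "tls", datetime(2024, 5, 25, tzinfo=timezone.utc), False),  # fresh, failed
    Evidence("bank-b", "mail-y", "dmarc", datetime(2024, 4, 1, tzinfo=timezone.utc), True),   # 61 days, within 90
]
SAMPLE_REGISTER = {
    "bank-a": {"cloud-x", "mail-y"},
    "bank-b": {"cloud-x", "mail-y"},
    "bank-c": {"cloud-x", "crm-z"},
}


def run_checks():
    """Return the freshness findings and the concentrated vendors for the sample data."""
    return freshness_findings(SAMPLE_LEDGER, NOW), concentration(SAMPLE_REGISTER)


if __name__ == "__main__":
    findings, concentrated = run_checks()
    for finding in findings:
        print("finding:", finding)
    for vendor, share in sorted(concentrated.items()):
        print(f"concentration: {vendor} used by {share:.0%} of clients")
```

Keeping stale evidence and failed checks as separate finding types matters for an audit trail: a stale entry says nothing about the vendor's current posture, only that the register has not been refreshed within policy.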

For MSPs

DORA compliance across your financial clients

Financial entities need help building and maintaining their ICT provider registers. As an MSP, you can deliver DORA compliance as a managed service.

DORA register across clients

Financial entities are your clients. Sudory builds the Article 28 register for each client from their vendor usage — and shows you concentration risk across the portfolio.

Pre-contract due diligence

When a client wants to adopt a new ICT provider, pull the vendor profile from Sudory. Subprocessors, certifications, data regions — all the Article 29 assessment data in one place.

Regulatory reporting

DORA requires entities to report their ICT provider arrangements to competent authorities. Sudory's structured data makes this export straightforward.

Build your DORA register from real data

Start with the vendor directory. 1,500+ ICT service provider profiles with subprocessor chains, data processing regions, and compliance certifications — the foundation of your Article 28 register.