DORA Article 28 requires documented ICT third-party risk assessments with ongoing monitoring and a complete audit trail. FiorLab generates the exact evidence your national competent authority demands — in minutes, not months.
No credit card · Live in 5 minutes · We score your first 20 suppliers free
Trusted by regulated companies across the EU for DORA, CBI, and GxP compliance
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered into force on 17 January 2025. Article 28 sets mandatory obligations for managing ICT third-party risk. Here is what your regulator expects.
You must maintain an up-to-date, structured register of every ICT third-party service provider, including the nature of services, contract dates, and criticality classification. This register must be available to your national competent authority on request. A spreadsheet with inconsistent fields will not pass inspection.
Before entering into any ICT outsourcing arrangement, you must perform a documented risk assessment covering the provider's financial stability, operational resilience, compliance posture, and concentration risk. This assessment must be evidenced, not assumed. The regulator will ask for the methodology, the data sources, and the scoring rationale.
DORA requires continuous monitoring of ICT third-party providers, not annual reviews. You must track changes in financial health, compliance status, and operational performance throughout the contract lifecycle. Exit strategies and substitution plans must be documented and tested for critical providers.
Every risk assessment, scoring decision, document upload, and status change must be logged in an immutable, timestamped audit trail. When the CBI, BaFin, AFM, or AMF requests evidence of your ICT third-party risk management process, you must produce it — with full provenance — within the timeframe they specify. Typically 48 hours. Often less.
Non-compliance penalties: up to €10,000,000 or 2% of total annual worldwide turnover, whichever is higher.
National competent authorities (CBI, BaFin, AFM, AMF, FMA, and others) have the power to impose administrative fines, issue public reprimands, require remediation within fixed deadlines, and restrict or withdraw authorisation. Enforcement is not theoretical — inspections are underway across the EU.
FiorLab was purpose-built for regulated industries. Every feature exists because a specific regulatory requirement demands it.
| DORA Requirement | FiorLab Capability | Evidence Produced |
|---|---|---|
| ICT provider register (Art. 28(1)(a)) | Structured supplier registry with company details, service classification, contract metadata, and criticality tags. CSV import for bulk onboarding. Verified against CRO Ireland, Companies House, Handelsregister, VIES, and GLEIF. | ✓ Exportable register ✓ Registry verification timestamps ✓ Provider classification |
| Pre-contractual risk assessment (Art. 28(2)-(4)) | 6-dimension scoring engine: financial health (Altman Z-Score, Piotroski F-Score, debt-to-equity), compliance, sustainability, delivery, quality, and innovation. Sub-metric evidence chain for every score. Assessment-type weights for CBI/EU, GxP, and Hybrid frameworks. | ✓ Scored assessment report (PDF) ✓ Per-dimension breakdown ✓ Scoring methodology reference |
| Ongoing monitoring (Art. 28(5)-(7)) | Daily registry re-check cron (30-day cadence). Document staleness decay across 5 tiers (fresh, aging, stale, very stale, expired). Anomaly detection pipeline with 6 alert types and 3 severity levels. Financial early warning via real-time indicator tracking. | ✓ Monitoring alerts log ✓ Score change history ✓ Staleness reports |
| Verification and cross-referencing (Art. 28(3), RTS) | 5-tier graduated verification: registry_verified, verified, partially_verified, unverified, self_declared. Cross-reference integrity checks (OCR name vs. registry name, status matching). Verification multiplier applied to raw scores. | ✓ Trust tier classification ✓ Verification source attribution ✓ Cross-reference audit log |
| Immutable audit trail (Art. 28(8), Art. 15) | Every action — assessment creation, score change, document upload, status update, user decision — recorded with timestamp, user identity, and before/after state. Tamper-resistant by design. Full-text search across audit history. | ✓ Complete audit trail export ✓ Per-action evidence chain ✓ Regulatory inspection report |
| Concentration risk awareness (Art. 28(1)(b), Art. 29) | Portfolio-level risk dashboard showing supplier distribution across risk tiers, industries, and geographies. Compliance gap identification with severity classification. RFP and contract lifecycle tracking per supplier. | ✓ Portfolio risk overview ✓ Risk distribution analysis ✓ Gap remediation tracking |
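The audit-trail row above lists what each record must carry (timestamp, user identity, before/after state) and says the log is tamper-resistant. As an added illustration, not FiorLab's code and not a description of how FiorLab implements it, the following shows one common way to make an append-only audit log tamper-evident: every entry is hashed together with the hash of the previous entry, so a retroactive edit to any stored row is detected on re-verification. The actor names, the SUP-0001 identifier and the timestamps are constructed sample values.

```python
import dataclasses, hashlib, json
GENESIS = "0" * 64  # prev_hash of the very first entry

@dataclasses.dataclass(frozen=True)
class AuditEntry:
    seq: int
    timestamp: str    # ISO 8601, UTC
    actor: str        # authenticated user identity
    action: str       # e.g. "score_change", "document_upload", "status_update"
    subject: str      # supplier id (constructed format)
    before: dict      # state before the action
    after: dict       # state after the action
    prev_hash: str    # entry_hash of the predecessor
    entry_hash: str   # SHA-256 over every field above

def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    return hashlib.sha256(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def record(trail: list, timestamp: str, actor: str, action: str,
           subject: str, before: dict, after: dict) -> None:
    """Append an entry that commits to the hash of the previous one."""
    prev = trail[-1].entry_hash if trail else GENESIS
    fields = dict(seq=len(trail) + 1, timestamp=timestamp, actor=actor, action=action,
                  subject=subject, before=before, after=after, prev_hash=prev)
    trail.append(AuditEntry(**fields, entry_hash=_digest(fields)))

def verify(trail: list) -> tuple:
    """Recompute each hash and re-walk the chain; return (ok, first_bad_seq)."""
    prev = GENESIS
    for e in trail:
        fields = dataclasses.asdict(e)
        fields.pop("entry_hash")
        if e.prev_hash != prev or _digest(fields) != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    return True, None

def build_sample_trail() -> list:
    """Constructed sample: a supplier is scored down, then the decision is approved."""
    trail = []
    record(trail, "2025-03-02T10:15:00+00:00", "analyst@example.test", "score_change",
           "SUP-0001", {"financial_health": 61}, {"financial_health": 48})
    record(trail, "2025-03-03T16:40:00+00:00", "reviewer@example.test", "status_update",
           "SUP-0001", {"status": "draft"}, {"status": "approved"})
    return trail

def edit_stored_record(trail: list, seq: int, new_after: dict) -> None:
    # Simulate a retroactive edit of a stored row without re-hashing it.
    trail[seq - 1] = dataclasses.replace(trail[seq - 1], after=new_after)
```

A hash chain alone only exposes edits made without re-hashing; to also catch a rewritten tail, the latest entry_hash has to be anchored somewhere the application itself cannot alter, such as WORM storage or a periodically published digest.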
DORA applies to over 22,000 financial entities and ICT third-party providers across the EU. If your organisation holds a financial services licence and relies on external ICT providers, this is for you.
DORA applies to all credit institutions licensed under the CRD. Whether you are regulated by the CBI, BaFin, DNB, or ACPR, your ICT third-party risk register must meet Article 28 standards. FiorLab generates the evidence these supervisors require.
Solvency II entities are now also subject to DORA. Insurers relying on third-party claims platforms, underwriting engines, or data analytics providers must document their ICT risk assessments with the same rigour as banks. FiorLab provides the structured framework.
PSD2 and EMD2-licensed firms fall squarely within DORA scope. If you process payments, issue e-money, or operate payment infrastructure, your ICT third-party risk management must be auditable. FiorLab automates the assessment and monitoring cycle.
MiFID II investment firms and AIFMD/UCITS fund managers are in scope. Portfolio management systems, trading platforms, and risk analytics providers must all be assessed under DORA. FiorLab scores them across six dimensions with full evidence chains.
FiorLab serves regulated entities across Ireland, Germany, the Netherlands, France, Austria, and the broader EU. Registry verification covers CRO Ireland, UK Companies House, German Handelsregister, VIES, and GLEIF. One platform, every jurisdiction.
DORA compliance is not an IT project alone. It requires procurement, compliance, and risk teams to work from the same data. FiorLab provides a single source of truth that all three functions can rely on — with role-based access and an immutable audit trail.
Every month without a structured ICT third-party risk register is a month you are exposed to regulatory action. FiorLab starts at €0 for your first 5 suppliers. The question is not cost — it is whether you can produce evidence when the regulator asks.
DORA Article 28 requires financial entities to maintain a documented register of all ICT third-party service providers, conduct risk assessments before entering outsourcing arrangements, implement ongoing monitoring with defined risk indicators, and maintain a complete audit trail of all third-party risk decisions. National competent authorities — including the CBI, BaFin, AFM, and AMF — can request this documentation at any time. Fines for non-compliance reach up to €10 million or 2% of global annual turnover.
FiorLab automates DORA Article 28 compliance by providing 6-dimension supplier risk scoring (financial health, compliance, sustainability, delivery, quality, and innovation), automated registry verification against CRO Ireland, UK Companies House, German Handelsregister, VIES, and GLEIF, document verification with staleness tracking, and an immutable audit trail that records every assessment, score change, and decision. Select the CBI/EU assessment type and FiorLab generates the exact evidence your regulator requires — exportable as audit-ready PDF reports.
DORA is enforced by national competent authorities across all 27 EU member states. Key regulators include the Central Bank of Ireland (CBI), BaFin in Germany, the AFM (Autoriteit Financiële Markten) in the Netherlands, the AMF (Autorité des Marchés Financiers) in France, and the FMA in Austria. FiorLab's assessment framework is designed to meet the requirements of all EU national competent authorities, as DORA sets a harmonised standard across jurisdictions. The European Supervisory Authorities (EBA, EIOPA, ESMA) provide Regulatory Technical Standards that FiorLab incorporates.
Yes. A spreadsheet cannot provide the automated scoring, registry verification, document staleness tracking, or immutable audit trail that DORA demands. FiorLab replaces manual supplier risk registers with a structured, auditable system that scores suppliers across six dimensions, verifies data against live government registries, tracks document freshness with a 5-tier decay model, and generates PDF assessment reports on demand. Registration takes under 5 minutes, CSV import is supported, and your first 20 suppliers are scored free.
DORA applies to all regulated financial entities in the EU: banks and credit institutions (CRD), insurance and reinsurance undertakings (Solvency II), investment firms (MiFID II), payment institutions (PSD2), e-money institutions (EMD2), fund managers (AIFMD/UCITS), crypto-asset service providers (MiCA), central securities depositories, trading venues, and credit rating agencies. Additionally, critical ICT third-party providers designated by the ESAs are directly subject to the oversight framework. If your organisation holds any EU financial services licence and uses external ICT providers, DORA Article 28 applies to you.
Most procurement teams are generating their first DORA-ready supplier assessments within 24 hours of registration. The process: register (2 minutes), import your supplier list via CSV or manual entry (5 minutes), select the CBI/EU assessment type, and run assessments. FiorLab automatically scores each supplier across all six dimensions, verifies company data against government registries, applies document staleness decay, and generates audit-ready PDF reports. No IT integration, onboarding calls, or implementation project required. Your first 20 suppliers are scored free.
DORA enforcement is live across every EU member state. The CBI, BaFin, AFM, and AMF are conducting readiness inspections. Every week without a structured ICT third-party risk register is a week your organisation is exposed to regulatory action.