EU-DORA-28-09
Reporting
28 — General principles
Report yearly on new ICT service arrangements
Description
Full Analysis & Evidence Requirements
Sign in to view the full obligation text, AI-generated applicability analysis, evidence checklists, and compliance mapping.
Sign In to ViewRelated Obligations
EU-DORA-28-01
Risk Management
Manage ICT third-party risk as integral component of ICT risk management
EU-DORA-28-02
Requirement
Remain fully responsible for compliance despite third-party arrangements
EU-DORA-28-03
Risk Management
Implement ICT third-party risk management proportionally
EU-DORA-28-04
Requirement
Adopt and regularly review ICT third-party risk strategy
EU-DORA-28-05
Documentation
Include policy on critical/important ICT services in third-party risk strategy
EU-DORA-28-06
Monitoring
Management body regular risk review for critical/important functions
EU-DORA-28-07
Documentation
Maintain and update register of ICT service contractual arrangements
EU-DORA-28-08
Documentation
Appropriately document contractual arrangements with distinction
EU-DORA-28-10
Transparency
Make register available to competent authority upon request
EU-DORA-28-11
Transparency
Inform competent authority of planned critical/important arrangements
Map this obligation to your AI systems
ReguLume automatically maps regulatory obligations to your system inventory, identifies compliance gaps, and generates remediation plans.
Get Started