EU-DORA-28-25
Requirement
28 — General principles
Identify alternative solutions and develop transition plans
Description
Full Analysis & Evidence Requirements
Sign in to view the full obligation text, AI-generated applicability analysis, evidence checklists, and compliance mapping.
Sign In to ViewRelated Obligations
EU-DORA-28-01
Risk Management
Manage ICT third-party risk as integral component of ICT risk management
EU-DORA-28-02
Requirement
Remain fully responsible for compliance despite third-party arrangements
EU-DORA-28-03
Risk Management
Implement ICT third-party risk management proportionally
EU-DORA-28-04
Requirement
Adopt and regularly review ICT third-party risk strategy
EU-DORA-28-05
Documentation
Include policy on critical/important ICT services in third-party risk strategy
EU-DORA-28-06
Monitoring
Management body regular risk review for critical/important functions
EU-DORA-28-07
Documentation
Maintain and update register of ICT service contractual arrangements
EU-DORA-28-08
Documentation
Appropriately document contractual arrangements with distinction
EU-DORA-28-09
Reporting
Report yearly on new ICT service arrangements
EU-DORA-28-10
Transparency
Make register available to competent authority upon request
Map this obligation to your AI systems
ReguLume automatically maps regulatory obligations to your system inventory, identifies compliance gaps, and generates remediation plans.
Get Started