Vermont Solutions


DORA Article 28 — critical ICT third-party providers for European banking

Article 28 of EU Regulation 2022/2554 (DORA) governs contractual arrangements with external ICT service providers for European financial entities. It is the most operational article of the regulation, translating the digital resilience policy into concrete obligations for provider governance. Applicable since 17 January 2025.

Scope

DORA Art. 28 applies to all entities subject to the regulation: banks, insurers, asset managers, investment firms, central securities depositories, central counterparties, crypto-asset providers (under MiCAR) and others. It covers contracts with external providers (including public cloud) as well as intra-group entities.

The 5 operational obligations

  1. ICT registry of arrangements: a living document with all current arrangements, their criticality, the location of the service (including subcontractors) and the contractual details. Available to the supervisor at any time.
  2. Pre-engagement assessment: technical, regulatory and financial due diligence on the provider before contracting. For services supporting critical functions, includes concentration and country risk analysis.
  3. Mandatory contractual content: the clauses from Art. 30 (complete description, locations, subcontracting, availability, rights of access / audit / termination, incident notification and exit assistance).
  4. Exit strategy: a documented and tested plan to migrate the service to another provider or to bring it back in-house, without operational disruption and within reasonable timeframes. Mandatory for services supporting critical functions.
  5. Continuous monitoring: performance monitoring against SLAs throughout the lifetime of the contract, periodic review of criticality and concentration risk, incident logging and regular audit.

What it means when contracting Vermont or other providers

Vermont Solutions has operated as an ICT provider to tier 1 banks and insurers since before DORA. For contracts signed after January 2025 we provide:

  • Contractual templates covering the Art. 30 minimum content, ready for review by your legal team.
  • Technical documentation for the arrangements registry: service description, subcontractors (cloud, tools), processing locations.
  • Documented exit-strategy plan for professional services and proprietary products (Monitor HPC, IBM Spectrum Symphony Add-on, Baram).
  • Audit access at reasonable cost and operational continuity information available to the client or to the supervisory authority on request.

Related services

Legacy modernization and AI Governance

Vermont supports European financial institutions in technological modernization aligned with DORA Art. 28 and in the implementation of ISO 42001 AIMS for AI systems.

Official sources

Last updated: 2026-05-27. Editorial content by Vermont Solutions, citable with attribution. Does not constitute legal advice.