Why DORA requires you to track every software library in your application stack

Modern software applications rely on hundreds of third-party libraries and dependencies. A single application might use dozens of open-source packages, each with its own nested dependencies. When a vulnerability emerges in any one of these components, it can cascade through your entire technology stack in hours. Log4j demonstrated the pattern clearly: a transitive library in …

When non-EU service providers lack a LEI: the identifier workaround

If you're working with non-EU ICT service providers that don't have a Legal Entity Identifier, you face a practical compliance challenge. The Implementing Technical Standards (ITS) on the DORA register of information require an LEI for all legal persons established outside the EU, but many providers simply don't have one. This article explains the regulatory workaround …

ICT suppliers in DORA – which contracts must be recorded?

Recording ICT supplier contracts is a fundamental DORA requirement. But there's significant confusion about which contracts are actually in scope. This guide cuts through the complexity to give you clear, actionable answers about what needs to be in your DORA information register. 1. Which contracts are in scope? The simple answer: Every contract with a …

How to classify contracts under DORA: standalone, overarching, or associated?

The challenge: When completing the Digital Operational Resilience Act (DORA) information register, you must specify the type of each contractual arrangement: standalone, overarching, or subsequent/associated. This classification must be recorded in template RT.02.01, column RT.02.01.0020 'Type of contractual arrangement'. But how should you handle this for a typical ICT service where agreements are spread across …

Understanding RT.03: mapping ICT contractual relationships under DORA

The purpose of RT.03: RT.03 is the cornerstone of mapping contractual relationships in your ICT service landscape. It’s designed to create a clear picture of who’s signing what, who’s providing services, and how these services flow within your organization or group. The ITS divides RT.03 into three essential templates, each serving a specific purpose in …