Testing and third-party risk
DORA places strong emphasis on resilience testing and third-party risk control. Modulos covers these duties across OFF-16 governance and MFF-16 execution.
Testing requirements
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-318 | Resilience testing and TLPT governance | Art. 24, 25, 26, 26(11), 27 |
| MRF-287 | AI system resilience testing programme execution | Art. 24, 25 |
| MRF-288 | AI system TLPT participation and tester-assurance execution | Art. 26, 26(11), 27 |
ICT third-party risk requirements
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-319 | ICT third-party risk and contractual governance | Art. 28(1)-(10), 29, 30(1)-(5) |
| MRF-289 | AI system ICT third-party due diligence and concentration-risk execution | Art. 28(4), 28(5), 29, 30(5) |
| MRF-290 | AI system ICT third-party contractual safeguards and exit execution | Art. 28(6)-(8), 30(1)-(5) |
| MRF-291 | AI system ICT third-party register evidence workflow | Art. 28(3), 28(9) |
Operational evidence baseline
- annual and scenario-based testing plan with outcomes
- TLPT scope decisions, tester assurance, and remediation records
- third-party due diligence and concentration-risk analyses
- contract baseline checks and exit/transition test evidence
- register data completeness and submission readiness evidence
Critical ICT third-party oversight framework (Art. 31-44)
DORA Articles 31 to 44 establish an EU-level oversight framework for critical ICT third-party service providers. Most direct obligations in this section apply to oversight authorities and designated critical providers, not to every financial entity as standalone requirement objects.
In Modulos, customer-facing execution is covered through ORF-319 and MRF-289 to MRF-291:
- maintain complete, defensible ICT third-party registers and reporting readiness
- evidence due diligence, concentration-risk assessment, and contract baseline compliance
- retain traceable records that support competent-authority and lead-overseer information requests
Related pages
- ICT risk and resilience operations: Incident lifecycle and resilience control execution
- Information sharing and secondary legislation: Threat sharing and delegated/implementing act obligations
- Operationalizing in Modulos: Practical implementation sequence for OFF-16 and MFF-16
Disclaimer
This page is for general informational purposes and does not constitute legal advice.