Testing and third-party risk
DORA places strong emphasis on resilience testing and ICT third-party risk control. Modulos covers these duties across OFF-16 governance and MFF-16 execution.
Testing requirements
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-382 | Digital operational resilience testing programme governance | Art. 24, 25 |
| ORF-383 | TLPT governance and authority-coordination readiness | Art. 26, 27 |
| MRF-305 | Digital operational resilience testing execution | Art. 24, 25 |
| MRF-306 | TLPT participation, tester-assurance, and remediation execution | Art. 26, 27 |
ICT third-party risk requirements
| Requirement | Topic | Regulation reference |
|---|---|---|
| ORF-384 | ICT third-party risk strategy and lifecycle governance | Art. 28, 29 |
| ORF-385 | ICT third-party contractual baseline governance | Art. 30(1)-(5) |
| ORF-386 | Register of information governance and reporting readiness | Art. 28(3), 28(9) |
| ORF-387 | Subcontracting of ICT services supporting critical or important functions governance | Art. 30(5) |
| MRF-307 | ICT third-party due diligence and concentration-risk execution | Art. 28, 29 |
| MRF-308 | ICT third-party contractual safeguards and exit-support execution | Art. 30 |
| MRF-309 | Register-of-information evidence workflow execution | Art. 28(3), 28(9) |
| MRF-310 | Subcontracting assessment and flow-down execution | Art. 30(5) |
Modeling choices worth knowing
- Article 25 testing remains universal for in-scope entities; the fuller Article 24 programme posture is treated as an overlay, not as the condition for testing to exist at all.
- TLPT remains a separate conditional family because the DORA workflow is too specific to hide inside generic testing.
- ICT third-party risk is deliberately split into lifecycle governance, contractual baseline, register readiness, and subcontracting instead of one broad supplier requirement.
Operational evidence baseline
- annual and scenario-based testing plan with outcomes
- TLPT scope decisions, tester assurance, and remediation records
- third-party due diligence and concentration-risk analyses
- contract baseline checks and exit/transition test evidence
- register data completeness and submission readiness evidence
- subcontracting assessments and downstream flow-down review records
Critical ICT third-party oversight framework (Art. 31-44)
DORA Articles 31 to 44 establish an EU-level oversight framework for critical ICT third-party service providers. Most of the direct obligations in this section fall on oversight authorities and designated critical providers, rather than on every financial entity as standalone requirement objects.
In Modulos, customer-facing execution is covered indirectly through ORF-384 to ORF-387 and MRF-307 to MRF-310:
- maintain complete, defensible ICT third-party registers and reporting readiness
- evidence due diligence, concentration-risk assessment, and contract baseline compliance
- retain traceable records that support competent-authority and lead-overseer information requests
Related pages
ICT risk and resilience operations
Incident lifecycle and resilience control execution
Information sharing and Level 2 acts
Threat sharing and the threaded Level 2 act model
Operationalizing in Modulos
Practical implementation sequence for OFF-16 and MFF-16
Disclaimer
This page is for general informational purposes and does not constitute legal advice.