All AI-Related Service Providers
Every AI-related service provider should appear in the third-party register. The register covers five provider categories. Foundation model providers supply the core model, whether accessed via API or downloaded for local deployment. Embedding model providers supply the embedding models used in vector search, semantic similarity, or retrieval-augmented generation.
Annotation and labelling services provide human labelling for training data. Cloud infrastructure providers host the AI workloads, including compute, storage, networking, and managed services. Managed ML services (SageMaker, Vertex AI, Azure ML) provide platform-level capabilities including training orchestration, model hosting, and experiment tracking.
For DORA-scoped entities, the register satisfies DORA Article 28(3)'s requirement for a comprehensive ICT third-party register. For all organisations, the same register satisfies the Annex IV requirement to document the system's components and third-party dependencies. The register should be maintained as a structured dataset (one row per service-to-provider dependency, with typed fields), not embedded in prose, so that it can be queried, reported on, and checked automatically.
Key outputs
- Five-category third-party register (foundation models, embeddings, annotation, cloud, managed ML)
- Structured dataset format for querying and reporting
- DORA Article 28(3) compliance (where applicable)
- Module 9 AISDP evidence
Per-Entry Contractual & Risk Information
Each entry in the third-party register carries structured risk and contractual information. The risk information includes the vendor risk assessment outcome, the provider’s criticality classification (critical, important, or standard), the concentration risk assessment (whether multiple services depend on this provider), and the most recent security posture evaluation.
The contractual information includes the contract reference, the contractual provisions covering the six domains described above, the contract renewal date, the exit strategy summary, and the status of any audit rights exercised. For DORA-scoped entities, additional fields capture the DORA-specific contractual requirements: the provider’s cooperation obligation with the financial supervisor, the sub-outsourcing notification status, and the provider’s participation in resilience testing.
The register is reviewed at least annually by the AI Governance Lead, who confirms that all current providers are listed, that every risk assessment is current, that contractual provisions remain adequate, and that ongoing monitoring arrangements are operational. The review outcome is documented as Module 9 evidence.
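The following is an added example, not tooling from the page, showing what a structured register and the automated checks mentioned above can look like in practice. It models each register row as a typed record, then runs the per-entry checks (stale risk assessment, contract renewal due, missing contractual provisions, missing exit strategy, missing DORA fields for DORA-scoped entities) and the cross-entry concentration-risk check (several internal services depending on one provider). The field names, the sample providers and dates, and the `domain_1`..`domain_6` placeholders are assumptions: the page does not name the six contractual domains, so they are passed in as a parameter rather than hard-coded.

```python
"""Structured AI third-party register with automated compliance checks.

Added example; field names, thresholds and sample data are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date

# The five provider categories and three criticality levels named on the page.
CATEGORIES = {"foundation_model", "embedding", "annotation", "cloud", "managed_ml"}
CRITICALITY = {"critical", "important", "standard"}
# DORA-specific per-entry fields named on the page (keys are assumed names).
DORA_FIELDS = ("supervisor_cooperation", "sub_outsourcing_notified", "resilience_testing")


@dataclass
class Entry:
    """One register row: one internal service's dependency on one provider."""
    service: str                  # internal workload that depends on the provider
    provider: str
    category: str
    criticality: str
    risk_assessed: date           # date of the most recent risk assessment
    contract_ref: str
    renewal: date                 # contract renewal date
    exit_strategy: str            # summary; empty string means none recorded
    provisions: dict[str, bool]   # contractual domain -> covered in the contract?
    dora: dict[str, bool] = field(default_factory=dict)  # DORA fields, if in scope


def check_register(entries, today, required_domains, dora_scoped,
                   max_age_days=365, renewal_warn_days=90):
    """Return a list of (provider, finding_code, detail) tuples."""
    findings = []
    for e in entries:
        if e.category not in CATEGORIES:
            findings.append((e.provider, "BAD_CATEGORY", e.category))
        if e.criticality not in CRITICALITY:
            findings.append((e.provider, "BAD_CRITICALITY", e.criticality))
        age = (today - e.risk_assessed).days
        if age > max_age_days:                       # risk assessment no longer current
            findings.append((e.provider, "STALE_RISK", f"{age} days old"))
        days_to_renewal = (e.renewal - today).days
        if days_to_renewal < 0:
            findings.append((e.provider, "CONTRACT_EXPIRED", e.contract_ref))
        elif days_to_renewal <= renewal_warn_days:   # renewal inside the warning window
            findings.append((e.provider, "RENEWAL_DUE", f"{days_to_renewal} days"))
        missing = [d for d in required_domains if not e.provisions.get(d, False)]
        if missing:
            findings.append((e.provider, "MISSING_PROVISION", ",".join(missing)))
        if not e.exit_strategy.strip():
            findings.append((e.provider, "NO_EXIT_STRATEGY", e.contract_ref))
        if dora_scoped:                              # entity-level scope decides this
            for name in DORA_FIELDS:
                if name not in e.dora:
                    findings.append((e.provider, "DORA_FIELD_MISSING", name))
    # Concentration risk: the same provider appearing under more than one service.
    for provider, services in concentration(entries).items():
        if len(services) > 1:
            findings.append((provider, "CONCENTRATION", ",".join(services)))
    return findings


def concentration(entries):
    """Map provider -> sorted list of internal services that depend on it."""
    by_provider = defaultdict(set)
    for e in entries:
        by_provider[e.provider].add(e.service)
    return {p: sorted(s) for p, s in by_provider.items()}


def summarise(findings):
    """Count findings per finding code, for the review report."""
    return dict(Counter(code for _, code, _ in findings))


# Constructed sample data (assumed providers, dates and placeholder domain names).
TODAY = date(2025, 6, 1)
DOMAINS = tuple(f"domain_{i}" for i in range(1, 7))   # the page does not name them
SAMPLE = [
    Entry("chat-assistant", "ExampleModelCo", "foundation_model", "critical",
          date(2025, 1, 15), "CTR-001", date(2025, 8, 1), "fail over to second provider",
          {d: True for d in DOMAINS}, {n: (n != "resilience_testing") for n in DORA_FIELDS}),
    Entry("doc-search", "ExampleModelCo", "embedding", "important",
          date(2024, 3, 1), "CTR-002", date(2026, 3, 1), "",
          {**{d: True for d in DOMAINS}, "domain_4": False}),
    Entry("training-platform", "ExampleCloud", "managed_ml", "critical",
          date(2025, 4, 1), "CTR-003", date(2026, 12, 31), "re-host on-prem",
          {d: True for d in DOMAINS}, {n: True for n in DORA_FIELDS}),
]


def run_sample(dora_scoped=True):
    return check_register(SAMPLE, TODAY, DOMAINS, dora_scoped)


if __name__ == "__main__":
    for provider, code, detail in run_sample():
        print(f"{provider:16} {code:20} {detail}")
    print(summarise(run_sample()))
```

Each finding is keyed by provider and a stable code, so the same output can feed both the annual review record and a dashboard; the `dora_scoped` flag is passed at entity level rather than stored per row, because DORA scope is a property of the organisation, not of the provider.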
Key outputs
- Per-entry risk assessment, criticality classification, and concentration risk
- Per-entry contractual provisions across six domains
- DORA-specific fields where applicable
- Module 9 AISDP evidence