v2.4.0

The DORA third-party register is retained as a standalone Module 9 artefact for financial entities. Each entry contains the provider identity, service description, criticality classification, risk assessment outcome, contractual provisions summary, concentration risk assessment, and monitoring status.

The associated vendor risk assessments are retained alongside the register. Each assessment documents the provider’s security certifications, data handling commitments, financial stability evaluation, business continuity capabilities, and the assessment date. Assessments are reviewed annually and re-conducted when the provider’s service scope or security posture changes.

If the system is not subject to DORA, this artefact is documented as not applicable. For non-DORA entities, the equivalent artefact is a simplified third-party register satisfying Annex IV’s component documentation requirements without DORA’s prescriptive contractual and risk fields.

Key outputs

  • DORA third-party register with structured per-entry information
  • Associated vendor risk assessments with annual review
  • DORA Article 28(3) compliance documentation
  • Module 9 AISDP evidence