v2.4.0

The supply chain risk assessment archive contains the vendor risk assessments for every third-party component, the ongoing monitoring records, and the sentinel test results that verify provider behaviour stability. Each assessment is dated, version-controlled, and linked to the corresponding entry in the third-party register.

The archive enables trend analysis of supply chain risk: are providers improving or degrading their security posture? Are new dependencies introducing concentration risk? The trend data informs the annual supply chain risk reassessment.

For DORA-scoped entities, the archive also contains the DORA-specific contractual provision documentation, the concentration risk assessments, and the critical provider contingency plans. The archive is retained for the ten-year period.

Key outputs

  • Vendor risk assessment archive per third-party component
  • Ongoing monitoring records and sentinel test results
  • DORA-specific documentation where applicable
  • Module 9 AISDP evidence