Pillar IV: ICT Third-Party Risk Management
Article 28

Chapter V — Managing of ICT third-party risk

Section I — Key principles for a sound management of ICT third-party risk

General principles

Tags: third-party-risk, due-diligence, register, concentration-risk, outsourcing

Summary

Establishes the fundamental principles for managing ICT third-party risk, including maintaining full responsibility for compliance, conducting thorough due diligence, and establishing a strategy for ICT third-party risk. Requires entities to maintain a register of all ICT third-party arrangements.

Key Requirements

  1. Maintain full responsibility for compliance even when outsourcing
  2. Establish an ICT third-party risk strategy approved by the management body
  3. Maintain a register of all ICT third-party contractual arrangements
  4. Conduct pre-contractual due diligence on ICT third-party providers
  5. Assess and manage ICT concentration risk

Detailed Analysis

Article 28 lays down the foundational principles for Pillar IV, which is DORA's most extensive section and reflects the critical importance of third-party ICT dependencies in modern financial services. The article establishes that outsourcing ICT services does not outsource responsibility — financial entities remain fully accountable for compliance regardless of how many functions they delegate to third parties.

The management body must approve an ICT third-party risk strategy that addresses the entity's approach to using ICT third-party services, including which functions may be outsourced, how providers are selected and monitored, and how concentration risk is managed. This strategy must be reviewed regularly and aligned with the overall ICT risk management framework.

A critical requirement is the register of information on all ICT third-party contractual arrangements. This register must capture details about each arrangement including the provider, the services covered, whether critical or important functions are supported, and the jurisdictions involved. The register serves both the entity's internal risk management and regulatory oversight purposes.

Pre-contractual due diligence is mandatory before entering into any ICT third-party arrangement. Entities must assess the provider's ability to meet security requirements, business continuity standards, and regulatory obligations. For arrangements supporting critical or important functions, this due diligence must be particularly thorough, covering the provider's financial stability, operational resilience, and ability to support audit and supervisory access.
