Banks, insurers, and investment firms subject to DORA must document every ICT third-party relationship, assess concentration risk, and hold structured evidence for ECB, BaFin, FINMA, and ACPR supervisors. Supplier Shield gives you the register, the assessments, and the supervisory evidence, built around Articles 28–44.
§ The challenge
DORA enforcement is live. Supervisors are already requesting ICT third-party registers. Most financial entities are not ready.
DORA Article 28 requires a documented inventory of all ICT third-party providers, including sub-contractors and fourth parties. Most teams rely on spreadsheets with no version control, missing entries, and no criticality scoring.
DORA mandates identification of single-provider dependencies across critical functions. Without structured data, risk committees cannot see geographic or provider concentration, which is exactly what EBA and ESMA supervisors will ask for.
Article 30 requires exit strategies, audit rights, SLA definitions, and sub-contracting transparency in every critical ICT contract. Most legal teams have no systematic way to verify these provisions exist and are current.
§ How we help
Structured workflows covering every ICT third-party requirement, from initial vendor registration through to annual supervisory reporting.
Build and maintain the authoritative ICT third-party inventory required by DORA.
Import your supplier list, auto-tier by criticality (critical, important, standard), document sub-contracting chains, and attach contractual evidence. The register is always export-ready for supervisory submission.
Identify systemic dependencies on single providers, geographic regions, or service lines.
Run concentration risk reports aligned to EBA and ESMA guidance, and flag providers that support multiple critical functions. This is exactly the data your risk committee and supervisors will request.
Scan ICT contracts for mandatory DORA provisions before audits surface the gaps.
Structured checklists verify exit strategies, audit rights, SLA clauses, and sub-contracting disclosure per contract. Findings feed directly into a remediation queue with owner assignments and deadlines.
§ Why us
Our team has delivered 500+ audits and advised entities regulated by ECB, BaFin, FINMA, and ACPR. We built Supplier Shield to solve the DORA compliance gaps we encounter in real client engagements, not gaps described in a requirements document.
No custom development, no infrastructure project, no professional services engagement. Import your vendor list, configure DORA criticality tiers, and run your first full assessment cycle. Most teams close their first supervisory gap within a quarter.
Unlike enterprise GRC suites that require an RFP just to get a quote, Acuna GRC platform tiers are published on the pricing page. Supplier Shield TPRM is an add-on module priced on top of the platform. Annual fee by vendor count. No per-user fees, no negotiation required.
§ Regulatory obligations
These are the specific DORA articles that supervisors, internal auditors, and Big 4 reviewers will test against. Supplier Shield maps your vendor program to each one.
Document the policy, roles, and register for all ICT third-party relationships. Must include criticality tiers and sub-contracting chains.
All critical ICT contracts must include: access and audit rights, service level definitions, exit strategies, sub-contracting transparency, and data location clauses.
Identify dependencies on single providers. Financial entities must report concentration risk data annually to their competent authority (ECB, BaFin, FINMA, ACPR, etc.).
For each critical ICT provider, document a tested exit strategy covering service substitution, transition timeline, and data portability. Must be reviewed annually.
§ Acuna GRC
Supplier Shield is the TPRM module inside Acuna GRC. Your ICT vendor register connects directly to your broader risk register, data protection framework, and internal audit workflows, all Swiss-hosted, all on one platform.
§ Platform capabilities
Supplier Shield is the TPRM module inside Acuna GRC. Here is what that means in practice for a DORA-regulated entity, beyond questionnaires.
Every ICT vendor in your register is continuously scanned for DNS hygiene, TLS configuration, web security headers, breach exposure, and threat intelligence feeds. Composite A–F grades update automatically. Your risk committee sees live posture, not a snapshot from the last assessment cycle.
DORA Art. 30 contractual provisions, GDPR Art. 28 DPAs, and ISO 27001 A.15 supplier controls are the same underlying obligation. In Acuna, one control maps to all three frameworks simultaneously. No duplicated assessments, no conflicting evidence, no inconsistent scoring between your ICT and data protection registers.
Ask Aiko: "Which ICT vendors are missing exit strategy documentation?" or "Show me concentration risk by provider for our trading systems." Answers come from your live vendor register, structured and ready to pull into a risk committee briefing without manual data extraction.
DORA requires annual review of your ICT third-party register, concentration risk assessments, and exit strategy tests. The Acuna compliance calendar schedules these automatically, assigns owners, and tracks completion, ensuring supervisory deadlines do not catch your team by surprise.
For financial entities with a broader enterprise risk program, the Enterprise Risk Management module connects ICT third-party risk findings directly to your operational risk register. A vendor concentration finding surfaces in your ORSA. No manual bridge between TPRM and ERM.
Full platform overview: Acuna GRC cloud platform
§ FAQ
DORA applies to all EU-regulated financial entities: credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, AIFMs, UCITS management companies, and more. Swiss-headquartered firms with EU branches or subsidiaries are also in scope.
The DORA hub explains the full regulation, all five pillars. This page focuses specifically on how financial institutions use Supplier Shield to meet the ICT third-party risk requirements in Articles 28–44. It is the operational application, not the regulatory overview.
Most teams complete their initial register within two to four weeks using Supplier Shield. The platform imports your existing supplier list, applies automated criticality scoring, and surfaces the highest-priority gaps immediately.
Yes. The platform generates a structured export aligned to the EBA/ESMA register template (Annex III) for the annual supervisory submission. No manual data extraction required.
Acuna GRC is hosted in Switzerland, which satisfies data residency requirements for Swiss FINMA-regulated entities. For EU supervisors, we provide documented data processing agreements and can discuss jurisdiction-specific requirements.
Book a focused session with our team. We will map your current ICT third-party posture to Articles 28–44 and show you exactly where Supplier Shield closes the gaps.