DORA third-party risk register (Articles 28-44)
Maintain the DORA register of ICT third-party service providers — criticality classification, exit strategies, and subcontractor tracking.
DORA Articles 28–44 require every in-scope financial entity to maintain a register of every ICT third-party service provider it relies on, classified by criticality, with an exit strategy on file for critical providers.
Aira models this register directly, keyed by vendor and service description so a single vendor (e.g. AWS) can have multiple entries if it supplies multiple discrete services.
Criticality levels
| Value | Typical example |
|---|---|
critical | Primary cloud region, core payments rail, authoritative identity provider |
non_critical | Secondary analytics vendor, internal tool |
supporting | A vendor providing enabling tech for a critical service (e.g. CDN in front of core banking) |
A provider marked critical without an exit_strategy_summary triggers
a validation warning — DORA Article 28(8) requires documented exit
planning for every critical dependency.
Service types
The service_type field classifies the nature of the dependency for
regulator filings:
cloud_compute, cloud_storage, saas, payment_processor,
identity_provider, data_provider, network, other.
Full field list
| Field | Required | Notes |
|---|---|---|
vendor_name | yes | Legal entity name (e.g. Amazon Web Services EMEA SARL) |
service_description | yes | What they provide for you specifically |
service_type | yes | See service types above |
criticality | yes | critical / non_critical / supporting |
contract_start_date | no | ISO 8601 date |
contract_end_date | no | ISO 8601 date (null = open-ended) |
exit_strategy_summary | conditionally | Required for critical |
subcontractors | no | List of named subcontractors (Article 29) |
data_categories | no | Categories of customer data the provider processes |
jurisdiction | no | Primary hosting / contracting jurisdiction |
is_active | yes | Defaults to true; use PUT to soft-retire |
Example
from aira import Aira
client = Aira(api_key="aira_live_...")
# Register a critical cloud provider
aws = client.create_ict_third_party(
vendor_name="Amazon Web Services EMEA SARL",
service_description="Primary compute and storage for core banking",
service_type="cloud_compute",
criticality="critical",
jurisdiction="EU-CENTRAL-1",
exit_strategy_summary=(
"12-month migration plan to secondary provider (GCP "
"Frankfurt) pre-contracted. RTO 72h, RPO 4h."
),
data_categories=["account-balances", "transaction-history"],
contract_start_date="2024-06-01",
)
# List critical providers
critical = client.list_ict_third_parties(criticality="critical")
for tp in critical["items"]:
print(tp.vendor_name, "—", tp.service_description)
# Soft-retire (contract ended)
client.update_ict_third_party(aws.uuid, is_active=False)import { Aira } from "aira-sdk";
const aira = new Aira({ apiKey: "aira_live_..." });
const aws = await aira.createIctThirdParty({
vendorName: "Amazon Web Services EMEA SARL",
serviceDescription: "Primary compute and storage for core banking",
serviceType: "cloud_compute",
criticality: "critical",
jurisdiction: "EU-CENTRAL-1",
exitStrategySummary:
"12-month migration plan to secondary provider (GCP Frankfurt). RTO 72h, RPO 4h.",
dataCategories: ["account-balances", "transaction-history"],
contractStartDate: "2024-06-01",
});
// List critical providers
const critical = await aira.listIctThirdParties({ criticality: "critical" });
// Soft-retire when the contract ends
await aira.updateIctThirdParty(aws.uuid, { is_active: false });Linking third parties to incidents
When an incident is caused by a third party (category =
third_party_failure), the classify endpoint requires the
third_party_uuid pointing into this register. That cross-reference
flows through into the Article 19 PDF so regulators can trace the
incident chain back to a named provider.
Retention
The register is append-only plus soft-delete — is_active=false hides
a vendor from default list_ict_third_parties() calls but keeps the
record for the full DORA retention window (10 years under Article 28).
DORA incident reporting (Articles 17-19)
How Aira models the DORA incident lifecycle — detection, classification, resolution, and Article 19 ESA-submission PDFs signed with Ed25519.
Behavioral Drift Detection
Per-agent behavioral baselines, KL divergence scoring, and alerts when an agent's behavior shifts away from its expected pattern.