DORA Article 28 requires financial entities to maintain, as part of their ICT risk-management framework, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers, and to identify which provider supports which function.
What the clause asks for
A register kept up to date with information on each contractual arrangement, distinguishing those supporting critical or important functions, and traceable evidence of third-party involvement per function.
Receipt-field mapping
model: Names the model invoked (e.g. claude-3-7-sonnet, gpt-4o)
provider (when present): Names the ICT third-party that hosted the model
policy_applied: Policy version under which the third-party call was authorised
request_hash: Anchor that ties the third-party call to the original decision
signature: Non-repudiable record the financial entity emitted, not the third party
Receipts give the register row-level evidence. A regulator asking “which provider handled this decision” gets a signed answer, not a pointer to a vendor dashboard.
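As an added illustration (not code from the attestation spec or from Aqta), the following shows how receipts carrying the fields above can be verified and rolled up into register rows keyed by function and provider. The `function` field, the critical-function list, the sample requests and the HMAC used in place of the spec's signature are all assumptions for this example; a non-repudiable deployment would use an asymmetric signature.

```python
"""Derive DORA Art. 28 register rows from signed decision receipts (added example)."""
import hashlib
import hmac
import json

# Constructed demo data. The key, the `function` field and the critical list
# are assumptions of this example, not values taken from the spec.
ENTITY_KEY = b"constructed-demo-key"
CRITICAL_FUNCTIONS = {"credit-scoring"}


def canonical(obj: dict) -> bytes:
    """Canonical JSON so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def request_hash(request: dict) -> str:
    return hashlib.sha256(canonical(request)).hexdigest()


def sign(receipt_body: dict) -> str:
    # HMAC stands in for the spec's signature so this runs on the stdlib alone.
    return hmac.new(ENTITY_KEY, canonical(receipt_body), "sha256").hexdigest()


def make_receipt(function: str, request: dict, model: str, provider: str, policy: str) -> dict:
    body = {"function": function, "model": model, "provider": provider,
            "policy_applied": policy, "request_hash": request_hash(request)}
    return {**body, "signature": sign(body)}


def verify_receipt(receipt: dict, request: dict) -> bool:
    """A receipt is evidence only if its signature holds and it binds to the request."""
    body = {k: v for k, v in receipt.items() if k != "signature"}
    return (hmac.compare_digest(receipt["signature"], sign(body))
            and receipt["request_hash"] == request_hash(request))


def build_register(receipts: list[tuple[dict, dict]]) -> dict:
    """Group verified receipts into register rows keyed by (function, provider)."""
    rows = {}
    for receipt, request in receipts:
        if not verify_receipt(receipt, request):
            continue  # unverifiable receipts never become register evidence
        key = (receipt["function"], receipt["provider"])
        row = rows.setdefault(key, {"models": set(), "policies": set(),
                                    "critical": key[0] in CRITICAL_FUNCTIONS})
        row["models"].add(receipt["model"])
        row["policies"].add(receipt["policy_applied"])
    return rows


# Constructed sample decisions and their receipts.
REQ_A = {"decision_id": "d-1", "applicant": "acct-42"}
REQ_B = {"decision_id": "d-2", "query": "fee schedule"}
SAMPLE = [
    (make_receipt("credit-scoring", REQ_A, "claude-3-7-sonnet", "provider-a", "v3"), REQ_A),
    (make_receipt("customer-chat", REQ_B, "gpt-4o", "provider-b", "v3"), REQ_B),
]
```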
Read Article 28 on EUR-Lex or read the full open spec at github.com/Aqta-ai/attestation-spec.