
Founder voice · 12 May 2026

DORA Article 28 Is Not a Vendor Management Checkbox.

Regulators don't audit your DORA register. They audit the operational reality behind it. After building Article 28 capability into the Finray platform stack from day one, the gap between the two is the part most ICT third-party programmes underweight.

DORA Article 28 reads like a vendor management framework: register your ICT third-party providers, classify by criticality, monitor concentration risk, plan for exit. The institutions that treat it as exactly that — a Tier-N supplier inventory with quarterly reviews and an annual concentration report — are the ones I'd expect to receive Joint Examination Procedure (JEP) findings through the 2026-2027 supervisory cycle.

What Article 28 actually requires is a continuous control surface: live concentration metrics, exit-plan rehearsal evidence, contractual right-of-audit invocation records, and a register that updates when the underlying contract changes — not when the GRC team gets around to reviewing it. The ROI tracker radar at Finray Intelligence maps the Article 28 capability surface against the actual NCA priorities and the operating cost of each posture. If you're scoping a DORA programme, the radar tells you which of the five Article 28 capability tiers you're aiming for, and what each tier actually costs to operate (not just to set up).

Short version: the register isn't the artefact regulators audit. The operational system that keeps the register honest in real time is.

Read the DORA Article 28 ROI tracker →
