
DORA — Digital Operational Resilience

The Register

Meridian Capital Partners — Wednesday, 10:14 AM — Frankfurt

An interactive scenario about an ICT third-party register with 83 undocumented providers, a BaFin reporting window of 10 days, and the question of how much you disclose.

83 providers undocumented. The register is a live regulatory document. Material inaccuracies are a breach.

Amira Osei

Katharina. Found a sub-processor clause in the NexCore renewal. NexCore uses Helix for European compute. Helix uses ApexCloud for storage.

Katharina Engel

ApexCloud is already in the register as a direct provider for risk analytics. I pushed the cloud-first consolidation to the board eighteen months ago. EU-West was my call.

Amira Osei

It's not just risk analytics. It's compliance reporting. Client reporting. Four of our seven critical services, through routes we never traced. NexCore, Helix, two other sub-processors nobody audited. We stopped at the first tier.

Katharina Engel

How many total?

Amira Osei

A hundred and thirty. The register has forty-seven. Twelve run through ApexCloud EU-West, the same region that went down for six hours last December. BaFin thinks we're exposed to forty-seven providers. We're exposed to a hundred and thirty.

📋 Amira's Audit Summary — Meridian ICT Register
47 documented · 83 undocumented · 12 via ApexCloud
⚠ ApexCloud EU-West — same region as Dec outage. 4 of 7 critical services exposed via unaudited sub-processors.
One of the exposed services: SME payroll processing — ~3,200 small employers, including Lena Okonkwo, a Berlin bakery owner who pays 14 staff on the 15th of each month. If ApexCloud EU-West fails again, her payroll doesn't run.
Quick check — what's the real risk?
Before you escalate this — what's the single most dangerous finding here?
The concentration is what kills you. 83 missing entries is a paperwork problem you can fix with a sprint. Four critical services on one infrastructure provider — that's a single point of failure. DORA Article 29 was written specifically to catch this pattern.
Wednesday, 11:42 AM

The heatmap

Amira pulls up the dependency map on the war-room display. Forty tiles, colour-coded by where each service ultimately runs.

ApexCloud lights up in the centre and starts pulling the grid red beneath it — portfolio management, compliance reporting, client reporting, settlement. Four of seven critical services, one infrastructure provider, three layers of contract nobody audited.

This isn't a documentation gap. It's a concentration risk — and it's been sitting in the register hidden behind an "EU-West consolidation" label you signed off eighteen months ago.
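The dependency map Amira puts on the display is a transitive walk through sub-outsourcing contracts: each service is followed past its tier-one provider until the infrastructure it actually runs on is reached. As an added illustration (not the scenario's own tooling), the Python below does that walk, flags providers that carry several critical services at once, and lists providers the filed register never recorded. Only the NexCore, Helix and ApexCloud chain and the service names come from the scenario; every other provider and link is constructed.

```python
from collections import defaultdict

# Constructed sub-outsourcing links: provider -> providers it relies on.
# A review that stops at tier one never sees anything below these keys.
SUBCONTRACTS = {
    "NexCore": ["Helix"],          # from the scenario: NexCore computes on Helix
    "Helix": ["ApexCloud"],        # from the scenario: Helix stores on ApexCloud
    "Quantis": ["ApexCloud"],      # constructed
    "Ledgerline": ["Helix"],       # constructed
    "Clearpath": ["ApexCloud"],    # constructed
    "DocStore": ["Ironvault"],     # constructed
}

# Constructed direct contracts: service -> (tier-one provider, critical?).
SERVICES = {
    "portfolio management": ("NexCore", True),
    "compliance reporting": ("Quantis", True),
    "client reporting": ("Ledgerline", True),
    "settlement": ("Clearpath", True),
    "core payment processing": ("CloudVault", True),
    "trading execution": ("TradeWire", True),
    "transaction monitoring": ("Sentinel", True),
    "risk analytics": ("ApexCloud", False),
    "email and documents": ("DocStore", False),
}

# The filed register (constructed): tier-one contracts only.
DOCUMENTED = {tier1 for tier1, _ in SERVICES.values()}

def resolve_chain(provider, subcontracts=SUBCONTRACTS):
    """Every provider reachable from `provider` at any tier; cycle-safe."""
    reached, stack = set(), [provider]
    while stack:
        p = stack.pop()
        if p not in reached:
            reached.add(p)
            stack.extend(subcontracts.get(p, []))
    return reached

def exposure_by_provider(services=SERVICES, subcontracts=SUBCONTRACTS):
    """provider -> sorted critical services that depend on it at any tier."""
    exposure = defaultdict(set)
    for service, (tier1, critical) in services.items():
        if critical:
            for p in resolve_chain(tier1, subcontracts):
                exposure[p].add(service)
    return {p: sorted(s) for p, s in exposure.items()}

def concentration_hotspots(min_critical=2, **kw):
    """Providers whose outage would hit at least `min_critical` critical
    services together: the single-point-of-failure pattern Art. 29 targets."""
    return {p: s for p, s in exposure_by_provider(**kw).items()
            if len(s) >= min_critical}

def undocumented_providers(documented=DOCUMENTED, services=SERVICES, subcontracts=SUBCONTRACTS):
    """Providers present in the real chains that the register never lists."""
    chains = (resolve_chain(t, subcontracts) for t, _ in services.values())
    return sorted(set().union(*chains) - set(documented))
```

With the constructed data, ApexCloud surfaces as the provider behind four critical services even though the register lists it only once, as a direct contract.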

DORA Art. 28 · Third-Party Risk Classification

Classify Meridian's ICT Services

For each service, select its DORA risk tier.


Core payment processing infrastructure
Real-time transaction monitoring
Trading execution platform
HR payroll software (cloud)
Email and document management
Decision Point
10:47 AM

The Filing Problem

The register you submitted to BaFin three weeks ago is materially incomplete. What do you do?

DORA Article 28 requires the register to be comprehensive and accurate. An incomplete register isn't a technicality — it means your concentration risk assessment is wrong. BaFin has your current register on file. The next supervisory window is in 10 working days.

Self-report the gap to BaFin immediately
Notify BaFin proactively that the register requires a material correction, explain the gap, and provide a revised timeline for the complete filing. Transparency before they find it themselves.
Update the register internally and refile at the next window
Get the register right, then submit the corrected version at the next reporting window in 10 days. No need to flag the original gap — the corrected version will simply replace it.
Wait for Lukas to assess whether it actually matters
The CTO built the architecture. Before you notify anyone, get his assessment of whether this concentration risk is real or whether the sub-processors have independent failover capability that mitigates it.
11:30 AM

Notification Filed — +3 points

Katharina Engel

BaFin notified. Told them the register needs a material correction, that we found the gap ourselves, and that a revised filing follows within five working days.

Amira Osei

How did they respond?

Katharina Engel

Acknowledged. They asked for the revised timeline in writing and noted that self-reporting is considered positively in supervisory assessments. Their exact words.

Proactive disclosure is the approach regulators reward. An entity that identifies and reports its own compliance gaps before the supervisor does demonstrates the governance culture DORA is designed to create.

Article 28 sets no specific timeline for correcting a register, but the duty to keep it accurate is continuous. Filing a correction with an explanation beats hoping the gap goes unnoticed.

10 Days Later

Quiet Correction — -1 point

Amira Osei

The corrected register is filed. 130 providers, fully mapped.

Katharina Engel

Good. And the original gap?

Amira Osei

Not mentioned. The new filing just... replaces the old one.

The corrected register is better than the original. But the supervisory examiners will compare the October and November filings. They will see 83 providers appear in one month, and they will ask why.

Filing a correction without flagging the gap treats the supervisor as someone to be managed, not informed. When BaFin asks about the discrepancy, that conversation will be harder than it needed to be.

3 Days Later

Waiting for Lukas — -2 points

Lukas Bauer

I looked at it. Yes, ApexCloud is in the stack for several services. But that's how cloud architecture works. Every major provider uses the same three or four infrastructure players. Industry standard.

Katharina Engel

DORA Article 29 still requires us to assess and document concentration risk. If EU-West goes down, we lose four critical services at once. 'Industry standard' isn't a compliance defence.

Lukas Bauer

You're going to notify BaFin that our architecture matches every other asset manager in Frankfurt?

Lukas is right about the pattern. He's wrong that the pattern makes the concentration compliant. DORA does not carve out 'industry standard' as an exception.

Three days to confirm what Amira already found has burned a third of the supervisory window, and the gap still needs to be reported.

Katharina Engel

Stefan. DORA Article 30(2)(a). We have a contractual right to audit NexCore's ICT resilience arrangements, including sub-outsourcing. I need your complete sub-processor list, sub-outsourcing agreements, and twelve months of resilience testing records. Today.

Stefan Weidner

Katharina, I hear you. But our sub-processor relationships involve commercially sensitive details, and we have confidentiality obligations to our own providers. Give me ten business days to get legal across it.

Katharina Engel

Stefan, the audit right is Section 14.3 of your MSA. You signed it. There's no legal complexity, only a right you either honour or breach. Ten days won't work. My supervisory window is in seven.

Stefan Weidner

I'll do what I can. No guarantees without legal sign-off.

2:15 PM
📧 Email — sent 14:22
From: katharina.engel@meridian-capital.eu
To: stefan.weidner@nexcore-systems.com
Subject: Formal Audit Request — DORA Art. 30(2)(a) — Response Required by [Date+5]
Stefan — this constitutes a formal request under Article 30(2)(a) and Section 14.3 of our MSA. Non-response within 5 business days will be reported to BaFin as a contractual breach. Ten business days is not acceptable.
NexCore has 7 working days before Meridian's supervisory window opens.
Read the room
What is Stefan actually buying time for?
He's buying time to build documentation that should already exist. Under Art. 30(2)(a) the audit right is unambiguous — there is no "legal review" required. Ten business days is the classic delay when a vendor doesn't have its records in order.
Decision Point
2:45 PM

The Vendor Stonewalls

NexCore's compliance director is stalling. He knows your audit right exists — he's invoking 'legal review' as delay. The supervisory window is in 7 working days. What's your lever?

DORA Article 30(2)(a) gives you audit rights over ICT third-party providers. But a contractual right you can't enforce in time is no right at all. Stefan has a pattern of this — the last audit request took six weeks.

Issue a formal Article 30 audit request with a 5-day compliance deadline
Put the request in writing, cite the contractual clause and the DORA obligation, set a 5-day deadline, and state that non-compliance will be reported to BaFin as a contractual breach.
Escalate to NexCore's CEO via Lukas
Use the CTO relationship to go above Stefan. Lukas knows NexCore's CEO from industry events. An informal escalation might move faster than a formal request.
Accept a high-level assurance letter for now
Stefan offers to provide a written assurance that NexCore's sub-processors meet DORA-equivalent standards. Accept it as temporary documentation while the full audit is scheduled.
4 Days Later

The Deadline Works — +3 points

Stefan Weidner

Katharina. Legal review done. Sub-processor list and resilience testing summaries coming over now. Some of it is commercially sensitive.

Katharina Engel

Noted. Handled under the MSA confidentiality provisions. What's NexCore's RTO for an ApexCloud EU-West failure?

Stefan Weidner

Four hours. Full failover to EU-Central within twelve if the outage extends past two.

Katharina Engel

That's a 12-hour window with four critical services degraded. Goes in the register and the concentration risk assessment.

A written request with a consequence attached is what moved Stefan. 'Legal review' stalls informal requests, not formal ones where non-compliance has a documented cost.

The RTO figures turn the concentration risk from theoretical into quantified: four critical services degraded for up to 12 hours in a worst-case EU-West failure.

3 Days Later

The Informal Route — +1 point

Lukas Bauer

Spoke to NexCore's CEO. He said Stefan was being overcautious and they'd get us what we need. Expect something by end of week.

Katharina Engel

End of week is 8 days. Our supervisory window is in 4.

Lukas Bauer

He'll try for earlier. But Katharina, you're asking them to expose their whole supply chain. That takes time, even with goodwill.

The informal escalation moved faster than a fresh legal review, but not fast enough. The supervisory window will arrive before the documentation does.

CEO-level relationships solve some problems formal requests can't, and vice versa. Here, the formal route would have been faster because it created a documented obligation.

Next Day

The Assurance Letter — -2 points

Stefan Weidner

Sent over our standard third-party assurance letter. Confirms NexCore and all sub-processors comply with applicable standards, including DORA-equivalent resilience requirements.

Katharina Engel

Stefan, 'DORA-equivalent.' DORA applies to Meridian, not NexCore. What standards are you actually certifying against?

Stefan Weidner

We'd need a more detailed conversation about that with legal and compliance.

An assurance letter from a vendor stalling your audit is meaningless. It creates the appearance of documentation without the substance. The BaFin examiner asks: 'What does this letter certify?' The answer: nothing specific.

Accepting any documentation rather than pushing for what DORA actually requires is exactly what auditors look for. 'We accepted a vendor's self-assessment in lieu of an audit' is a finding, not a mitigation.

Hildegard Fuchs

Katharina. Walk me through what happened.

Katharina Engel

Something to say first. Eighteen months ago I recommended the cloud-first consolidation. ApexCloud EU-West was the anchor. The board approved it. My team has now found four of our seven critical services run through ApexCloud, via three sub-outsourcing chains we never traced. The October register shows forty-seven providers. The real number is a hundred and thirty. That gap is mine.

Hildegard Fuchs

You submitted an incomplete register to BaFin three weeks ago, and you're telling me this morning.

Katharina Engel

My analyst found it forty-eight hours ago. I've already notified BaFin. I'm not asking permission, I'm briefing you on what I've done and what comes next.

Hildegard Fuchs

1,200 people, EUR 14 billion in assets. I understand why you moved fast. But the board needs to understand how a hundred and thirty dependencies became forty-seven on paper, and whether this is the only register we should be worried about.

Thursday, 9:00 AM
📅 Board Risk Committee — Agenda
09:00 — ICT Register Gap: root cause
09:15 — Decision: disclosure approach ←
09:30 — Budget approval: infrastructure diversification
⏱ BaFin Supervisory Window
Register filed: Incomplete
Corrected filing: Due today
Art. 28 penalty exposure: Up to 2% revenue
Board instinct
Which answer to Hildegard's question will cost Katharina most credibility?
"Out of scope" is the wrong answer to a board chair. DORA Article 28(1) explicitly requires the management body to oversee the full ICT third-party chain, including sub-outsourcing. A board that understands its Art. 28 accountability will hear "out of scope" as either a gap in competence or a deflection — neither is survivable.
Decision Point
Thursday, 9:15 AM

The Board Wants to Understand

Hildegard Fuchs is not angry. She's thorough. The question isn't who to blame, it's what the board should understand about how this happened and what it means for the firm's DORA posture.

Under DORA Article 28(1), the management body has direct accountability for ICT third-party risk. How Katharina frames this determines whether they approve the budget and governance changes needed to stop it happening again.

Present the full concentration risk picture with the remediation plan
Show the board the actual dependency map — all 130 providers, the ApexCloud concentration, the quantified resilience gap — and present a three-step remediation plan with budget and timeline.
Present the mitigated view — gap found, gap being fixed, no immediate risk
Frame it as a documentation gap that has been identified and is being corrected. The concentration risk exists but has mitigants. Emphasise that the firm found this itself.
Defer to Lukas for the technical assessment
The architecture questions are the CTO's domain. Present the regulatory gap and let Lukas explain the technical picture. Share the stage.
Thursday, 10:30 AM

The Full Picture — +3 points

Hildegard Fuchs

The 12-hour failover window. Is that on our operational resilience assessment as acceptable?

Katharina Engel

It wasn't, because we didn't know it existed. Now we do, we choose: require NexCore to reduce it, build our own failover, or diversify away from ApexCloud-dependent providers for at least two of the four services.

Hildegard Fuchs

Your recommendation?

Katharina Engel

Diversify. Costs more. But the concentration risk is structural, not patchable with a vendor SLA.

Hildegard Fuchs

Bring the budget proposal to next month's risk committee. Approved in principle.

Presenting the full picture, including the uncomfortable 12-hour RTO, gives the board what they need to make a real governance decision. The result: budget approval for a structural fix, not a patch.

DORA Article 28(1) holds the management body directly responsible for ICT third-party risk oversight. A board that has seen the full concentration picture can demonstrate that oversight in a supervisory exam. A board shown a 'mitigated view' cannot.

Thursday, 10:30 AM

The Managed Narrative — 0 points

Hildegard Fuchs

So there are mitigants. What are they?

Katharina Engel

NexCore has a 4-hour RTO for ApexCloud EU-West, with full failover to EU-Central within 12 hours.

Hildegard Fuchs

So four of our critical services could be impaired for up to 12 hours. That's not a mitigation. That's the risk.

The board chair was sharper than the 'mitigated view' narrative assumed. The RTO figures aren't mitigants, they are the exposure. Softening the picture had the opposite effect: it read as spin.

The board will still want a budget proposal. The difference: Katharina has lost a little credibility in the room, and the remediation plan now develops under more scrutiny.

Thursday, 10:30 AM

Shared Stage, Confused Message — -2 points

Lukas Bauer

The ApexCloud concentration is industry-standard architecture. Every major firm in Frankfurt runs on the same three or four infrastructure providers. NexCore's 4-hour RTO is better than market average.

Hildegard Fuchs

Lukas, DORA doesn't have a 'market average' exception. Katharina, does the concentration risk meet DORA Article 29 as documented?

Katharina Engel

No. The documentation was incomplete. That's being corrected.

Hildegard Fuchs

So the CTO says this is fine and the CRO says it was non-compliant. I need one view from senior leadership.

Lukas's 'industry standard' line is the wrong message in a DORA governance discussion. It conflates operational normalcy with regulatory compliance. The board chair caught the contradiction immediately.

A risk function that can't present a unified view with the CTO has a governance problem. The remediation conversation will now include a request for better alignment between risk and technology leadership.

Scenario Complete

Two Weeks Later

The corrected register has been filed. 130 providers, fully mapped, with the ApexCloud concentration documented under Article 29. Amira Osei's contract review that found the gap has become the basis for a new sub-outsourcing mapping protocol — every critical ICT contract will now require a three-tier dependency trace before signature. The supervisory window passed. BaFin acknowledged the corrected filing. The board approved a budget for infrastructure diversification at the November risk committee.

Six weeks later · Berlin

Lena Okonkwo's bakery payroll runs on the 15th. Her staff are paid on time. She never learns that one of the diversification projects on page 34 of Meridian's board pack was put there because of her — or that the SME payroll service her bank contracts in would have been one of the 4 exposures if Meridian hadn't mapped the concentration. The register is a piece of paper in an examiner's folder. It is also fourteen paychecks that arrived on a Thursday.

DORA Art. 28 · ICT Register Audit

Redline the Register

⚠ Your task

Click every row that would fail BaFin's DORA Article 28 review. You will get feedback for every click — both correct and incorrect.

This is the ICT register entry for CloudVault Systems, Meridian's critical payment provider. Four entries below are non-compliant.


Provider name: CloudVault Systems Ltd.
Service type: Critical ICT Service — Payment Infrastructure
Contract start date: 2021-03-15
Termination notice period: 90 days
Substitutability assessment: N/A
Last audit date: Not recorded
SLA uptime commitment: 99.5% monthly
Concentration risk rating: Low
Data residency: EU-West (primary), EU-Central (DR)
Exit strategy last tested: Never