
DORA — Digital Operational Resilience

The Register

Meridian Capital Partners — Wednesday, 10:14 AM — Frankfurt

An interactive scenario about an ICT third-party register with 83 undocumented providers, a BaFin reporting window of 10 days, and the question of how much you disclose.

83 providers undocumented. The register is a live regulatory document. Material inaccuracies are a breach.

Amira Osei

Katharina — I need to show you something. I was reviewing the NexCore contract for the portfolio management system renewal and I found a sub-processor clause. NexCore uses Helix Infrastructure for their European compute layer. Helix uses ApexCloud for storage.

Katharina Engel

ApexCloud. That's in the register — as a direct provider for risk analytics. I know ApexCloud. I recommended the cloud-first consolidation to the board eighteen months ago. ApexCloud EU-West was my call.

Amira Osei

Then you need to see this. It's not just risk analytics. It's compliance reporting. Client reporting. Four of our seven critical services — through different routes we never traced. NexCore, Helix, two other sub-processors nobody audited. It's not in the register because we stopped at the first tier.

Katharina Engel

How many total?

Amira Osei

A hundred and thirty. The register has forty-seven. Eighty-three undocumented. Twelve run through ApexCloud EU-West — the same region that went down for six hours last December. We were lucky that time. The register BaFin has says we're exposed to forty-seven providers. We're exposed to a hundred and thirty.

📋 Amira's Audit Summary — Meridian ICT Register
Documented: 47
Undocumented: 83
Via ApexCloud: 12
⚠ ApexCloud EU-West — same region as Dec outage. 4 of 7 critical services exposed via unaudited sub-processors.
One of the exposed services: SME payroll processing — ~3,200 small employers, including Lena Okonkwo, a Berlin bakery owner who pays 14 staff on the 15th of each month. If ApexCloud EU-West fails again, her payroll doesn't run.
Quick check — what's the real risk?
Before you escalate this — what's the single most dangerous finding here?
The concentration is what kills you. 83 missing entries is a paperwork problem you can fix with a sprint. Four critical services on one infrastructure provider — that's a single point of failure. DORA Article 29 was written specifically to catch this pattern.
Wednesday, 11:42 AM

The heatmap

Amira pulls up the dependency map on the war-room display. Forty tiles, colour-coded by where each service ultimately runs.

ApexCloud lights up in the centre and starts pulling the grid red beneath it — portfolio management, compliance reporting, client reporting, settlement. Four of seven critical services, one infrastructure provider, three layers of contract nobody audited.

This isn't a documentation gap. It's a concentration risk — and it's been sitting in the register hidden behind an "EU-West consolidation" label you signed off eighteen months ago.
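The heatmap is built from a transitive trace of sub-processor clauses: follow each service's first-tier provider into its own providers until the chain bottoms out, then group services by the infrastructure provider they land on. The block below is an added example (not code from the scenario or from Meridian); the NexCore → Helix Infrastructure → ApexCloud chain is the one the page describes, while the other vendors (ReportVendor-X, SubProc-A, PayCo and so on), the service list and every route are constructed sample data. Setting `max_depth=1` reproduces a register that stopped at the first tier, which is how the undocumented providers are found.

```python
"""Transitive ICT third-party dependency trace and concentration check.

Constructed example: only the NexCore -> Helix Infrastructure -> ApexCloud
chain comes from the scenario; every other provider and route is sample data.
"""
from collections import defaultdict, deque

# First-tier (contracted) provider for each service. Constructed sample data.
SERVICE_PROVIDERS = {
    "portfolio management": ["NexCore"],
    "compliance reporting": ["ReportVendor-X"],   # hypothetical vendor
    "client reporting": ["ReportVendor-Y"],       # hypothetical vendor
    "settlement": ["SettleCo"],                   # hypothetical vendor
    "trading execution": ["TradeCo"],             # hypothetical vendor
    "transaction monitoring": ["MonitorCo"],      # hypothetical vendor
    "payment processing": ["PayCo"],              # hypothetical vendor
    "risk analytics": ["ApexCloud"],              # direct, as in the register
}

# The seven services Meridian classifies as critical (constructed).
CRITICAL_SERVICES = {
    "portfolio management", "compliance reporting", "client reporting",
    "settlement", "trading execution", "transaction monitoring",
    "payment processing",
}

# Sub-processor clauses found in each provider's contract: provider -> providers.
SUB_PROCESSORS = {
    "NexCore": ["Helix Infrastructure"],
    "Helix Infrastructure": ["ApexCloud"],
    "ReportVendor-X": ["SubProc-A"],      # hypothetical
    "SubProc-A": ["ApexCloud"],           # hypothetical
    "ReportVendor-Y": ["ApexCloud"],      # hypothetical
    "SettleCo": ["SubProc-B"],            # hypothetical
    "SubProc-B": ["ApexCloud"],           # hypothetical
    "TradeCo": ["OtherCloud"],            # hypothetical
    "MonitorCo": ["OtherCloud"],          # hypothetical
    "PayCo": ["OtherCloud"],              # hypothetical
}


def trace(service, max_depth=None):
    """Return {provider: tier} for every provider the service ultimately runs on.

    Breadth-first walk over sub-processor clauses; the recorded tier is the
    shortest contractual distance. max_depth=1 models a first-tier-only register.
    """
    tiers = {}
    queue = deque((p, 1) for p in SERVICE_PROVIDERS[service])
    while queue:
        provider, tier = queue.popleft()
        if provider in tiers or (max_depth is not None and tier > max_depth):
            continue
        tiers[provider] = tier
        for sub in SUB_PROCESSORS.get(provider, []):
            queue.append((sub, tier + 1))
    return tiers


def register(max_depth=None):
    """Every provider reachable from any service, to the given depth."""
    providers = set()
    for service in SERVICE_PROVIDERS:
        providers |= trace(service, max_depth).keys()
    return providers


def undocumented(max_depth=1):
    """Providers a register capped at max_depth would miss."""
    return register() - register(max_depth)


def critical_concentration():
    """Map each provider to the critical services that ultimately depend on it."""
    exposure = defaultdict(set)
    for service in CRITICAL_SERVICES:
        for provider in trace(service):
            exposure[provider].add(service)
    return dict(exposure)


def top_concentration():
    """The provider carrying the most critical services, and how many."""
    provider, services = max(critical_concentration().items(), key=lambda kv: len(kv[1]))
    return provider, len(services)


if __name__ == "__main__":
    print("first-tier register:", sorted(register(1)))
    print("missing from it    :", sorted(undocumented()))
    for provider, services in sorted(critical_concentration().items()):
        print(f"{provider:22} {len(services)}/{len(CRITICAL_SERVICES)} critical: {sorted(services)}")
```

Run stand-alone it prints the first-tier register, the providers a first-tier-only register misses, and a per-provider count of critical services, which is the Article 29 concentration view: one provider reached by four of seven critical services over three different contractual routes.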

DORA Art. 28 · Third-Party Risk Classification

Classify Meridian's ICT Services

For each service, select its DORA risk tier.


Core payment processing infrastructure
Real-time transaction monitoring
Trading execution platform
HR payroll software (cloud)
Email and document management
Decision Point
10:47 AM

The Filing Problem

The register you submitted to BaFin three weeks ago is materially incomplete. What do you do?

DORA Article 28 requires the register to be comprehensive and accurate. An incomplete register isn't a technicality — it means your concentration risk assessment is wrong. BaFin has your current register on file. The next supervisory window is in 10 working days.

Self-report the gap to BaFin immediately
Notify BaFin proactively that the register requires a material correction, explain the gap, and provide a revised timeline for the complete filing. Transparency before they find it themselves.
Update the register internally and refile at the next window
Get the register right, then submit the corrected version at the next reporting window in 10 days. No need to flag the original gap — the corrected version will simply replace it.
Wait for Lukas to assess whether it actually matters
The CTO built the architecture. Before you notify anyone, get his assessment of whether this concentration risk is real or whether the sub-processors have independent failover capability that mitigates it.
Katharina Engel
11:30 AM

Notification Filed — +3 points

Katharina Engel

BaFin notified. I've told them the register requires a material correction, that we identified the gap ourselves, and that a revised filing will follow within five working days.

Amira Osei

That's a bold call. How did they respond?

Katharina Engel

Acknowledged. They asked for the revised timeline in writing and noted that self-reporting is considered positively in supervisory assessments. Their exact words.

Proactive disclosure is the correct approach and, critically, the one regulators reward. An entity that identifies and reports its own compliance gaps before the supervisor does demonstrates the kind of governance culture DORA is designed to create.

Article 28 does not have a specific timeline for correcting a register — but the obligation to maintain an accurate, up-to-date register is continuous. Filing a correction with an explanation is better than hoping the original gap goes unnoticed.

Amira Osei
10 Days Later

Quiet Correction — -1 point

Amira Osei

The corrected register is filed. 130 providers, fully mapped.

Katharina Engel

Good. And the original gap?

Amira Osei

Not mentioned. The new filing just... replaces the old one.

The corrected register is better than the original. But the supervisory examination team will compare the October and November filings. They will see that 83 providers appeared in one month. They will ask why.

Presenting a corrected register without disclosing the gap treats the supervisor as someone to be managed rather than informed. When BaFin asks about the discrepancy — and they will — the conversation will be harder than it needed to be.

Lukas Bauer
3 Days Later

Waiting for Lukas — -2 points

Lukas Bauer

I looked at it. Yes, ApexCloud is in the stack for several services. But that's how cloud architecture works. Every major provider uses the same three or four underlying infrastructure players. This is industry standard.

Katharina Engel

That may be true. But DORA Article 29 requires us to assess and document concentration risk. If ApexCloud's EU-West goes down, we lose four critical services simultaneously. That's the concentration risk. Whether it's 'industry standard' doesn't make it compliant.

Lukas Bauer

You're going to notify BaFin that our architecture follows the same pattern as every other asset manager in Frankfurt?

Lukas is factually correct about industry architecture patterns. He is wrong that this makes the concentration risk compliant. DORA does not carve out 'industry standard' as an exception to the register requirements.

Waiting three days to confirm what Amira already found has consumed nearly a third of the supervisory window — and produced a conversation that doesn't change the regulatory obligation. The gap still needs to be reported.

Katharina Engel

Stefan. Article 30(2)(a) of DORA. We have a contractual right to audit NexCore's ICT resilience arrangements, including sub-outsourcing. I need your complete sub-processor list, sub-outsourcing agreements, and resilience testing records for the past twelve months. Today.

Stefan Weidner

Katharina — I hear you. And I want to be helpful. But our sub-processor relationships involve commercially sensitive infrastructure details, and we have confidentiality obligations to our own providers. This isn't obstruction — it's a legitimate legal complexity. Give me ten business days to get our legal team across it properly.

Katharina Engel

Stefan, the audit right is in Section 14.3 of your master services agreement. We negotiated it. You signed it. There is no legal complexity to resolve — there is a right that you either exercise or breach. Ten business days is not a timeline I can accept. I have a supervisory window in seven.

Stefan Weidner

I'll... do what I can. But I can't guarantee a timeline without legal sign-off.

2:15 PM
📧 Email — sent 14:22
From: katharina.engel@meridian-capital.eu
To: stefan.weidner@nexcore-systems.com
Subject: Formal Audit Request — DORA Art. 30(2)(a) — Response Required by [Date+5]
Stefan — this constitutes a formal request under Article 30(2)(a) and Section 14.3 of our MSA. Non-response within 5 business days will be reported to BaFin as a contractual breach. Ten business days is not acceptable.
NexCore has 7 working days before Meridian's supervisory window opens.
Read the room
What is Stefan actually buying time for?
He's buying time to build documentation that should already exist. Under Art. 30(2)(a) the audit right is unambiguous — there is no "legal review" required. Ten business days is the classic delay when a vendor doesn't have its records in order.
Decision Point
2:45 PM

The Vendor Stonewalls

NexCore's compliance director is stalling. He knows your audit right exists — he's invoking 'legal review' as delay. The supervisory window is in 7 working days. What's your lever?

DORA Article 30(2)(a) gives you audit rights over ICT third-party providers. But a contractual right you can't enforce in time is no right at all. Stefan has a pattern of this — the last audit request took six weeks.

Issue a formal Article 30 audit request with a 5-day compliance deadline
Put the request in writing, cite the contractual clause and the DORA obligation, set a 5-day deadline, and state that non-compliance will be reported to BaFin as a contractual breach.
Escalate to NexCore's CEO via Lukas
Use the CTO relationship to go above Stefan. Lukas knows NexCore's CEO from industry events. An informal escalation might move faster than a formal request.
Accept a high-level assurance letter for now
Stefan offers to provide a written assurance that NexCore's sub-processors meet DORA-equivalent standards. Accept it as temporary documentation while the full audit is scheduled.
Stefan Weidner
4 Days Later

The Deadline Works — +3 points

Stefan Weidner

Katharina. We've completed our legal review. I'm sending over the sub-processor list and the resilience testing summaries now. I should note that some of the documentation is commercially sensitive.

Katharina Engel

Noted. Everything received will be handled under the confidentiality provisions in the MSA. What's NexCore's RTO for an ApexCloud EU-West failure?

Stefan Weidner

Four hours. With a 12-hour full failover to EU-Central if the EU-West outage extends beyond 2 hours.

Katharina Engel

That's a 12-hour window where four of our critical services are degraded. That needs to be in the register and in our concentration risk assessment.

The formal written request with a consequence attached is what moved Stefan. 'Legal review' is a delay tactic that works against informal requests — it doesn't work when non-compliance has a documented cost.

The 4-hour RTO data is essential. It changes the concentration risk picture from 'theoretical' to 'quantified': four critical services offline for up to 12 hours in a worst-case ApexCloud EU-West failure.

Lukas Bauer
3 Days Later

The Informal Route — +1 point

Lukas Bauer

I spoke to NexCore's CEO. He said Stefan was being overly cautious and they'd get us what we need. Expect something by end of week.

Katharina Engel

End of week. That's 8 days from now. Our supervisory window is in 4.

Lukas Bauer

He said he'd try for earlier. But Katharina — you're asking them to expose their entire supply chain. That takes time even with goodwill.

The informal escalation moved things faster than a new legal review would have — but not fast enough. The supervisory window will arrive before the documentation does.

CEO-level relationship management can solve problems that formal requests cannot, and vice versa. Here, the formal route would have been faster because it created a documented obligation.

Stefan Weidner
Next Day

The Assurance Letter — -2 points

Stefan Weidner

I've sent over our standard third-party assurance letter. It confirms that NexCore and all sub-processors comply with applicable regulatory standards including DORA-equivalent resilience requirements.

Katharina Engel

Stefan, this says 'DORA-equivalent.' DORA itself applies to Meridian, not NexCore. What standards are you actually certifying against?

Stefan Weidner

We'd need to have a more detailed conversation about that with our legal and compliance teams.

An assurance letter from a vendor who is stalling your audit request is meaningless. It creates the appearance of documentation without the substance. The BaFin examiner will ask: 'What does this letter certify?' The answer is: nothing specific.

The instinct to accept something — anything — rather than push for what DORA actually requires is exactly what auditors look for. 'We accepted a vendor's self-assessment in lieu of an audit' is a finding, not a mitigation.

Hildegard Fuchs

Katharina. Walk me through what happened.

Katharina Engel

I want to say something before I do. Eighteen months ago I recommended a cloud-first infrastructure consolidation to this board. ApexCloud EU-West was the anchor of that proposal. The board approved it. What my team has now found is that four of our seven critical services run through ApexCloud — through three different sub-outsourcing chains that we never fully traced. The register I submitted to BaFin in October reflects forty-seven providers. The real number is a hundred and thirty. That gap is mine to account for.

Hildegard Fuchs

You submitted an incomplete register to BaFin three weeks ago, and you're telling me this morning.

Katharina Engel

My analyst found it forty-eight hours ago. I've already notified BaFin directly. That's why this is on the agenda this morning — I'm not here to ask permission, I'm here to brief you on what I've done and what comes next.

Hildegard Fuchs

This firm has 1,200 people and EUR 14 billion in assets. I understand why you moved quickly. But the board needs to understand how a hundred and thirty dependencies became forty-seven on paper — and whether this is the only register we should be worried about.

Thursday, 9:00 AM
📅 Board Risk Committee — Agenda
09:00 — ICT Register Gap: root cause
09:15 — Decision: disclosure approach ←
09:30 — Budget approval: infrastructure diversification
⏱ BaFin Supervisory Window
Register filed: Incomplete
Corrected filing: Due today
Art. 28 penalty exposure: Up to 2% revenue
Board instinct
Which answer to Hildegard's question will cost Katharina most credibility?
"Out of scope" is the wrong answer to a board chair. DORA Article 28(1) explicitly requires the management body to oversee the full ICT third-party chain, including sub-outsourcing. A board that understands its Art. 28 accountability will hear "out of scope" as either a gap in competence or a deflection — neither is survivable.
Decision Point
Thursday, 9:15 AM

The Board Wants to Understand

Hildegard Fuchs is not angry — she's thorough. The question isn't who to blame. It's what the board should understand about how this happened and what it means for the firm's DORA posture.

The management body has direct accountability under DORA Article 28(1) for ICT third-party risk management. How Katharina frames this matters — not for her career, but because the board's understanding will determine whether they approve the budget and governance changes needed to prevent it happening again.

Present the full concentration risk picture with the remediation plan
Show the board the actual dependency map — all 130 providers, the ApexCloud concentration, the quantified resilience gap — and present a three-step remediation plan with budget and timeline.
Present the mitigated view — gap found, gap being fixed, no immediate risk
Frame it as a documentation gap that has been identified and is being corrected. The concentration risk exists but has mitigants. Emphasise that the firm found this itself.
Defer to Lukas for the technical assessment
The architecture questions are the CTO's domain. Present the regulatory gap and let Lukas explain the technical picture. Share the stage.
Hildegard Fuchs
Thursday, 10:30 AM

The Full Picture — +3 points

Hildegard Fuchs

The 12-hour window for full failover. That's in our operational resilience assessment as acceptable?

Katharina Engel

It wasn't, because we didn't know it existed. Now that we do, we need to decide whether to require NexCore to reduce it, to build our own failover capability, or to diversify away from ApexCloud-dependent providers for at least two of the four services.

Hildegard Fuchs

What's your recommendation?

Katharina Engel

Diversify. It costs more. But the concentration risk is structural — we can't patch it with a vendor SLA.

Hildegard Fuchs

Bring the budget proposal to next month's risk committee. Approved in principle.

Presenting the full picture — including the uncomfortable 12-hour RTO — gives the board what they need to make a real governance decision. The result is budget approval for a structural fix, not a temporary patch.

DORA Article 28(1) holds the management body directly responsible for ICT third-party risk oversight. A board that has seen the full concentration risk picture can demonstrate that oversight in a supervisory examination. A board that was shown a 'mitigated view' cannot.

Hildegard Fuchs
Thursday, 10:30 AM

The Managed Narrative — 0 points

Hildegard Fuchs

So there are mitigants in place. What are they?

Katharina Engel

NexCore has a 4-hour RTO for ApexCloud EU-West failures, with full failover to EU-Central within 12 hours.

Hildegard Fuchs

That means four of our critical services could be impaired for up to 12 hours. That's not a mitigation — that's the risk.

The board chair is sharper than the 'mitigated view' narrative assumed. She understood that the RTO figures are not mitigants — they are the exposure. The attempt to soften the picture has the opposite effect: it looks like spin.

The board will want a budget proposal anyway. The difference is that Katharina has lost a small amount of credibility in the room, and the remediation plan will now be developed under slightly more scrutiny.

Lukas Bauer
Thursday, 10:30 AM

Shared Stage, Confused Message — -2 points

Lukas Bauer

Look, the ApexCloud concentration is industry-standard architecture. Every major firm in Frankfurt runs on the same three or four infrastructure providers at the bottom of the stack. NexCore's 4-hour RTO is actually better than market average.

Hildegard Fuchs

Lukas, DORA doesn't have a 'market average' exception. Katharina — does the concentration risk meet DORA Article 29 requirements as documented?

Katharina Engel

No. The documentation was incomplete. That's being corrected.

Hildegard Fuchs

So the CTO is telling me this is fine and the CRO is telling me the documentation was non-compliant. I need one view from the senior leadership team.

Lukas's 'industry standard' argument is exactly the wrong message in a DORA governance discussion. It conflates operational normalcy with regulatory compliance. The board chair noticed the contradiction immediately.

A risk function that cannot present a unified view with the CTO in a board meeting is a risk function with a governance problem. The remediation conversation will now include a request for better alignment between risk and technology leadership.

Scenario Complete

Two Weeks Later

The corrected register has been filed. 130 providers, fully mapped, with the ApexCloud concentration documented under Article 29. Amira Osei's contract review that found the gap has become the basis for a new sub-outsourcing mapping protocol — every critical ICT contract will now require a three-tier dependency trace before signature. The supervisory window passed. BaFin acknowledged the corrected filing. The board approved a budget for infrastructure diversification at the November risk committee.

Six weeks later · Berlin

Lena Okonkwo's bakery payroll runs on the 15th. Her staff are paid on time. She never learns that one of the diversification projects on page 34 of Meridian's board pack was put there because of her — or that the SME payroll service her bank contracts in would have been one of the 4 exposures if Meridian hadn't mapped the concentration. The register is a piece of paper in an examiner's folder. It is also fourteen paychecks that arrived on a Thursday.

DORA Art. 28 · ICT Register Audit

Redline the Register

⚠ Your task

Click every row that would fail BaFin's DORA Article 28 review. You will get feedback for every click — both correct and incorrect.

This is the ICT register entry for CloudVault Systems, Meridian's critical payment provider. Four entries below are non-compliant.


Field: CloudVault Systems
Provider name: CloudVault Systems Ltd.
Service type: Critical ICT Service — Payment Infrastructure
Contract start date: 2021-03-15
Termination notice period: 90 days
Substitutability assessment: N/A
Last audit date: Not recorded
SLA uptime commitment: 99.5% monthly
Concentration risk rating: Low
Data residency: EU-West (primary), EU-Central (DR)
Exit strategy last tested: Never