Working through DORA Article 28: third-party obligations, the contract checklist, and what the auditor asks for
DORA Article 28 sets the ICT third-party risk obligations — register of information, termination grounds, exit strategies — but the contract clause checklist lives in Article 30. We map each subsection to ISO 27001 and SCF controls and to the evidence a supervisor will request, with every article verified through the gateway.