Post Oak Labs Showcase · #26 of 33 DORA ICT Risk Gap Analyser · Article 28 Depth
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Demo #26 · DORA Art. 28 · Third-Party ICT Concentration · RegTech Hub
Five-pillar maturity · DORA Live since 17 Jan 2025 · @ainumbers.co/dora-gap-v1

The third-party concentration question DORA Article 28 actually asks.

Score your institution's five-pillar DORA maturity (Risk Mgmt · Incident · Resilience Testing · Third-Party · Information Sharing), then drill into the part the EBA's joint RTS on ICT third-party risk really cares about: Article 28 concentration, sub-outsourcing depth and which providers support Critical or Important Functions (CIFs). The mandate emits a remediation roadmap sorted by penalty exposure — the artifact a CRO can sign.

Zero PII · Client-side · Deeper than #3 Deduplicator (same regime, third-party depth focus) · Last Reviewed 2026-05-13
DORA · in force since 17 January 2025 · LIVE

DORA (Regulation (EU) 2022/2554) entered application on 17 January 2025. Articles 28–44 set the ICT third-party risk regime; the EBA / EIOPA / ESMA Joint Final RTS (2024/1773) defines what constitutes a critical-or-important function and the sub-outsourcing oversight expected. The Critical Third-Party Provider (CTPP) designation regime is live with the European Supervisory Authorities and direct oversight of the first cohort is underway.

Sources: EU 2022/2554 Art. 5–49 · Joint Final RTS 2024/1773 · EBA Guidelines on outsourcing arrangements · ESAs CTPP designation register
§1 · Five-Pillar Maturity · score / 100

Set each pillar 0 → 4

0 Initial · 1 Repeatable · 2 Defined · 3 Managed · 4 Optimised. The composite is the simple sum of the five pillar scores × 5 (so 0–100); the AP2 mandate emits each pillar separately so an agentic remediation runtime can target the weakest pillar first.

§2 · Article 28 — Third-Party Concentration EBA RTS 2024/1773

Critical ICT providers & sub-outsourcing depth

Allocate the share of critical-or-important function coverage across your top ICT third parties. The composer computes a Herfindahl-Hirschman-style concentration index and flags providers whose sub-outsourcing chain goes beyond two layers — the threshold where EBA RTS oversight expectations escalate.

Provider · Share of CIF coverage · Sub-outsourcing depth · CIF tier
HHI concentration index

Sub-outsourcing oversight gaps
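As an added worked example (not the analyser's own code and not part of the original page), the following Python carries out the two computations §1 and §2 describe: the five-pillar composite (sum of 0–4 scores × 5) and the Article 28 concentration check, i.e. an HHI-style index over each provider's share of CIF coverage plus a flag for any provider whose sub-outsourcing chain runs beyond two layers. Function and field names, the percent input scale, the 0–10,000 HHI scale, and ordering remediation by pillar score (rather than the page's penalty exposure, for which no data is shown) are all this example's assumptions; the sample scores and providers are constructed.

```python
"""Illustrative DORA gap-analyser arithmetic (added example, not the analyser's code).

Computations taken from the page:
  * five-pillar composite = simple sum of pillar scores (0..4 each) x 5 -> 0..100
  * Article 28 concentration: HHI-style index over each provider's share of
    critical-or-important function (CIF) coverage, plus a flag for providers whose
    sub-outsourcing chain goes beyond two layers.
Assumptions not stated on the page: shares are entered in percent, the HHI is
reported on the 0..10,000 scale, and depth counts layers below the direct provider.
"""
from dataclasses import dataclass

PILLARS = ("Risk Mgmt", "Incident", "Resilience Testing", "Third-Party", "Information Sharing")
MAX_SCORE = 4          # 0 Initial .. 4 Optimised
ESCALATION_DEPTH = 2   # page: chains beyond two layers are flagged


def composite_maturity(scores: dict[str, int]) -> int:
    """Composite maturity 0..100: sum of the five pillar scores times 5."""
    missing = [p for p in PILLARS if p not in scores]
    if missing:
        raise ValueError(f"missing pillar scores: {missing}")
    for name in PILLARS:
        if not 0 <= scores[name] <= MAX_SCORE:
            raise ValueError(f"pillar {name!r}: score {scores[name]} outside 0..{MAX_SCORE}")
    return sum(scores[name] for name in PILLARS) * 5


def remediation_order(scores: dict[str, int]) -> list[str]:
    """Pillars from weakest to strongest so a remediation runtime targets the weakest first.

    Ties keep the page's pillar order (I..V). Ordering by score is this example's
    simplification (assumption); the page's mandate orders by penalty exposure.
    """
    return sorted(PILLARS, key=lambda p: (scores[p], PILLARS.index(p)))


@dataclass(frozen=True)
class Provider:
    name: str
    cif_share_pct: float        # share of CIF coverage allocated to this provider, in percent
    sub_outsourcing_depth: int  # layers of sub-outsourcing below the direct provider
    cif_tier: str               # label from the table's "CIF tier" column (free text here)


def hhi(providers: list[Provider]) -> float:
    """HHI-style concentration: sum of squared percentage shares (0..10,000 scale, assumed)."""
    if any(p.cif_share_pct < 0 for p in providers):
        raise ValueError("shares must be non-negative")
    if sum(p.cif_share_pct for p in providers) > 100 + 1e-9:
        raise ValueError("shares exceed 100% of CIF coverage")
    return sum(p.cif_share_pct ** 2 for p in providers)


def sub_outsourcing_gaps(providers: list[Provider]) -> list[str]:
    """Names of providers whose sub-outsourcing chain goes beyond ESCALATION_DEPTH layers."""
    return [p.name for p in providers if p.sub_outsourcing_depth > ESCALATION_DEPTH]


# Constructed sample input (synthetic values, as the page's banner asks for).
SAMPLE_SCORES = {"Risk Mgmt": 3, "Incident": 2, "Resilience Testing": 1,
                 "Third-Party": 2, "Information Sharing": 4}
SAMPLE_PROVIDERS = [
    Provider("cloud-provider-A", 55.0, 3, "critical"),
    Provider("core-banking-B", 30.0, 1, "critical"),
    Provider("payments-C", 15.0, 2, "important"),
]

if __name__ == "__main__":
    print("composite maturity:", composite_maturity(SAMPLE_SCORES))         # 60
    print("remediation order:", remediation_order(SAMPLE_SCORES))
    print("HHI:", hhi(SAMPLE_PROVIDERS))                                    # 4150.0
    print("sub-outsourcing gaps:", sub_outsourcing_gaps(SAMPLE_PROVIDERS))  # ['cloud-provider-A']
```

With the constructed input the composite is 60/100 with Resilience Testing as the weakest pillar, the HHI is 4150 (a single provider holding 55% of CIF coverage dominates the index), and cloud-provider-A is flagged because its chain runs three layers deep. The validation in `composite_maturity` and `hhi` rejects out-of-range scores and over-allocated shares rather than silently producing a misleading scorecard.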

§3 · Scorecard Live · Heatmap + remediation

Composite, heatmap, remediation priority

Composite maturity
Article 28 risk band
HHI + sub-outsourcing depth
Pillar heatmap
I · Risk
II · Incident
III · Testing
IV · 3rd-Party
V · Info-Share
Remediation priorities
Priority · Pillar · Action
§4 · Mandate Preview @ainumbers.co/dora-gap-v1

AP2 output

Schema includes the pillar matrix, Article 28 concentration metrics, and an ordered remediation roadmap an agentic compliance runtime can execute against.

AP2 v1.0 · valid · @ainumbers.co/dora-gap-v1
RegTech

Turning a compliance clock into an operating plan?

We help institutions operationalize obligations like DORA, MiCA, the EU AI Act, CFPB §1033 and AML — past the checklist and into production. Tell us what's on your enforcement calendar.

Talk to our team →
Post Oak Labs · production deployments in the Caribbean & South Asia · works with a limited number of institutions at a time