DORA Article 28 Architecture: Third-Party ICT Risk Controls Across CI/CD and Cloud

by

DORA Article 28 requires regulated organizations to treat ICT third-party providers as part of their operational risk perimeter. In practice, this means your CI/CD and cloud delivery chain must be designed so that:

  • third-party services are identified and classified,
  • contracts and controls are enforceable,
  • risks are monitored continuously,
  • and auditors can verify evidence (not statements).

This page provides a practical architecture view: where third-party dependencies sit, which controls apply, and what evidence you should be able to produce.

The real CI/CD supply chain under DORA

Even for “internal” delivery, enterprise pipelines typically rely on external services:

  • Source code hosting (Git SaaS / managed Git)
  • CI/CD orchestration (SaaS or managed CI platform)
  • Runners / build execution (self-hosted or managed runners)
  • Artifact & container registries
  • Dependency ecosystem (packages, mirrors, SBOM generators)
  • Cloud runtime / managed platforms
  • Observability (logs, traces, SIEM)
  • ITSM / ticketing / approvals tooling (change management)

Article 28 applies because each of these suppliers can affect:

integrity (supply chain), availability (delivery), confidentiality (secrets), and auditability (evidence).

DORA Article 28 Architecture (CI/CD + Cloud Third-Party Risk) Architecture view mapping CI/CD and cloud delivery stages to third-party ICT providers, with DORA Article 28 cross-cutting controls and expected evidence. DORA Article 28 Architecture Third-party ICT risk controls across CI/CD and cloud delivery (inventory • contracts • monitoring • exit • evidence). ARTICLE 28 CROSS-CUTTING CONTROLS Supplier inventory & criticality Contract clauses Subprocessors Monitoring Exit strategy INTERNAL DELIVERY CHAIN (YOUR CONTROL PLANE) THIRD-PARTY ICT PROVIDERS (ARTICLE 28 SCOPE) EXPECTED EVIDENCE (AUDIT-READY OUTPUTS) 1. PLAN Threat model • Risk Third-party risk assessment 2. CODE PR • Review Access + SoD boundaries 3. BUILD CI • Artifacts SCA + SBOM + Signing 4. TEST QA • Staging Security validation gates 5. RELEASE Approvals • Policy Contract-backed enforcement 6. DEPLOY & RUN Cloud • Runtime Monitoring + incident evidence Git / Source Hosting (SaaS) Identity • Branch protection • Audit logs CI/CD Platform + Runners Build isolation • Token scope • Runner governance Registries + Dependencies Artifacts • Containers • Mirrors • SBOM tooling Cloud Runtime + Observability Availability • DR • Logs/Traces • SIEM integration Supplier inventory + tiering Contract clauses + audit rights SBOM + provenance + signing Access logs + pipeline audit trails Exit plan + DR/BCP test evidence
Figure: DORA Article 28 architecture — where third-party ICT providers sit, which controls apply, and what evidence must be produced.

This architecture is intentionally control-driven. It does not describe tools, but responsibilities, enforceable controls, and auditable evidence as expected under DORA Article 28.

Architecture principles for Article 28 compliance

1) Treat third-party tooling as production-grade assets

CI/CD platforms and registries must follow production rules: hardening, access control, logging, monitoring, and tested continuity.

2) Make contracts enforce controls

You need contract clauses that enable (or at least support): audit rights, incident notification, evidence retention, data processing transparency, and exit strategies.

3) Evidence must be designed, not “collected later”

Evidence should be generated by the platform and retained automatically:

logs, approvals, SBOM/provenance, access records, incident timelines, and exit tests.

What auditors typically ask for (Article 28 lens)

Auditors usually want to see:

  • a clear supplier inventory (classified by criticality),
  • contract excerpts demonstrating required clauses,
  • ongoing monitoring (not annual checkboxes),
  • evidence of subprocessor visibility,
  • and a realistic exit plan (with testing, not just a PDF).

How this architecture maps to concrete controls and evidence

This architecture is the foundation for the following practical guides:

Audit-ready context

Written for regulated environments: controls before tools, policy enforcement in CI/CD, and evidence-by-design for audits.

Focus areas include traceability, approvals, exception governance, and evidence retention across build, release, and operations.

See methodology on the About page.