Payments
The e-money firm ran on three critical ICT providers and could not answer the question its regulator opened with: show us the contracts, the concentration risk and the exit plan.
DORA treats ICT third parties as a first-class risk. An entity must maintain a register of information on every ICT contractual arrangement, classify which providers support critical or important functions, hold specific contract terms, and understand concentration and exit. The EMI had outsourced the business to a handful of providers with none of that structure behind it.
Finding 01
Contracts existed, but there was no structured register a supervisor could be handed, and no link from a provider to the function it supports.
Finding 02
Nobody had decided which arrangements support critical or important functions, so a smaller SaaS tool and the core processor looked equally important.
Finding 03
Audit and access rights, subcontracting limits, incident cooperation and exit assistance were absent from key agreements.
Finding 04
Two critical functions depended on the same cloud region, with no documented view of that shared exposure.
Finding 05
There was no plan to move off the core processor if it failed or the relationship ended - the firm was locked in without knowing it.
The EMI could respond with a register of information, a criticality classification and a concentration and exit view, plus a contract-remediation list - instead of a drive full of PDFs. What supervisors do with a submission is their call; the aim was to answer the question properly.
DORA turns your vendor list into a governed register. The firms that struggle are not the ones with many providers - they are the ones who cannot say which providers would take the business down, or how they would exit.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.