Glossary

DORA and TPRM terms used across the product.

DORA

The Digital Operational Resilience Act (Regulation (EU) 2022/2554). Pillar IV governs ICT third-party risk — the scope tprm.mlab.sh implements.

TPRM

Third-Party Risk Management. The discipline of identifying, assessing and monitoring risk arising from external service providers.

ICT third-party service provider

An undertaking providing ICT services to a financial entity. Each one is recorded as a provider and feeds template B_05.01.

LEI

Legal Entity Identifier (ISO 17442) — a 20-character code uniquely identifying a legal entity. Mandatory for the reporting entity and used throughout the register.

EBA ITS

The European Banking Authority's Implementing Technical Standards. They define the register's structure: 15 templates (B_01.01 … B_99.01) under Reporting Framework 4.0.

Register of information

The consolidated record of all ICT third-party contractual arrangements required by DORA Article 28(3). tprm.mlab.sh builds it from every module.

xBRL-CSV

The CSV-based variant of the xBRL reporting standard. The deposit package wraps the 15 CSVs with the official taxonomy metadata into a single .zip.

Controlled (EBA) code

An enumerated value from a DORA 4.0 vocabulary (eba_CT, eba_TA, eba_GA, eba_CU, etc.). Selected in the UI, emitted on export.

Concentration risk

Over-dependence on a small number of providers, categories or geographies. Analysed by category and country with thresholds (>50% high, >30% medium).
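The thresholds above can be checked mechanically once each contractual arrangement is tagged with its provider, service category and country. The following is an added illustration, not code from tprm.mlab.sh: it weights every arrangement equally (one unit per contract, an assumption of this example; a real register might weight by annual spend instead), computes each value's share along a chosen dimension and applies the page's thresholds (>50% high, >30% medium, otherwise low). The sample arrangements, provider names and category labels are constructed.

```python
from collections import defaultdict

# Thresholds from the glossary entry: strictly above 50% is high,
# strictly above 30% is medium, anything else is low.
HIGH_THRESHOLD = 0.50
MEDIUM_THRESHOLD = 0.30

# Constructed sample arrangements. Each one names the direct provider,
# a service category label and the provider's country. Weighting is one
# unit per arrangement (an assumption of this example).
SAMPLE_ARRANGEMENTS = [
    {"provider": "CloudCo",    "category": "cloud",    "country": "IE"},
    {"provider": "CloudCo",    "category": "cloud",    "country": "IE"},
    {"provider": "CloudCo",    "category": "cloud",    "country": "IE"},
    {"provider": "NordHost",   "category": "cloud",    "country": "DE"},
    {"provider": "PayFlow",    "category": "payments", "country": "DE"},
    {"provider": "DataBridge", "category": "data",     "country": "US"},
]

DIMENSIONS = ("provider", "category", "country")


def classify_share(share):
    """Map a share in [0, 1] to the page's rating bands.

    The comparisons are strict, so a share of exactly 50% is medium,
    not high, and exactly 30% is low, not medium.
    """
    if share > HIGH_THRESHOLD:
        return "high"
    if share > MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def concentration_by(arrangements, dimension):
    """Return {value: {"count", "share", "rating"}} for one dimension.

    `dimension` is one of DIMENSIONS; an empty input yields {} rather
    than a division by zero.
    """
    counts = defaultdict(int)
    for arrangement in arrangements:
        counts[arrangement[dimension]] += 1
    total = sum(counts.values())
    if total == 0:
        return {}
    return {
        value: {
            "count": count,
            "share": count / total,
            "rating": classify_share(count / total),
        }
        for value, count in counts.items()
    }


def flag_concentrations(arrangements):
    """List every (dimension, value, rating) rated medium or high,
    sorted for stable output, across providers, categories and countries."""
    flags = []
    for dimension in DIMENSIONS:
        for value, result in concentration_by(arrangements, dimension).items():
            if result["rating"] != "low":
                flags.append((dimension, value, result["rating"]))
    return sorted(flags)


if __name__ == "__main__":
    for dimension, value, rating in flag_concentrations(SAMPLE_ARRANGEMENTS):
        print(f"{dimension:9} {value:12} {rating}")
```

In the constructed sample the "cloud" category carries four of six arrangements and is rated high, while CloudCo itself and Ireland each hold exactly half and land in the medium band, which is the boundary case worth checking when implementing strict ">" thresholds.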

RTO / RPO

Recovery Time Objective and Recovery Point Objective — how quickly a function must recover and how much data loss is tolerable. Captured per business function.

Exit strategy

A documented plan to wind down or substitute a critical ICT dependency, including test dates and versioning. Required under Article 30 for critical/important functions.

Subcontracting chain

The cascade of subcontractors behind a direct provider, ranked by tier (rank 1 = direct, rank 2+ = indirect). Mapped in template B_05.02.

Critical / important function

A function whose disruption would materially impair the financial entity's operations or regulatory compliance. Drives the Art. 30(3) clause requirements.

Article 28

DORA's general principles for ICT third-party risk — including due diligence (28(4)), audit rights (28(5-6)) and the register of information (28(3)).

Article 30

DORA's mandatory contractual provisions. 30(2) clauses apply to all contracts; 30(3) clauses add requirements for critical/important functions.

Due diligence

The pre-contractual assessment of a prospective provider (criticality, supervision, concentration, security, continuity, exit) under Article 28(4).

RBAC

Role-based access control. tprm.mlab.sh uses a 12-bit permission model spanning team, providers, contracts, assessments, incidents, register/compliance and settings.

Grace period

The 48-hour window during which a cached license keeps the instance running if mlab.sh is unreachable. See Licensing.