From onboarding to a deposit-ready register.
tprm.mlab.sh structures the full third-party risk lifecycle into four stages. Each one feeds the next — and all of them feed the DORA register of information. Here's exactly what happens at every step.
One platform, one continuous flow
Every provider you register, every risk you score and every contract you track converges into the EBA register.
Register
Onboard ICT providers with full DORA identification: category, criticality, services, data-access level and LEI.
Assess
Score risk across five dimensions, run B_07.01 service assessments and analyse concentration.
Contract
Track arrangements, verify the Article 30 clause checklist, map subcontracting and exit strategies.
Report
Generate the 15 EBA ITS templates, validate the register and produce the deposit-ready xBRL-CSV package.
Onboard every ICT provider, the DORA way
The provider record is the root of the whole register. Get the identification right once, and templates B_01.* and B_05.01 fill themselves.
Provider profile
Name, category, criticality (critical / important / standard), status, contact, services provided and data-access level — the operational picture of every third party.
DORA identification (B_05.01)
LEI plus identification-code type (LEI / National code / EUID / CRN / VAT / Passport, eba_qCO:), person type (legal entity or individual, CT7), country of head office (ISO2 → eba_GA:) and ultimate parent LEI with its code type.
Reporting entity (B_01.01)
Your own financial entity: LEI (ISO 17442), name, country, entity type (CT6, 22 eba_CT: codes), competent authority and the register reference date.
Scope & branches (B_01.02 / B_01.03)
Group entities within the consolidation scope — type (CT61), group hierarchy (RP8), direct parent LEI, asset values — and the branches of those entities, each with its identification code and country.
Output: a clean, fully identified provider in the register, ready to be assessed and contracted.
Score it, don't guess it
Every provider gets a defensible, repeatable risk score — with history, review dates and the DORA service-level assessment that drives template B_07.01.
A global score from 1 to 100 rolls up five category scores:
Five-dimension scoring
Score operational, security, compliance, financial and concentration risk independently. Status moves draft → in progress → completed → overdue, with an assessment date, next-review date, detailed findings and recommendations — all kept in a per-provider history.
ICT-service assessment (B_07.01)
The DORA fields that matter: provider substitutability (ZZ110) and reason (ZZ111), last-audit date, reintegration possibility (ZZ112), discontinuity impact (ZZ113), identified alternative providers (BT13) and the alternative's identification. Exit-plan existence is derived automatically from the provider's exit strategies.
Concentration risk
Analyse dependency concentration by category (doughnut + table) and by geography (bar + table). Thresholds flag the danger zones: >50% high, >30% medium, <30% low — so you see where you're over-exposed before a regulator does.
Due diligence & audits
Pre-contractual due diligence under Art. 28(4) — critical-function support, supervision conditions, concentration, conflicts of interest, suitability, information security, business continuity, exit strategy — plus audit-right tracking under Art. 28(5-6): audit types, findings severity, corrective actions and deadlines.
Output: a scored, audited provider with a complete B_07.01 service assessment.
Contracts that feed the register directly
The contract record is wired straight into templates B_02.01/02/03, B_03.01/03 and B_04.01. Fill it once; the register stays correct.
Contractual arrangements
Mandatory unique contract reference (the register key), arrangement type (CO1: standalone / overarching / subsequent, eba_CO:), currency (eba_CU:), annual cost and total value — feeding B_02.01.
DORA specifics (B_02.02)
Entity/provider notice periods, governing-law country, country of provision, data storage and locations (at rest / processing), data sensitivity (ZZ92), reliance level (ZZ91) and termination reason (CO2).
Signing & using entities
Signing entity (B_03.01), the group entity providing the service (B_03.03) and the entity making use of the service with its branch / non-branch nature (B_04.01).
Article 30 checklist
Art. 30(2) clauses for every contract (service description, subcontracting, data location, protection, access & recovery, incident support, authority cooperation, termination, security training) and Art. 30(3) clauses for critical functions (continuity, TLPT participation, audit rights, exit strategy).
SLAs & expiration alerts
Track start, end and renewal dates with statuses (draft, active, expired, renewed, terminated) and automatic 90-day expiration alerts — no contract slips through silently.
Subcontracting & exits
Map subcontracting chains (B_05.02) with rank, ICT service type (TA4, eba_TA:S01–S19) and processing country, and document exit strategies under Art. 30 with versioning and test dates.
Output: a compliant contract record powering five EBA templates and the Art. 30 checklist.
A register you can deposit
Everything from the previous three stages aggregates into the DORA register of information required by Article 28(3) — consolidated, validated and packaged.
- DORA register (Art. 28(3)): an aggregated view of every provider — criticality, status, last assessment, risk score, contract status and exit-plan existence — with CSV export and direct print.
- 15 EBA ITS templates: B_01.01 through B_99.01 generated from your data with controlled eba_* codes, each previewable as its c00xx column table.
- Register validation: referential integrity (contract / provider / function keys), formats (LEI 20 chars, dates yyyy-mm-dd, EBA codes), mandatory fields and uniqueness — an errors / warnings / infos report per template.
- Deposit package: the official xBRL-CSV .zip, ready to file.
Output: a validated register and a single .zip you hand to your regulator.
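The register-validation checks listed above (LEI format, yyyy-mm-dd dates, contract-to-provider referential integrity, unique contract references) can be sketched as follows; this is an added example, not tprm.mlab.sh code. The field names, the assignment of each finding to a template code and the sample rows are assumptions, and the LEI check goes one step past the 20-character rule by also verifying the ISO 17442 check digits.

```python
import re
from datetime import date

def _digits(s):  # ISO 17442: 0-9 stay as they are, A-Z become 10-35
    return "".join(str(int(c, 36)) for c in s)

def lei_check_digits(prefix18):
    """ISO 7064 MOD 97-10 check digits for an 18-character LEI prefix."""
    return f"{98 - int(_digits(prefix18 + '00')) % 97:02d}"

def lei_ok(lei):
    well_formed = re.fullmatch(r"[0-9A-Z]{18}[0-9]{2}", lei or "")
    return bool(well_formed) and int(_digits(lei)) % 97 == 1

def date_ok(value):
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value or ""):
        return False
    try:
        return date.fromisoformat(value) is not None  # rejects 2025-02-30
    except ValueError:
        return False

def validate(providers, contracts):
    """Return (severity, template, message) findings; field names are assumed."""
    findings, known, seen = [], set(), set()
    for p in providers:
        if lei_ok(p.get("lei")):
            known.add(p["lei"])
        else:
            findings.append(("error", "B_05.01", f"invalid LEI {p.get('lei')!r}"))
    for c in contracts:
        ref = c.get("contract_ref")
        if not ref or ref in seen:  # mandatory and unique register key
            findings.append(("error", "B_02.01", f"missing or duplicate reference {ref!r}"))
        seen.add(ref)
        if c.get("provider_lei") not in known:  # referential integrity
            findings.append(("error", "B_02.01", f"{ref}: provider not in B_05.01"))
        if not date_ok(c.get("start_date")):
            findings.append(("error", "B_02.01", f"{ref}: start date is not yyyy-mm-dd"))
    return findings

# Constructed sample rows: the LEI prefix, references and dates are made up.
GOOD_LEI = "529900EXAMPLE00000" + lei_check_digits("529900EXAMPLE00000")
PROVIDERS = [{"lei": GOOD_LEI}, {"lei": "TOO-SHORT"}]
CONTRACTS = [
    {"contract_ref": "CA-001", "provider_lei": GOOD_LEI, "start_date": "2025-01-17"},
    {"contract_ref": "CA-001", "provider_lei": GOOD_LEI, "start_date": "17/01/2025"},
    {"contract_ref": "CA-002", "provider_lei": "TOO-SHORT", "start_date": "2025-02-30"},
]
```

Calling `validate(PROVIDERS, CONTRACTS)` returns five error findings: one malformed LEI, one duplicate reference, one dangling provider key and two bad dates.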
Run the full lifecycle on your own infrastructure.
Register, assess, contract and report — free tier included, up in under 5 minutes.