Skip to main content
For FCA-authorised UK fintech

DORA Article 28 —
Register, TIA, Sanctions, Done

Built for the fintech CISO whose CTO walks in on Tuesday afternoon asking to onboard a vendor by Friday. The platform assembles the third-party risk register, runs the sanctions screening, drafts the Schrems II TIA, and queues the chase-up emails — while you actually read the SOC 2 cover to cover.

Tuesday 14:22. The CTO walks in. The CISO opens a third tab. A fourth tab. A fifth. Twelve pages. Forty pages. Three new vendors last month, two audit reports overdue, one SOC 2 expiring.

"Friday." The CTO is still in the doorway.

We built the platform for exactly this conversation.

Article 28 Register — Auto-Maintained

Every ICT third-party provider catalogued: services received, criticality tier, location of data processing, sub-contractors, contract clauses present. The register updates when a vendor signs a new SCC or expires a SOC 2.

Schrems II TIA — Drafted, Not Templated

For each non-EU vendor we draft the Transfer Impact Assessment with the actual jurisdictional surveillance analysis (Mumbai, Singapore, Tel Aviv, US east-coast). You review and sign.

Sanctions + Adverse Media — Live

OFSI Consolidated List + EU Sanctions + OFAC SDN + UK NCA red-flag database, screened on every new vendor and re-checked weekly. Hits surface as inbox tasks, not buried log lines.

SOC 2 / ISO 27001 Chase-Up

When a vendor SOC 2 expires in 30 days, we email the vendor account manager, log the request in the register, and escalate to you if no response in 14 days. Audit trail attached.

How an Engagement Runs

Day 0 — Discovery call

Twenty minutes. Bring your current vendor list (or a sample) and the most recent FCA Operational Resilience self-assessment.

Week 1 — Register ingest

We ingest your existing vendor records, normalise to DORA Article 28 fields, flag the gaps, and produce the first delta report.

Week 2-4 — Live workflow

New vendor onboarding moves to the platform. DD form + TIA + sanctions screening + criticality classification in a single audited workflow.

Ongoing — Quarterly board pack

The board report — third-party risk posture, register changes, control failures, remediation — generates automatically from the audit log.

What We Will Not Do

  • We are not an FCA-authorised firm. We are a UK-incorporated technology provider. Regulatory attestations and Senior Manager certifications remain with you and your responsible SMF.
  • We do not replace your judgement. The TIA we draft is for your review. The SOC 2 we received is for your review. You sign the register entry. You still make the call (DORA Article 1, EU AI Act Article 14).
  • We do not promise a guaranteed FCA inspection outcome. We give you an audit-ready evidence trail. The FCA examiner makes the determination.

Book a 20-Minute DORA Readiness Call

Free of charge. Bring a sample vendor list and your current register format. We will give you an honest read on automation scope and a written proposal within five business days.

Book the readiness call

SummitBridge Horizon Ltd · Companies House 16419201 · ICO ZC112810 · 71-75 Shelton Street, Covent Garden, London WC2H 9JQ · Frankfurt data residency