DORA Article 28 —
Register, TIA, Sanctions, Done
Built for the fintech CISO whose CTO walks in on Tuesday afternoon asking to onboard a vendor by Friday. The platform assembles the third-party risk register, runs the sanctions screening, drafts the Schrems II TIA, and queues the chase-up emails — while you actually read the SOC 2 cover to cover.
Tuesday 14:22. The CTO walks in. The CISO opens a third tab. A fourth tab. A fifth. Twelve pages. Forty pages. Three new vendors last month, two audit reports overdue, one SOC 2 expiring.
"Friday." The CTO is still in the doorway.
We built the platform for exactly this conversation.
Article 28 Register — Auto-Maintained
Every ICT third-party provider catalogued: services received, criticality tier, location of data processing, sub-contractors, contract clauses present. The register updates when a vendor signs a new SCC or expires a SOC 2.
Schrems II TIA — Drafted, Not Templated
For each non-EU vendor we draft the Transfer Impact Assessment with the actual jurisdictional surveillance analysis (Mumbai, Singapore, Tel Aviv, US east-coast). You review and sign.
Sanctions + Adverse Media — Live
OFSI Consolidated List + EU Sanctions + OFAC SDN + UK NCA red-flag database, screened on every new vendor and re-checked weekly. Hits surface as inbox tasks, not buried log lines.
SOC 2 / ISO 27001 Chase-Up
When a vendor SOC 2 expires in 30 days, we email the vendor account manager, log the request in the register, and escalate to you if no response in 14 days. Audit trail attached.
How an Engagement Runs
Twenty minutes. Bring your current vendor list (or a sample) and the most recent FCA Operational Resilience self-assessment.
We ingest your existing vendor records, normalise to DORA Article 28 fields, flag the gaps, and produce the first delta report.
New vendor onboarding moves to the platform. DD form + TIA + sanctions screening + criticality classification in a single audited workflow.
The board report — third-party risk posture, register changes, control failures, remediation — generates automatically from the audit log.
What We Will Not Do
- We are not an FCA-authorised firm. We are a UK-incorporated technology provider. Regulatory attestations and Senior Manager certifications remain with you and your responsible SMF.
- We do not replace your judgement. The TIA we draft is for your review. The SOC 2 we received is for your review. You sign the register entry. You still make the call (DORA Article 1, EU AI Act Article 14).
- We do not promise a guaranteed FCA inspection outcome. We give you an audit-ready evidence trail. The FCA examiner makes the determination.
Book a 20-Minute DORA Readiness Call
Free of charge. Bring a sample vendor list and your current register format. We will give you an honest read on automation scope and a written proposal within five business days.
Book the readiness callSummitBridge Horizon Ltd · Companies House 16419201 · ICO ZC112810 · 71-75 Shelton Street, Covent Garden, London WC2H 9JQ · Frankfurt data residency