ICT Third-Party Vendor Assessor
Regulatory anchor: DORA Art. 28 / 29 / 30
Pulls a third-party vendor through the DORA assessment workflow. Classifies criticality (Art. 28), scores concentration risk (Art. 29), reviews exit plans (Art. 30), flags sovereignty concerns against BSI-Grundschutz, and produces a GO / CAUTION / PIVOT recommendation. Every finding carries its regulatory citation so the compliance team can defend the verdict in the next audit.
Agent topology
3 levels · 5 agentsDecomposes the vendor assessment into regulatory + operational tracks, sequences the sub-leads, and produces the final recommendation with citations.
Owns DORA Art. 28 and Art. 29 evaluation. Sequences the criticality and concentration analysts and forwards a structured finding.
Reads the vendor profile + bank's process-impact map. Decides DORA Art. 28 criticality (critical / important / supporting).
compliance.vendor_assessCounts other critical processes on this vendor / parent group. Scores concentration risk per DORA Art. 29.
compliance.concentration_checkOwns DORA Art. 30 and the data-sovereignty review. Sequences the exit-plan reviewer and the sovereignty auditor.
Checks whether a documented + tested exit / substitutability plan exists per DORA Art. 30. Flags missing or stale artefacts.
Cross-checks data-residency, sub-processor list and encryption against BSI-Grundschutz baseline and DSGVO Art. 28.
Builds the citation pack — exact article, paragraph, one-sentence quote — for every finding from both leads. Makes the assessment audit-ready.
compliance.citations_lookup