Eigen Networks·Finance & Banking
Back to ICT Third-Party Vendor Assessor
Run run-dora-vendor-001 · ICT Third-Party Vendor Assessor
CAUTION

Critical DORA classification. Exit plan and US sub-processor flags require remediation before contract renewal.

NorthCloud GmbH provides infrastructure for the core banking system, which classifies as a critical ICT third-party under DORA Art. 28. Concentration risk is moderate (single-region dependency in Frankfurt eu-central-1). The exit plan exists but is older than 24 months and was last tested in 2023. Two US-based sub-processors raise data-sovereignty concerns under DSGVO Art. 28.

Duration
31s
Tokens
11.5k
Cost
0.087
Citations
4

Output

Criticality classification

NorthCloud GmbH is classified CRITICAL under DORA Art. 28(3) because the managed Kubernetes service supports the core banking system. A 4-hour disruption would breach the bank's RTO of 2 hours for P1 processes.

Concentration risk

Score 6/10 (moderate). 4 critical workloads currently run on NorthCloud across two regions, with no multi-vendor failover. Recommended action: introduce a documented multi-vendor strategy for at least one of the 4 workloads within 12 months.

Exit plan

An exit plan exists (revision 2023-08) but has not been tested for 24+ months. DORA Art. 30(3)(e) requires periodic testing. Required action: schedule and document an exit-plan dry-run within Q3 2026.

Data sovereignty

Two US-based sub-processors are listed (NorthCloud Support LLC, NorthCloud Analytics Inc.). Standard Contractual Clauses are in place but the transfer impact assessment from 2022 predates the EU-US Data Privacy Framework. Required action: refresh the TIA against the current framework before the next contract milestone.

Final recommendation

CAUTION — proceed with contract renewal contingent on (a) documented exit-plan testing schedule by Q3 2026, and (b) refreshed transfer impact assessment by end of Q2 2026. Both items are tracked in the open-issues register.

Reasoning timeline

Criticality Classifierqwen-2.5-7b6.2s · 1720 tok

Task: Classify NorthCloud GmbH against DORA Art. 28 criticality criteria using the bank's process-impact map.

CRITICAL — the service supports the core banking system (process category P1) and a 4h+ disruption would breach the bank's recovery time objective.

DORA Art. 28 (3)

ICT services supporting critical or important functions … shall be subject to enhanced contractual and oversight requirements.

Concentration Analystqwen-2.5-7b5.8s · 1480 tok

Task: Score concentration risk per DORA Art. 29 using the third-party register.

MODERATE — 4 critical workloads already run on NorthCloud (3 in eu-central-1, 1 in eu-west-3). No multi-vendor backup is in place. Score 6 / 10.

DORA Art. 29 (1)

Financial entities shall assess whether the conclusion of contractual arrangements … leads to concentration risk.

Exit Plan Reviewerphi-4-mini4.1s · 1120 tok

Task: Check the documented exit plan for DORA Art. 30 compliance.

GAP — Exit plan exists (rev. 2023-08) but has not been tested in the last 24 months. DORA requires periodic testing. Document the testing schedule before renewal.

DORA Art. 30 (3)(e)

Financial entities shall include in the contractual arrangements … exit strategies, including a transition period.

Sovereignty Auditorphi-4-mini5.4s · 1410 tok

Task: Cross-check sub-processor list, data residency, and encryption posture.

FLAG — Two US sub-processors (NorthCloud Support LLC and NorthCloud Analytics Inc.) process metadata. Standard Contractual Clauses are in place but transfer impact assessment is from 2022 and predates the EU-US Data Privacy Framework.

DSGVO Art. 28 (3)

The processor shall not engage another processor without prior specific or general written authorisation of the controller.

BSI-Grundschutz CON.6

Daten dürfen nur in Drittländer übertragen werden, wenn ein angemessenes Datenschutzniveau gewährleistet ist.

Citation Composerphi-4-mini1.9s · 740 tok

Task: Assemble the final citation pack from all sub-findings.

Citation pack assembled — 4 unique regulatory references, all traceable to source paragraphs.

Vendor Assessment Leadgemma-3-4b-it7.6s · 2680 tok

Task: Compose the final recommendation and rationale.

Verdict: CAUTION. Critical vendor classification confirmed, concentration risk is workable but two remediations required before contract renewal.