Critical DORA classification. Exit plan and US sub-processor flags require remediation before contract renewal.
NorthCloud GmbH provides infrastructure for the core banking system, which classifies as a critical ICT third-party under DORA Art. 28. Concentration risk is moderate (single-region dependency in Frankfurt eu-central-1). The exit plan exists but is older than 24 months and was last tested in 2023. Two US-based sub-processors raise data-sovereignty concerns under DSGVO Art. 28.
Output
Criticality classification
NorthCloud GmbH is classified CRITICAL under DORA Art. 28(3) because the managed Kubernetes service supports the core banking system. A 4-hour disruption would breach the bank's RTO of 2 hours for P1 processes.
Concentration risk
Score 6/10 (moderate). 4 critical workloads currently run on NorthCloud across two regions, with no multi-vendor failover. Recommended action: introduce a documented multi-vendor strategy for at least one of the 4 workloads within 12 months.
Exit plan
An exit plan exists (revision 2023-08) but has not been tested for 24+ months. DORA Art. 30(3)(e) requires periodic testing. Required action: schedule and document an exit-plan dry-run within Q3 2026.
Data sovereignty
Two US-based sub-processors are listed (NorthCloud Support LLC, NorthCloud Analytics Inc.). Standard Contractual Clauses are in place but the transfer impact assessment from 2022 predates the EU-US Data Privacy Framework. Required action: refresh the TIA against the current framework before the next contract milestone.
Final recommendation
CAUTION — proceed with contract renewal contingent on (a) documented exit-plan testing schedule by Q3 2026, and (b) refreshed transfer impact assessment by end of Q2 2026. Both items are tracked in the open-issues register.
Reasoning timeline
Task: Classify NorthCloud GmbH against DORA Art. 28 criticality criteria using the bank's process-impact map.
CRITICAL — the service supports the core banking system (process category P1) and a 4h+ disruption would breach the bank's recovery time objective.
“ICT services supporting critical or important functions … shall be subject to enhanced contractual and oversight requirements.”
Task: Score concentration risk per DORA Art. 29 using the third-party register.
MODERATE — 4 critical workloads already run on NorthCloud (3 in eu-central-1, 1 in eu-west-3). No multi-vendor backup is in place. Score 6 / 10.
“Financial entities shall assess whether the conclusion of contractual arrangements … leads to concentration risk.”
Task: Check the documented exit plan for DORA Art. 30 compliance.
GAP — Exit plan exists (rev. 2023-08) but has not been tested in the last 24 months. DORA requires periodic testing. Document the testing schedule before renewal.
“Financial entities shall include in the contractual arrangements … exit strategies, including a transition period.”
Task: Cross-check sub-processor list, data residency, and encryption posture.
FLAG — Two US sub-processors (NorthCloud Support LLC and NorthCloud Analytics Inc.) process metadata. Standard Contractual Clauses are in place but transfer impact assessment is from 2022 and predates the EU-US Data Privacy Framework.
“The processor shall not engage another processor without prior specific or general written authorisation of the controller.”
“Daten dürfen nur in Drittländer übertragen werden, wenn ein angemessenes Datenschutzniveau gewährleistet ist.”
Task: Assemble the final citation pack from all sub-findings.
Citation pack assembled — 4 unique regulatory references, all traceable to source paragraphs.
Task: Compose the final recommendation and rationale.
Verdict: CAUTION. Critical vendor classification confirmed, concentration risk is workable but two remediations required before contract renewal.