bmad-plus 0.7.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294)
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
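Review bot: almost every entry in this 294-file list reports identical added and removed counts (`LICENSE +21 -21`, `retrospective.md +1511 -1511`, `i18n.js +763 -763`, and the `@@ -1,349 +1,349 @@` hunk below, which removes and re-adds every line of third-party-risk.md), which is the signature of a whitespace or line-ending normalization applied across the whole package rather than of content changes. That normalization hides the substantive edits in this release, which are the entries whose counts differ: CHANGELOG.md, README.md and the readme-international files, `osint/scripts/apify.py +266 -260`, `package.json +62 -57`, `module.yaml +283 -280`, `tools/cli/commands/autoconfig.js +498 -489` and `tools/cli/commands/scan.js +360 -350`; suggest shipping the normalization as its own release, or at least reviewing this one with whitespace ignored, so that the package.json and CLI changes get a real look. Two further points from the list: the new `src/bmad-plus/packs/pack-seo/*`, `packs/pack-animated/*` and `packs/pack-backup/*` entries are added with exactly the line counts of the existing `agents/pack-seo/*`, `agents/pack-animated/*` and `agents/pack-backup/*` files (`SKILL.md +171 -0` beside `SKILL.md +171 -171`, `animated-website-agent.md +325 -0` beside `+325 -325`), so these agent prompt files are copied rather than moved and will drift unless one copy is removed or the installer is documented as reading only one path; and LICENSE being rewritten in full should be confirmed byte-identical apart from line endings before this is published.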
@@ -1,349 +1,349 @@
1
- # DORA — ICT Third-Party Risk Management Reference
2
-
3
- Chapter V, Articles 28–44, Regulation (EU) 2022/2554.
4
- Key implementing measures: CDR (EU) 2024/1773, CIR (EU) 2024/2956, CDR (EU) 2025/532,
5
- CDR (EU) 2024/1502, CDR (EU) 2024/1505, CDR (EU) 2025/295, CDR (EU) 2025/420.
6
-
7
- ---
8
-
9
- ## Overview: Two-Track Structure
10
-
11
- Chapter V operates on two parallel tracks:
12
-
13
- **Track 1 — Entity-level obligations (Art. 28–30):**
14
- Every financial entity must manage its own ICT third-party risks — regardless of
15
- whether its TPSPs are designated critical.
16
-
17
- **Track 2 — Systemic oversight of designated CTPPs (Art. 31–44):**
18
- ESAs designate and oversee ICT TPSPs that are systemically important to the
19
- EU financial sector. This is a supervisory regime, not an entity-level compliance task.
20
-
21
- ---
22
-
23
- ## Art. 28 — General Principles for ICT Third-Party Risk
24
-
25
- ### Art. 28(1) — ICT Third-Party Risk Policy
26
- Every financial entity must adopt, regularly review, and update an **ICT third-party
27
- risk policy** covering:
28
- - Objectives and principles for managing ICT third-party risk
29
- - Criteria for identifying critical and important functions (CIF) vs. non-critical
30
- - Pre-contractual due diligence requirements
31
- - Contract lifecycle management (onboarding, monitoring, exit)
32
- - ICT concentration risk management
33
- - Governance roles and responsibilities
34
-
35
- **Key RTS:** CDR (EU) 2024/1773, Art. 1–12 (detailed policy content)
36
-
37
- ### Art. 28(2) — Maintaining the Register of Information
38
- Financial entities must maintain and update the **Register of Information** (RoI)
39
- covering **all** ICT service arrangements (not only those supporting critical
40
- functions). See the Register of Information section below for full field details.
41
-
42
- ### Art. 28(3) — Annual Submission of Register of Information
43
- The RoI must be submitted to the competent authority **at least annually** and
44
- upon specific request. The submission format follows CIR (EU) 2024/2956 templates.
45
-
46
- ### Art. 28(4) — Pre-Contractual Due Diligence
47
- Before entering any new ICT service arrangement supporting a critical or important
48
- function, financial entities must:
49
- - **(a)** Assess whether the ICT service arrangement supports a critical or important function
50
- - **(b)** Assess the risks of the arrangement, including ICT concentration risk
51
- - **(c)** Carry out appropriate due diligence on prospective ICT TPSPs
52
-
53
- The due diligence must be documented and commensurate with the criticality of
54
- the function.
55
-
56
- ### Art. 28(5) — Ongoing Monitoring of ICT TPSPs
57
- - Monitor the performance, security posture, and compliance of ICT TPSPs
58
- throughout the contract lifecycle
59
- - Conduct regular reviews aligned with the contract terms and risk profile
60
- - Verify that ICT TPSPs continue to meet agreed service levels and security standards
61
-
62
- ### Art. 28(6) — ICT Concentration Risk Assessment
63
- Financial entities must:
64
- - Assess the **concentration risk** arising from reliance on a single or limited
65
- number of ICT TPSPs for critical functions
66
- - Determine whether the failure or unavailability of any TPSP would threaten the
67
- entity's ability to maintain critical functions
68
- - Document this assessment and factor it into risk appetite and strategy
69
-
70
- **Common scenario:** A bank using a single hyperscaler (e.g., one major cloud
71
- provider) for core banking, treasury, and fraud detection creates high concentration
72
- risk even if the TPSP is not designated critical.
73
-
74
- ### Art. 28(7) — Exit Strategy
75
- For each ICT arrangement supporting a critical or important function, financial entities must:
76
- - Develop and maintain an **exit strategy** covering:
77
- - Conditions and triggers for exit
78
- - Minimum notice period required to migrate services
79
- - Data portability and return procedures
80
- - Transition assistance obligations of the departing TPSP
81
- - Test exit strategies periodically (frequency: risk-based)
82
-
83
- ---
84
-
85
- ## Art. 29 — Preliminary Assessment of ICT Concentration Risk
86
-
87
- Before entering a new arrangement that would cause an entity's concentration in
88
- a single TPSP to increase for critical functions:
89
- - Conduct a specific **concentration risk assessment**
90
- - Document the assessment outcome and risk mitigation measures (if any)
91
- - Consider the systemic implications if the concentrated TPSP were to fail
92
-
93
- This is a transaction-specific obligation (triggered by entering a new arrangement)
94
- rather than an ongoing monitoring obligation (which is covered by Art. 28(6)).
95
-
96
- ---
97
-
98
- ## Art. 30 — Key Contractual Provisions
99
-
100
- ### Scope: When does Art. 30(2) apply?
101
-
102
- Art. 30(2) applies to contracts for ICT services that support **critical or important
103
- functions**. A lighter set of provisions applies to non-critical arrangements
104
- (Art. 30(3)).
105
-
106
- ### Critical or Important Function (CIF)
107
-
108
- A function is critical or important if its disruption would:
109
- - Materially impair the financial entity's compliance with legal obligations
110
- - Materially impair its financial performance, or
111
- - Materially impair the soundness or continuity of its services
112
-
113
- The criteria for identifying CIF are further specified in CDR (EU) 2024/1773.
114
-
115
- ### Mandatory Contractual Provisions — Art. 30(2)(a)–(i)
116
-
117
- | Provision | DORA Requirement |
118
- |-----------|-----------------|
119
- | **(a)** Service description | Clear and complete description of the ICT services to be provided |
120
- | **(b)** Data locations | Location(s) where services will be provided and data stored/processed, including notification obligations if locations change |
121
- | **(c)** Data protection | Provisions ensuring data protection; compliance with applicable data protection law (GDPR where applicable) |
122
- | **(d)** Availability, authenticity, integrity, security | Service level specifications; security standards; incident response obligations of the TPSP |
123
- | **(e)** Audit and access rights | **Full and unrestricted audit rights** for the financial entity, its competent authorities (including ECB for significant institutions), and resolution authorities — including on-site inspection rights at the TPSP's premises |
124
- | **(f)** Termination rights | Conditions under which the financial entity may terminate; minimum notice periods; the TPSP's obligation to provide transition services |
125
- | **(g)** Reporting and monitoring | ICT incident reporting by the TPSP to the financial entity; performance monitoring; regular service reviews |
126
- | **(h)** Data portability and migration | On termination, the TPSP must provide all data in machine-readable format; migration assistance; data deletion certification |
127
- | **(i)** Sub-contracting | Conditions under which the TPSP may sub-contract ICT services; prior written consent requirement; equivalent contractual provisions in sub-processor contracts; right to audit sub-processors |
128
-
129
- **Key RTS:** CDR (EU) 2024/1773 specifies the detailed content of each provision.
130
- **Key RTS:** CDR (EU) 2025/532 specifies sub-contracting provisions in detail.
131
-
132
- ### The Audit Rights Problem (Art. 30(2)(e))
133
-
134
- The most common contractual gap: large cloud providers offer only third-party
135
- audit reports (e.g., SOC 2, ISO 27001 certificates) rather than direct audit
136
- rights. DORA Art. 30(2)(e) requires:
137
- - **Full and unrestricted** audit rights for the financial entity
138
- - **Access rights for competent authorities** — including the right to inspect
139
- the TPSP's premises
140
-
141
- ESA guidance has clarified that:
142
- - Pooled or third-party audits (SOC 2, ISO 27001 certification) may partially
143
- satisfy the **entity's own audit right** where direct audit is genuinely
144
- impracticable at hyperscale TPSPs — but only if the entity documents in writing
145
- why direct audit is impracticable and confirms the pooled audit outputs are
146
- meaningful and sufficient
147
- - Financial entities must still document their assessment of why pooled audits
148
- are acceptable and ensure they receive meaningful, entity-specific outputs
149
- - **The competent authority's (and resolution authority's) on-site inspection
150
- right under Art. 30(2)(e) is NON-WAIVABLE.** Even where the entity accepts
151
- pooled audits, the contract must contain an express, unconditional clause
152
- preserving the competent authority's right to inspect the TPSP's premises
153
- directly. A clause that routes the authority's access through the TPSP's
154
- third-party audit programme does NOT satisfy Art. 30(2)(e). This is a common
155
- failure in standard cloud provider contracts.
156
- - Acceptance of pooled audits must be documented with a written risk acceptance
157
- approved at an appropriate governance level (e.g., CRO or board)
158
-
159
- ### Lighter Provisions for Non-Critical Arrangements (Art. 30(3))
160
-
161
- For ICT service arrangements that do not support critical or important functions:
162
- - Service description
163
- - Data locations
164
- - Basic availability and security commitments
165
- - Incident notification obligations
166
- - Exit/termination provisions
167
-
168
- Full Art. 30(2) provisions are not required.
169
-
170
- ### Art. 30(4) — Review Before Renewal
171
-
172
- Before renewing any contract for ICT services supporting critical functions,
173
- financial entities must review whether:
174
- - Service levels remain adequate
175
- - Audit and access rights remain exercisable
176
- - Exit strategy remains viable
177
- - New risks (concentration, substitutability) have emerged
178
-
179
- ---
180
-
181
- ## Register of Information — Complete Field Reference (CIR (EU) 2024/2956)
182
-
183
- ### When to Maintain and Submit
184
-
185
- - **Ongoing maintenance:** Update when new arrangements are entered, modified,
186
- or terminated; when sub-processors change; when data locations change
187
- - **Annual submission:** At least annually to the competent authority
188
- - **On-demand submission:** Upon specific request from competent authority or ESA
189
- (for the oversight framework of CTPPs under Art. 31)
190
-
191
- ### Complete Field Set
192
-
193
- The RoI is structured around **arrangements** — each row represents one ICT
194
- service arrangement.
195
-
196
- | Field | Field Name (CIR 2024/2956) | Description |
197
- |-------|---------------------------|-------------|
198
- | 1 | Reporting entity LEI | Legal Entity Identifier of the financial entity |
199
- | 2 | Reporting entity name | Legal name |
200
- | 3 | Reporting entity type | Regulated entity type (credit institution, insurer, etc.) |
201
- | 4 | Arrangement reference | Unique internal reference for this arrangement |
202
- | 5 | Arrangement type | Type (outsourcing, SaaS, IaaS, PaaS, data services, etc.) |
203
- | 6 | TPSP legal name | Legal name of the ICT third-party service provider |
204
- | 7 | TPSP LEI | LEI of the TPSP |
205
- | 8 | TPSP country of establishment | Country (ISO 3166-1 alpha-2) |
206
- | 9 | TPSP within group? | Is the TPSP part of the same corporate group as the entity? |
207
- | 10 | ICT service type | Nature of services (per CIR classification codes) |
208
- | 11 | ICT service description | Free-text description of specific services |
209
- | 12 | Critical or important function (CIF)? | Y/N — does this arrangement support a CIF? |
210
- | 13 | Function identifier | Reference to the function(s) supported |
211
- | 14 | Function description | Description of the supported function |
212
- | 15 | Data types processed | Classification of personal/non-personal data processed |
213
- | 16 | Data sensitivity | Sensitivity level of data (e.g., customer PII, financial data) |
214
- | 17 | Primary data storage location | Country(ies) where data is primarily stored |
215
- | 18 | Secondary/backup data storage location | Country(ies) where backup data is stored |
216
- | 19 | Contract start date | Effective date of the arrangement |
217
- | 20 | Contract end date or rolling | End date or indication of indefinite/rolling |
218
- | 21 | Notice period for termination | Minimum notice period (in days) |
219
- | 22 | Sub-processors used? | Y/N — does the TPSP sub-contract any services? |
220
- | 23 | Sub-processor names and LEIs | Name and LEI of each sub-processor |
221
- | 24 | Sub-processor data locations | Country(ies) of data processing by sub-processors |
222
- | 25 | Substitutability assessment | High / Medium / Low — ease of replacing this TPSP |
223
- | 26 | Exit strategy reference | Reference to the exit strategy document for this arrangement |
224
- | 27 | Last due diligence date | Date of most recent due diligence assessment |
225
- | 28 | Audit rights exercisable? | Y/N — can audit rights be exercised per contract? |
226
- | 29 | Audit method | Direct audit / pooled audit / third-party certification |
227
-
228
- ### Register of Information — Key Points
229
-
230
- 1. **All arrangements, not just critical ones.** The RoI covers every ICT service
231
- arrangement, not only those supporting critical or important functions. The
232
- criticality flag (field 12) distinguishes them within the register.
233
-
234
- 2. **Sub-processors must be captured.** For each arrangement, the full chain of
235
- sub-processors must be identified (fields 22–24). This is frequently incomplete
236
- in practice.
237
-
238
- 3. **Not a static document.** The RoI must be updated throughout the year as
239
- arrangements change; the annual submission is a snapshot of the current state.
240
-
241
- 4. **LEIs are mandatory.** Both the reporting entity and all TPSPs must have LEIs.
242
- Where a TPSP does not have an LEI, the entity should document this and use
243
- the TPSP's national business registration number as an alternative.
244
-
245
- ---
246
-
247
- ## ICT Concentration Risk — Practical Assessment
248
-
249
- ### What constitutes concentration risk under DORA?
250
-
251
- **Horizontal concentration:** Multiple critical functions supported by a single TPSP
252
- (e.g., core banking, fraud detection, and AML all on the same cloud provider).
253
-
254
- **Sectoral concentration:** Many financial entities within the EU using the same
255
- TPSP for critical functions — creating systemic risk even if each entity's own
256
- dependency appears manageable.
257
-
258
- **Geographic concentration:** All data and processing in a single geographic region
259
- or data centre cluster, creating correlated failure risk.
260
-
261
- ### Concentration Risk Assessment Template
262
-
263
- For each TPSP supporting critical functions, assess:
264
-
265
- | Assessment Area | Question | Rating (H/M/L) |
266
- |----------------|----------|----------------|
267
- | Dependency depth | How many critical functions depend on this TPSP? | |
268
- | Substitutability | Could this service be replaced within the entity's recovery time objectives? | |
269
- | Contractual exit | Is there a viable exit path with adequate notice period and data portability? | |
270
- | Financial stability | Is there material risk of the TPSP becoming insolvent or discontinuing the service? | |
271
- | Geographic diversification | Are services provided from geographically diverse infrastructure? | |
272
- | Regulatory enforceability | Are audit and competent authority access rights practically exercisable? | |
273
-
274
- A TPSP rated High on any two or more areas should be treated as a concentration
275
- risk concern requiring mitigation action.
276
-
277
- ---
278
-
279
- ## Oversight Framework for Critical ICT TPSPs (Art. 31–44)
280
-
281
- ### Designation of Critical ICT TPSPs (Art. 31)
282
-
283
- ESAs (EBA, ESMA, EIOPA) jointly designate ICT TPSPs as **critical** based on
284
- CDR (EU) 2024/1502 criteria. The designation process:
285
-
286
- 1. Financial entities submit their RoI annually
287
- 2. ESAs aggregate RoI data to map TPSP dependencies across the EU financial sector
288
- 3. ESAs apply CDR 2024/1502 criteria to assess systemic importance
289
- 4. Designated CTPPs are notified and published
290
- 5. ICT TPSPs not established in the EU that serve EU financial entities must
291
- designate an EU-established legal representative (Art. 31(11))
292
-
293
- ### Lead Overseer Assignment (Art. 32)
294
-
295
- Each designated CTPSP is assigned a **Lead Overseer** — one of EBA, ESMA, or EIOPA
296
- — based on the predominant type of financial entity served. The Lead Overseer
297
- coordinates with other ESAs via the **Joint Oversight Network (JON)**.
298
-
299
- **Joint Examination Teams (JETs):** Per CDR (EU) 2025/420, JETs are assembled
300
- from Lead Overseer and national authority staff to conduct on-site and off-site
301
- examinations of CTPPs.
302
-
303
- ### Oversight Powers (Art. 33–38)
304
-
305
- | Power | Description |
306
- |-------|-------------|
307
- | Art. 33 — Information requests | Lead Overseer can require CTTPSs to provide information, data, and documents |
308
- | Art. 34 — General investigations | Including interviews, document reviews |
309
- | Art. 35 — On-site inspections | Physical inspection of CTPSP premises and systems |
310
- | Art. 36 — Recommendations | Lead Overseer issues recommendations for improvement |
311
- | Art. 37 — Follow-up | Follow-up recommendations and potential escalation |
312
- | Art. 38 — Oversight fees | Annual fees per CDR (EU) 2024/1505 |
313
-
314
- ### What CTPSP Designation Means for Financial Entities
315
-
316
- - **No direct obligations change** for the financial entity when its TPSP is
317
- designated critical — the entity's Art. 28–30 obligations apply regardless
318
- - The Lead Overseer interacts with the **CTPSP directly**
319
- - Financial entities must cooperate with information requests from the Lead
320
- Overseer about their use of designated CTPPs (Art. 40)
321
- - Financial entities should note that oversight recommendations to a CTPSP
322
- may result in changes to service terms — monitor this
323
-
324
- ---
325
-
326
- ## Contract Review Checklist — DORA Art. 30(2) Compliance
327
-
328
- Use this checklist when reviewing existing contracts or negotiating new ones:
329
-
330
- | Clause | Required by | Present? | Gap? |
331
- |--------|------------|---------|------|
332
- | Clear service description | Art. 30(2)(a) | | |
333
- | Data location — primary and secondary | Art. 30(2)(b) | | |
334
- | Change notification for data locations | Art. 30(2)(b) | | |
335
- | GDPR/data protection provisions | Art. 30(2)(c) | | |
336
- | Service levels (availability, integrity, security) | Art. 30(2)(d) | | |
337
- | Audit rights — financial entity | Art. 30(2)(e) | | |
338
- | Audit rights — competent authority | Art. 30(2)(e) | | |
339
- | Audit rights — resolution authority | Art. 30(2)(e) | | |
340
- | Termination for cause | Art. 30(2)(f) | | |
341
- | Termination for regulatory reasons | Art. 30(2)(f) | | |
342
- | Minimum notice period on exit | Art. 30(2)(f) | | |
343
- | Incident reporting by TPSP to entity | Art. 30(2)(g) | | |
344
- | Data portability on exit | Art. 30(2)(h) | | |
345
- | Migration assistance commitment | Art. 30(2)(h) | | |
346
- | Data deletion/destruction certificate | Art. 30(2)(h) | | |
347
- | Sub-contracting — prior consent | Art. 30(2)(i) + CDR 2025/532 | | |
348
- | Sub-contracting — equivalent provisions | Art. 30(2)(i) + CDR 2025/532 | | |
349
- | Sub-processor change notification | CDR 2025/532 | | |
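Review bot: every removed line visible in this block reappears verbatim in the `+` block that follows it (`- **Common scenario:** A bank using a single hyperscaler (e.g., one major cloud` comes back character for character as `+ **Common scenario:** A bank using a single hyperscaler (e.g., one major cloud`, and the same holds for the Art. 30(2) table, the audit-rights bullets and the Register of Information field table), so this is a whole-file delete and re-add with no textual change, which is what a line-ending (CRLF to LF) or trailing-whitespace normalisation looks like. Please confirm that is the intent and, if so, normalise line endings for the Markdown files through `.gitattributes` (`*.md text eol=lf` or `* text=auto`) and land it as a separate whitespace-only change, because a full-file rewrite hides any real edit to the reference text from reviewers and from anyone comparing package versions; with the normalisation isolated, `git diff -w` on the remaining change would show whether any sentence actually moved.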
1
+ # DORA — ICT Third-Party Risk Management Reference
2
+
3
+ Chapter V, Articles 28–44, Regulation (EU) 2022/2554.
4
+ Key implementing measures: CDR (EU) 2024/1773, CIR (EU) 2024/2956, CDR (EU) 2025/532,
5
+ CDR (EU) 2024/1502, CDR (EU) 2024/1505, CDR (EU) 2025/295, CDR (EU) 2025/420.
6
+
7
+ ---
8
+
9
+ ## Overview: Two-Track Structure
10
+
11
+ Chapter V operates on two parallel tracks:
12
+
13
+ **Track 1 — Entity-level obligations (Art. 28–30):**
14
+ Every financial entity must manage its own ICT third-party risks — regardless of
15
+ whether its TPSPs are designated critical.
16
+
17
+ **Track 2 — Systemic oversight of designated CTPPs (Art. 31–44):**
18
+ ESAs designate and oversee ICT TPSPs that are systemically important to the
19
+ EU financial sector. This is a supervisory regime, not an entity-level compliance task.
20
+
21
+ ---
22
+
23
+ ## Art. 28 — General Principles for ICT Third-Party Risk
24
+
25
+ ### Art. 28(1) — ICT Third-Party Risk Policy
26
+ Every financial entity must adopt, regularly review, and update an **ICT third-party
27
+ risk policy** covering:
28
+ - Objectives and principles for managing ICT third-party risk
29
+ - Criteria for identifying critical and important functions (CIF) vs. non-critical
30
+ - Pre-contractual due diligence requirements
31
+ - Contract lifecycle management (onboarding, monitoring, exit)
32
+ - ICT concentration risk management
33
+ - Governance roles and responsibilities
34
+
35
+ **Key RTS:** CDR (EU) 2024/1773, Art. 1–12 (detailed policy content)
36
+
37
+ ### Art. 28(2) — Maintaining the Register of Information
38
+ Financial entities must maintain and update the **Register of Information** (RoI)
39
+ covering **all** ICT service arrangements (not only those supporting critical
40
+ functions). See the Register of Information section below for full field details.
41
+
42
+ ### Art. 28(3) — Annual Submission of Register of Information
43
+ The RoI must be submitted to the competent authority **at least annually** and
44
+ upon specific request. The submission format follows CIR (EU) 2024/2956 templates.
45
+
46
+ ### Art. 28(4) — Pre-Contractual Due Diligence
47
+ Before entering any new ICT service arrangement supporting a critical or important
48
+ function, financial entities must:
49
+ - **(a)** Assess whether the ICT service arrangement supports a critical or important function
50
+ - **(b)** Assess the risks of the arrangement, including ICT concentration risk
51
+ - **(c)** Carry out appropriate due diligence on prospective ICT TPSPs
52
+
53
+ The due diligence must be documented and commensurate with the criticality of
54
+ the function.
55
+
56
+ ### Art. 28(5) — Ongoing Monitoring of ICT TPSPs
57
+ - Monitor the performance, security posture, and compliance of ICT TPSPs
58
+ throughout the contract lifecycle
59
+ - Conduct regular reviews aligned with the contract terms and risk profile
60
+ - Verify that ICT TPSPs continue to meet agreed service levels and security standards
61
+
62
+ ### Art. 28(6) — ICT Concentration Risk Assessment
63
+ Financial entities must:
64
+ - Assess the **concentration risk** arising from reliance on a single or limited
65
+ number of ICT TPSPs for critical functions
66
+ - Determine whether the failure or unavailability of any TPSP would threaten the
67
+ entity's ability to maintain critical functions
68
+ - Document this assessment and factor it into risk appetite and strategy
69
+
70
+ **Common scenario:** A bank using a single hyperscaler (e.g., one major cloud
71
+ provider) for core banking, treasury, and fraud detection creates high concentration
72
+ risk even if the TPSP is not designated critical.
73
+
74
+ ### Art. 28(7) — Exit Strategy
75
+ For each ICT arrangement supporting a critical or important function, financial entities must:
76
+ - Develop and maintain an **exit strategy** covering:
77
+ - Conditions and triggers for exit
78
+ - Minimum notice period required to migrate services
79
+ - Data portability and return procedures
80
+ - Transition assistance obligations of the departing TPSP
81
+ - Test exit strategies periodically (frequency: risk-based)
82
+
83
+ ---
84
+
85
+ ## Art. 29 — Preliminary Assessment of ICT Concentration Risk
86
+
87
+ Before entering a new arrangement that would cause an entity's concentration in
88
+ a single TPSP to increase for critical functions:
89
+ - Conduct a specific **concentration risk assessment**
90
+ - Document the assessment outcome and risk mitigation measures (if any)
91
+ - Consider the systemic implications if the concentrated TPSP were to fail
92
+
93
+ This is a transaction-specific obligation (triggered by entering a new arrangement)
94
+ rather than an ongoing monitoring obligation (which is covered by Art. 28(6)).
95
+
96
+ ---
97
+
98
+ ## Art. 30 — Key Contractual Provisions
99
+
100
+ ### Scope: When does Art. 30(2) apply?
101
+
102
+ Art. 30(2) applies to contracts for ICT services that support **critical or important
103
+ functions**. A lighter set of provisions applies to non-critical arrangements
104
+ (Art. 30(3)).
105
+
106
+ ### Critical or Important Function (CIF)
107
+
108
+ A function is critical or important if its disruption would:
109
+ - Materially impair the financial entity's compliance with legal obligations
110
+ - Materially impair its financial performance, or
111
+ - Materially impair the soundness or continuity of its services
112
+
113
+ The criteria for identifying CIF are further specified in CDR (EU) 2024/1773.
114
+
115
+ ### Mandatory Contractual Provisions — Art. 30(2)(a)–(i)
116
+
117
+ | Provision | DORA Requirement |
118
+ |-----------|-----------------|
119
+ | **(a)** Service description | Clear and complete description of the ICT services to be provided |
120
+ | **(b)** Data locations | Location(s) where services will be provided and data stored/processed, including notification obligations if locations change |
121
+ | **(c)** Data protection | Provisions ensuring data protection; compliance with applicable data protection law (GDPR where applicable) |
122
+ | **(d)** Availability, authenticity, integrity, security | Service level specifications; security standards; incident response obligations of the TPSP |
123
+ | **(e)** Audit and access rights | **Full and unrestricted audit rights** for the financial entity, its competent authorities (including ECB for significant institutions), and resolution authorities — including on-site inspection rights at the TPSP's premises |
124
+ | **(f)** Termination rights | Conditions under which the financial entity may terminate; minimum notice periods; the TPSP's obligation to provide transition services |
125
+ | **(g)** Reporting and monitoring | ICT incident reporting by the TPSP to the financial entity; performance monitoring; regular service reviews |
126
+ | **(h)** Data portability and migration | On termination, the TPSP must provide all data in machine-readable format; migration assistance; data deletion certification |
127
+ | **(i)** Sub-contracting | Conditions under which the TPSP may sub-contract ICT services; prior written consent requirement; equivalent contractual provisions in sub-processor contracts; right to audit sub-processors |
128
+
129
+ **Key RTS:** CDR (EU) 2024/1773 specifies the detailed content of each provision.
130
+ **Key RTS:** CDR (EU) 2025/532 specifies sub-contracting provisions in detail.
131
+
132
+ ### The Audit Rights Problem (Art. 30(2)(e))
133
+
134
+ The most common contractual gap: large cloud providers offer only third-party
135
+ audit reports (e.g., SOC 2, ISO 27001 certificates) rather than direct audit
136
+ rights. DORA Art. 30(2)(e) requires:
137
+ - **Full and unrestricted** audit rights for the financial entity
138
+ - **Access rights for competent authorities** — including the right to inspect
139
+ the TPSP's premises
140
+
141
+ ESA guidance has clarified that:
142
+ - Pooled or third-party audits (SOC 2, ISO 27001 certification) may partially
143
+ satisfy the **entity's own audit right** where direct audit is genuinely
144
+ impracticable at hyperscale TPSPs — but only if the entity documents in writing
145
+ why direct audit is impracticable and confirms the pooled audit outputs are
146
+ meaningful and sufficient
147
+ - Financial entities must still document their assessment of why pooled audits
148
+ are acceptable and ensure they receive meaningful, entity-specific outputs
149
+ - **The competent authority's (and resolution authority's) on-site inspection
150
+ right under Art. 30(2)(e) is NON-WAIVABLE.** Even where the entity accepts
151
+ pooled audits, the contract must contain an express, unconditional clause
152
+ preserving the competent authority's right to inspect the TPSP's premises
153
+ directly. A clause that routes the authority's access through the TPSP's
154
+ third-party audit programme does NOT satisfy Art. 30(2)(e). This is a common
155
+ failure in standard cloud provider contracts.
156
+ - Acceptance of pooled audits must be documented with a written risk acceptance
157
+ approved at an appropriate governance level (e.g., CRO or board)
158
+
159
+ ### Lighter Provisions for Non-Critical Arrangements (Art. 30(3))
160
+
161
+ For ICT service arrangements that do not support critical or important functions:
162
+ - Service description
163
+ - Data locations
164
+ - Basic availability and security commitments
165
+ - Incident notification obligations
166
+ - Exit/termination provisions
167
+
168
+ Full Art. 30(2) provisions are not required.
169
+
170
+ ### Art. 30(4) — Review Before Renewal
171
+
172
+ Before renewing any contract for ICT services supporting critical functions,
173
+ financial entities must review whether:
174
+ - Service levels remain adequate
175
+ - Audit and access rights remain exercisable
176
+ - Exit strategy remains viable
177
+ - New risks (concentration, substitutability) have emerged
178
+
179
+ ---
180
+
181
+ ## Register of Information — Complete Field Reference (CIR (EU) 2024/2956)
182
+
183
+ ### When to Maintain and Submit
184
+
185
+ - **Ongoing maintenance:** Update when new arrangements are entered, modified,
186
+ or terminated; when sub-processors change; when data locations change
187
+ - **Annual submission:** At least annually to the competent authority
188
+ - **On-demand submission:** Upon specific request from competent authority or ESA
189
+ (for the oversight framework of CTPPs under Art. 31)
190
+
191
+ ### Complete Field Set
192
+
193
+ The RoI is structured around **arrangements** — each row represents one ICT
194
+ service arrangement.
195
+
196
+ | Field | Field Name (CIR 2024/2956) | Description |
197
+ |-------|---------------------------|-------------|
198
+ | 1 | Reporting entity LEI | Legal Entity Identifier of the financial entity |
199
+ | 2 | Reporting entity name | Legal name |
200
+ | 3 | Reporting entity type | Regulated entity type (credit institution, insurer, etc.) |
201
+ | 4 | Arrangement reference | Unique internal reference for this arrangement |
202
+ | 5 | Arrangement type | Type (outsourcing, SaaS, IaaS, PaaS, data services, etc.) |
203
+ | 6 | TPSP legal name | Legal name of the ICT third-party service provider |
204
+ | 7 | TPSP LEI | LEI of the TPSP |
205
+ | 8 | TPSP country of establishment | Country (ISO 3166-1 alpha-2) |
206
+ | 9 | TPSP within group? | Is the TPSP part of the same corporate group as the entity? |
207
+ | 10 | ICT service type | Nature of services (per CIR classification codes) |
208
+ | 11 | ICT service description | Free-text description of specific services |
209
+ | 12 | Critical or important function (CIF)? | Y/N — does this arrangement support a CIF? |
210
+ | 13 | Function identifier | Reference to the function(s) supported |
211
+ | 14 | Function description | Description of the supported function |
212
+ | 15 | Data types processed | Classification of personal/non-personal data processed |
213
+ | 16 | Data sensitivity | Sensitivity level of data (e.g., customer PII, financial data) |
214
+ | 17 | Primary data storage location | Country(ies) where data is primarily stored |
215
+ | 18 | Secondary/backup data storage location | Country(ies) where backup data is stored |
216
+ | 19 | Contract start date | Effective date of the arrangement |
217
+ | 20 | Contract end date or rolling | End date or indication of indefinite/rolling |
218
+ | 21 | Notice period for termination | Minimum notice period (in days) |
219
+ | 22 | Sub-processors used? | Y/N — does the TPSP sub-contract any services? |
220
+ | 23 | Sub-processor names and LEIs | Name and LEI of each sub-processor |
221
+ | 24 | Sub-processor data locations | Country(ies) of data processing by sub-processors |
222
+ | 25 | Substitutability assessment | High / Medium / Low — ease of replacing this TPSP |
223
+ | 26 | Exit strategy reference | Reference to the exit strategy document for this arrangement |
224
+ | 27 | Last due diligence date | Date of most recent due diligence assessment |
225
+ | 28 | Audit rights exercisable? | Y/N — can audit rights be exercised per contract? |
226
+ | 29 | Audit method | Direct audit / pooled audit / third-party certification |
227
+
228
+ ### Register of Information — Key Points
229
+
230
+ 1. **All arrangements, not just critical ones.** The RoI covers every ICT service
231
+ arrangement, not only those supporting critical or important functions. The
232
+ criticality flag (field 12) distinguishes them within the register.
233
+
234
+ 2. **Sub-processors must be captured.** For each arrangement, the full chain of
235
+ sub-processors must be identified (fields 22–24). This is frequently incomplete
236
+ in practice.
237
+
238
+ 3. **Not a static document.** The RoI must be updated throughout the year as
239
+ arrangements change; the annual submission is a snapshot of the current state.
240
+
241
+ 4. **LEIs are mandatory.** Both the reporting entity and all TPSPs must have LEIs.
242
+ Where a TPSP does not have an LEI, the entity should document this and use
243
+ the TPSP's national business registration number as an alternative.
244
+
245
+ ---
246
+
247
+ ## ICT Concentration Risk — Practical Assessment
248
+
249
+ ### What constitutes concentration risk under DORA?
250
+
251
+ **Horizontal concentration:** Multiple critical functions supported by a single TPSP
252
+ (e.g., core banking, fraud detection, and AML all on the same cloud provider).
253
+
254
+ **Sectoral concentration:** Many financial entities within the EU using the same
255
+ TPSP for critical functions — creating systemic risk even if each entity's own
256
+ dependency appears manageable.
257
+
258
+ **Geographic concentration:** All data and processing in a single geographic region
259
+ or data centre cluster, creating correlated failure risk.
260
+
261
+ ### Concentration Risk Assessment Template
262
+
263
+ For each TPSP supporting critical functions, assess:
264
+
265
+ | Assessment Area | Question | Rating (H/M/L) |
266
+ |----------------|----------|----------------|
267
+ | Dependency depth | How many critical functions depend on this TPSP? | |
268
+ | Substitutability | Could this service be replaced within the entity's recovery time objectives? | |
269
+ | Contractual exit | Is there a viable exit path with adequate notice period and data portability? | |
270
+ | Financial stability | Is there material risk of the TPSP becoming insolvent or discontinuing the service? | |
271
+ | Geographic diversification | Are services provided from geographically diverse infrastructure? | |
272
+ | Regulatory enforceability | Are audit and competent authority access rights practically exercisable? | |
273
+
274
+ A TPSP rated High on any two or more areas should be treated as a concentration
275
+ risk concern requiring mitigation action.
276
+
277
+ ---
278
+
279
+ ## Oversight Framework for Critical ICT TPSPs (Art. 31–44)
280
+
281
+ ### Designation of Critical ICT TPSPs (Art. 31)
282
+
283
+ ESAs (EBA, ESMA, EIOPA) jointly designate ICT TPSPs as **critical** based on
284
+ CDR (EU) 2024/1502 criteria. The designation process:
285
+
286
+ 1. Financial entities submit their RoI annually
287
+ 2. ESAs aggregate RoI data to map TPSP dependencies across the EU financial sector
288
+ 3. ESAs apply CDR 2024/1502 criteria to assess systemic importance
289
+ 4. Designated CTPPs are notified and published
290
+ 5. ICT TPSPs not established in the EU that serve EU financial entities must
291
+ designate an EU-established legal representative (Art. 31(11))
292
+
293
+ ### Lead Overseer Assignment (Art. 32)
294
+
295
+ Each designated CTPSP is assigned a **Lead Overseer** — one of EBA, ESMA, or EIOPA
296
+ — based on the predominant type of financial entity served. The Lead Overseer
297
+ coordinates with other ESAs via the **Joint Oversight Network (JON)**.
298
+
299
+ **Joint Examination Teams (JETs):** Per CDR (EU) 2025/420, JETs are assembled
300
+ from Lead Overseer and national authority staff to conduct on-site and off-site
301
+ examinations of CTPPs.
302
+
303
+ ### Oversight Powers (Art. 33–38)
304
+
305
+ | Power | Description |
306
+ |-------|-------------|
307
+ | Art. 33 — Information requests | Lead Overseer can require CTTPSs to provide information, data, and documents |
308
+ | Art. 34 — General investigations | Including interviews, document reviews |
309
+ | Art. 35 — On-site inspections | Physical inspection of CTPSP premises and systems |
310
+ | Art. 36 — Recommendations | Lead Overseer issues recommendations for improvement |
311
+ | Art. 37 — Follow-up | Follow-up recommendations and potential escalation |
312
+ | Art. 38 — Oversight fees | Annual fees per CDR (EU) 2024/1505 |
313
+
314
+ ### What CTPSP Designation Means for Financial Entities
315
+
316
+ - **No direct obligations change** for the financial entity when its TPSP is
317
+ designated critical — the entity's Art. 28–30 obligations apply regardless
318
+ - The Lead Overseer interacts with the **CTPSP directly**
319
+ - Financial entities must cooperate with information requests from the Lead
320
+ Overseer about their use of designated CTPPs (Art. 40)
321
+ - Financial entities should note that oversight recommendations to a CTPSP
322
+ may result in changes to service terms — monitor this
323
+
324
+ ---
325
+
326
+ ## Contract Review Checklist — DORA Art. 30(2) Compliance
327
+
328
+ Use this checklist when reviewing existing contracts or negotiating new ones:
329
+
330
+ | Clause | Required by | Present? | Gap? |
331
+ |--------|------------|---------|------|
332
+ | Clear service description | Art. 30(2)(a) | | |
333
+ | Data location — primary and secondary | Art. 30(2)(b) | | |
334
+ | Change notification for data locations | Art. 30(2)(b) | | |
335
+ | GDPR/data protection provisions | Art. 30(2)(c) | | |
336
+ | Service levels (availability, integrity, security) | Art. 30(2)(d) | | |
337
+ | Audit rights — financial entity | Art. 30(2)(e) | | |
338
+ | Audit rights — competent authority | Art. 30(2)(e) | | |
339
+ | Audit rights — resolution authority | Art. 30(2)(e) | | |
340
+ | Termination for cause | Art. 30(2)(f) | | |
341
+ | Termination for regulatory reasons | Art. 30(2)(f) | | |
342
+ | Minimum notice period on exit | Art. 30(2)(f) | | |
343
+ | Incident reporting by TPSP to entity | Art. 30(2)(g) | | |
344
+ | Data portability on exit | Art. 30(2)(h) | | |
345
+ | Migration assistance commitment | Art. 30(2)(h) | | |
346
+ | Data deletion/destruction certificate | Art. 30(2)(h) | | |
347
+ | Sub-contracting — prior consent | Art. 30(2)(i) + CDR 2025/532 | | |
348
+ | Sub-contracting — equivalent provisions | Art. 30(2)(i) + CDR 2025/532 | | |
349
+ | Sub-processor change notification | CDR 2025/532 | | |
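Review bot: the abbreviation for a critical ICT third-party service provider is spelled four different ways across this hunk, which will confuse readers cross-referencing the regulation: "CTPPs" in step 4 of the designation list and in the JETs paragraph and Art. 40 bullet, "CTPSP" in the Art. 32 and Art. 35 text and the section heading, and "CTTPSs" in the Art. 33 table row ("Lead Overseer can require CTTPSs to provide information, data, and documents"), which looks like a typo. Pick one form (the heading already uses "CTPSP"), introduce it once at the first mention in the Art. 31 section ("designate ICT TPSPs as **critical** (CTPSPs)"), and replace the other variants throughout, including the "CTTPSs" row.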