DORA Article 28 Requirements: Why UK Banks Need Documented Exit Strategies for ICT Third-Party Services
Financial institutions across the UK face mounting pressure to demonstrate comprehensive control over their ICT third-party relationships. DORA Article 28 establishes specific requirements for documented exit strategies that enable banks to terminate critical vendor relationships without compromising operational continuity or regulatory compliance.
The challenge extends beyond basic contract termination clauses. Banks must prove they can execute complete data migration, maintain service continuity, and preserve regulatory documentation throughout vendor transitions. This operational complexity demands architectural planning that many institutions have yet to implement effectively.
This analysis examines how UK banks can build defensible exit strategies that satisfy DORA Article 28 requirements whilst maintaining the agility needed for competitive third-party relationships.
DORA’s Applicability to UK Banks Post-Brexit
DORA is an EU regulation and does not apply directly to all UK banks by default. However, the regulation’s reach into the UK financial sector is broader than it may initially appear, and institutions should assess their specific exposure carefully.
UK banks with EU branches, subsidiaries, or regulated entities operating within EU member states are subject to DORA directly and must comply in full with its requirements, including Article 28’s exit strategy provisions. Similarly, UK firms that provide ICT services to EU financial institutions as third-party providers may fall within DORA’s scope where those services are deemed critical or important under the regulation’s risk classification criteria.
For UK-only institutions without EU operations or EU-facing ICT service relationships, the direct legal obligation does not apply. However, the FCA and PRA have signalled clear alignment with DORA principles through their own operational resilience frameworks, including SS2/21 and PS6/21, which impose comparable expectations around third-party risk management, exit planning, and service continuity. UK banks should therefore treat DORA’s Article 28 standards as indicative of the direction of domestic regulatory expectation, whether or not they are formally in scope.
Executive Summary
DORA Article 28 mandates that financial institutions maintain comprehensive exit strategies for all critical ICT third-party services, including detailed data portability plans, service continuity measures, and regulatory compliance preservation. UK banks must demonstrate they can execute vendor transitions without operational disruption or compliance gaps, requiring architectural approaches that embed exit readiness into third-party relationships from inception rather than treating it as a contract afterthought.
Key Takeaways
- DORA Article 28 Mandates. Requires comprehensive exit strategies for critical ICT third-party services, including data portability, service continuity, and regulatory compliance preservation.
- UK Banks’ Exposure. Directly applies to institutions with EU operations or ICT services to EU firms; others must align with equivalent FCA and PRA operational resilience expectations.
- Core Exit Strategy Elements. Demand data classification, standardized migration formats, alternative provider identification, and continuous audit trail preservation throughout transitions.
- Proactive Architectural Readiness. Exit planning must be embedded into third-party governance from inception to ensure security, compliance, and operational continuity under regulatory scrutiny.
Critical Components of DORA-Compliant Exit Strategies
Banks must architect exit strategies that address multiple operational dimensions simultaneously. DORA Article 28 requirements extend beyond traditional contract management to encompass data sovereignty, service continuity, and regulatory documentation preservation throughout vendor transitions.
Effective exit strategies begin with comprehensive data classification that identifies all information flows between the bank and third-party providers. This mapping must capture not only primary data repositories but also metadata, audit trails, and compliance documentation that regulatory authorities expect to remain accessible during and after vendor transitions.
Service continuity planning requires banks to identify alternative delivery mechanisms for every critical function provided by third-party vendors. This analysis must consider technical compatibility, regulatory approval timelines, and operational capacity constraints that could delay transition execution.
Data Portability and Migration Planning
Data portability represents one of the most technically complex aspects of DORA-compliant exit strategies. Banks must ensure they can extract, validate, and migrate all relevant data without compromising integrity or regulatory traceability.
Effective data migration planning requires standardised export formats that maintain audit trail continuity and regulatory mapping accuracy. Banks need mechanisms to verify data completeness during extraction whilst ensuring that sensitive information remains protected throughout the migration process.
Migration timelines must account for regulatory approval requirements, technical validation procedures, and operational testing that demonstrates equivalent service delivery capability. Many banks underestimate the coordination required between internal teams, outgoing vendors, and replacement providers during these transitions.
Service Continuity and Alternative Provision
Service continuity planning demands that banks identify viable alternatives for every critical function before entering third-party relationships. This proactive approach enables faster transition execution whilst reducing operational risk during vendor changes.
Alternative provision analysis must evaluate technical compatibility, regulatory compliance status, and operational capacity of potential replacement vendors. Banks should maintain updated assessments of market alternatives, including cost structures and implementation timelines that support rapid transition execution when required.
Continuity testing validates that alternative providers can deliver equivalent service levels without compromising regulatory compliance or operational efficiency. This testing should occur regularly to ensure that replacement options remain viable as both the bank’s requirements and vendor capabilities evolve.
Regulatory Documentation and Audit Trail Preservation
DORA compliance requires banks to maintain complete audit trails and regulatory documentation throughout third-party transitions. This preservation extends beyond basic data retention to encompass compliance mappings, risk assessments, and operational monitoring records that demonstrate continuous regulatory adherence.
Documentation preservation strategies must ensure that audit trails remain accessible and legally defensible during vendor transitions. Banks need mechanisms to extract compliance records whilst maintaining their evidential value for regulatory examinations and internal risk management processes.
Regulatory mapping continuity requires banks to demonstrate that replacement vendors can maintain equivalent compliance posture without gaps in monitoring or reporting capability. This continuity must be demonstrable through testing and validation procedures that regulatory authorities can examine and verify.
Compliance Framework Alignment
Exit strategies must demonstrate how vendor transitions maintain alignment with applicable regulatory frameworks throughout the change process. This alignment requires detailed mapping between vendor capabilities and specific compliance obligations that the bank must satisfy.
Compliance validation procedures should verify that replacement vendors can deliver equivalent regulatory reporting, risk monitoring, and audit trail generation capability. Banks must demonstrate this equivalence through testing and documentation that regulatory authorities can examine during transition periods.
Framework alignment extends to data privacy requirements, operational resilience standards, and risk management expectations that regulatory authorities monitor continuously. Exit strategies should explicitly address how these obligations remain satisfied during vendor transition periods.
Operational Risk Management During Vendor Transitions
Vendor transitions introduce operational risks that banks must identify, assess, and mitigate through comprehensive planning and execution frameworks. DORA Article 28 requirements emphasise the importance of maintaining operational resilience throughout third-party relationship changes.
Risk identification processes must capture technical integration challenges, data migration complexities, and service continuity gaps that could compromise operational effectiveness during transitions. Banks should develop risk registers that address both anticipated challenges and contingency scenarios that require alternative approaches.
Mitigation strategies require coordination between internal teams, outgoing vendors, and replacement providers to ensure smooth knowledge transfer and service handover. This coordination must maintain security controls and regulatory compliance throughout the transition process.
Stakeholder Communication and Change Management
Effective vendor transitions require comprehensive communication strategies that keep all stakeholders informed of progress, challenges, and timeline adjustments throughout the process. This communication must balance transparency with confidentiality requirements that protect sensitive commercial and operational information.
Change management processes should ensure that internal teams understand their roles and responsibilities during vendor transitions whilst maintaining operational focus on daily activities. Banks must provide clear escalation procedures for issues that could compromise transition success or regulatory compliance.
External stakeholder management includes coordination with regulatory authorities, business partners, and customers who may be affected by service changes during vendor transitions. Banks should develop communication templates and approval processes that ensure consistent messaging whilst meeting disclosure obligations.
Conclusion
DORA Article 28 represents a substantive shift in how financial institutions must approach third-party ICT relationships — from reactive contract management to proactive, architecturally embedded exit readiness. For UK banks in scope, whether through EU operations, ICT service provision to EU firms, or by alignment with equivalent FCA and PRA frameworks, the operational and compliance demands are significant.
Meeting these requirements demands more than updated vendor contracts. Banks must demonstrate that data portability, service continuity, audit trail preservation, and regulatory documentation integrity can all be maintained throughout vendor transitions, under examination conditions. Institutions that treat exit planning as a post-engagement exercise will face both operational and regulatory exposure.
Building defensible exit strategies requires embedding exit readiness into third-party governance from the outset, supported by technical architectures that maintain security and compliance control regardless of which vendor is providing the underlying service. The institutions that act on this now will be better positioned not only for regulatory scrutiny, but for the commercial agility that effective third-party risk management enables.
Securing Sensitive Data Throughout Vendor Transitions
Traditional exit planning often focuses on contractual and operational considerations whilst overlooking the critical importance of maintaining data security and regulatory compliance throughout vendor transitions. Banks require architectural approaches that embed security controls and audit trail preservation into every aspect of third-party risk management.
The Kiteworks Private Data Network enables banks to maintain comprehensive control over sensitive data throughout vendor transitions by providing a zero trust architecture that secures information regardless of the underlying service provider. This approach ensures that exit strategies can be executed without compromising data privacy or regulatory documentation requirements.
Kiteworks delivers tamper-proof audit trails that preserve regulatory compliance evidence throughout vendor changes, enabling banks to demonstrate continuous adherence to DORA requirements during transition periods. The platform’s data-aware controls ensure that sensitive information remains protected whilst facilitating the data portability and migration requirements that effective exit strategies demand. The platform is validated to FIPS 140-3 standards, uses TLS 1.3 for data in transit, and is FedRAMP High-ready — enabling banks to meet the most demanding technical security benchmarks required under DORA and broader financial sector compliance obligations.
Integration with existing SIEM, SOAR, and ITSM workflows enables banks to maintain operational visibility and risk management capability throughout vendor transitions. This integration ensures that security monitoring and compliance reporting continue uninterrupted whilst providing the documentation and evidence trail that regulatory authorities expect during third-party relationship changes.
To explore how Kiteworks can help your institution build DORA-compliant vendor transition frameworks that maintain security, compliance, and operational continuity throughout critical third-party relationship changes, schedule a custom demo.
Frequently Asked Questions
DORA Article 28 mandates that financial institutions maintain comprehensive exit strategies for all critical ICT third-party services, including detailed data portability plans, service continuity measures, and regulatory compliance preservation.
DORA applies directly to UK banks with EU branches or subsidiaries, and to UK firms providing critical ICT services to EU institutions. For UK-only firms, the FCA and PRA frameworks align with DORA principles through operational resilience rules such as SS2/21 and PS6/21.
Effective strategies require comprehensive data classification, identification of alternative service providers, standardised data migration formats that preserve audit trails, and ongoing testing to ensure regulatory documentation and service continuity remain intact.
Banks must maintain complete audit trails, compliance mappings, and risk assessments throughout transitions, ensuring these records remain accessible and legally defensible while demonstrating continuous regulatory adherence to authorities.