"An organization's sovereignty can only be as strong as the weakest link in its digital value chain. A non-compliant third party is a breach in your own sovereignty posture."
Extending sovereignty to partners and vendors, sovereignty due diligence in RFPs, third-party scoring, contractual propagation clauses.
CDO, CIO, CISO, IT procurement teams, legal counsel, third-party risk managers (TPRM), DORA/NIS 2 compliance officers.
DORA Art. 28-30 (TPRM), NIS 2 Art. 21.2.d (supply chain), Data Act Art. 5-9 (third-party data), EU AI Act Art. 25 (deployers).
Half day (3h30) — 2 sessions + 1 real vendor scoring workshop.
The digital value chain of a banking organization typically includes 4 categories of third parties, each with a distinct sovereignty risk profile.
| Category | Typical examples | Access to your data | Sovereignty risk | DORA/NIS 2 obligation |
|---|---|---|---|---|
| Critical ICT providers | Data platform, cloud, core banking, SIEM | Critical data | Critical | Full DORA Art. 28 |
| IT services & integrators | IT consultancies, tech advisory firms, custom software vendors | Confidential data + code | High | DORA Art. 28 + IP clauses |
| AI & data providers | LLM APIs, data providers, third-party models | Potentially confidential data | High | EU AI Act Art. 25 + GDPR |
| Partners & ecosystem | Fintechs, insurtechs, Open Banking PSD3 | Shared customer data | Moderate | GDPR + DPA contracts |
| Support vendors | HR tools, marketing, productivity | Internal data | Low | Basic GDPR |
DORA Art. 28.5: financial entities must ensure that contracts provide subcontractor traceability and a right of objection to subcontracting to certain countries. This obligation extends to tier 2 and tier 3 subcontractors.