Exit Strategies for Suppliers | 360TPRM

Exit strategies are plans for the orderly termination of supplier relationships — whether due to risk escalation, contract expiry or regulatory requirements. DORA Art. 28(7) makes exit strategies mandatory for ICT third-party contracts.

Why are exit strategies critical?

Without an exit strategy, dangerous dependencies arise: lock-in effects prevent a quick switch when risks escalate. Data losses threaten when suppliers do not properly return or delete data. Operational disruptions occur when critical services disappear without an alternative solution. DORA therefore requires a documented exit strategy for every critical ICT provider.

DORA Art. 28(7) — mandatory exit strategy

Financial entities must maintain a documented exit strategy for all critical ICT third-party contracts. This is actively reviewed by supervisory authorities.

Elements of an exit strategy

A complete exit strategy contains: exit scenarios (when is the exit strategy activated?), alternative providers (who can take over at short notice?), data migration plan (how is data transferred or deleted?), transition period (how long does migration take?), communication plan (who is informed when?) and regulatory notification requirements.

Exit management in 360TPRM

360TPRM documents exit strategies for all critical suppliers and automatically generates the required evidence for supervisory authorities.

FAQ

For which suppliers do I need an exit strategy?+

DORA requires exit strategies for all ICT third-party providers classified as critical or important. Best practice: for all suppliers with access to critical systems or data.

How often must the exit strategy be reviewed?+

At least annually and upon material changes to the supplier relationship. 360TPRM automatically reminds of upcoming reviews.

Document exit strategies

See in a 45-minute demo how 360TPRM specifically meets your requirements.

Request free demo →