DORA: ICT Third-Party Risk Management

ICT Third-Party Risk Management [Art 28-44]

Rule: Financial entities must manage risks from ICT third-party providers throughout the relationship lifecycle, with specific contractual requirements and oversight for critical providers.

General Principles [Art 28]

Financial entities must:

Obligation | Description
Retain responsibility | Remain fully responsible for compliance despite outsourcing
Proportionate management | Risk management proportionate to nature, scale, complexity
Maintain oversight | Effective oversight of ICT third-party arrangements
Ensure access | Maintain ability to access, audit, and terminate

Key Policy Requirements [Art 28(2)]

Strategy must address:

  • Policy on use of ICT services supporting critical/important functions
  • Approach to sub-contracting
  • Exit strategies
  • Concentration risk management

Register of Information [Art 28(3)]

Must maintain a register of:

Element | Detail
All ICT third-party contracts | Full inventory
Services supporting critical functions | Clearly identified
Subcontractors | For critical function support
Contract details | Start date, termination, service levels
Assessment | Risk assessment for each arrangement

Register must be available to competent authority on request.

Pre-Contractual Assessment [Art 28(4)]

Before contracting, assess:

  • Whether the arrangement concerns a critical/important function
  • Whether supervisory conditions are met
  • Whether appropriate due diligence has been completed
  • Whether the risks are acceptable

Contractual Arrangements [Art 30]

Mandatory contract terms:

Requirement | Purpose
Service descriptions | Clear description of ICT services
Data locations | Where data will be processed/stored
SLAs | Service levels, quantitative/qualitative targets
Incident notification | Provider must notify incidents promptly
BCM provisions | Business continuity obligations
Termination | Rights and notice periods
Transition assistance | Support during exit
Access and audit | Right to audit, access to data and premises
Sub-contracting | Conditions and approval requirements
Data protection | GDPR compliance
Governing law | Choice of law (preferably EU)

Critical or Important Function Contracts [Art 30(2)]

Additional requirements for critical function support:

Requirement | Detail
Full service descriptions | Quantitative and qualitative performance targets
Incident procedures | Detailed notification procedures and support
BCM testing | Provider participation in testing
Termination rights | For various scenarios (breach, insolvency, regulatory order)
Exit plans | Transition periods, data migration support
Unfettered access | Access by competent authorities

Sub-Contracting [Art 29]

For critical/important functions:

  • Provider must seek prior approval for material sub-contracting
  • Financial entity must assess sub-contractor risks
  • Chain sub-contracting requires visibility
  • Termination rights if sub-contracting creates unacceptable risk

Concentration Risk [Art 29]

Must assess and manage concentration risk from:

  • Heavy reliance on single provider
  • Limited substitutability
  • Multiple entities using same provider
  • Geographic concentration

Critical ICT Third-Party Service Providers [Art 31-44]

ESAs designate critical providers based on:

  • Systemic importance of financial entities served
  • Degree of substitutability
  • Number and type of financial entities relying on services

Oversight framework for critical providers:

Aspect | Mechanism
Lead Overseer | ESA designated to oversee provider
Oversight plan | Annual assessment plan
Information requests | Direct requests to provider
Inspections | On-site and off-site
Recommendations | Binding or non-binding
Remediation | Track implementation of recommendations

Exit Strategies [Art 28(8)]

Must have exit plans covering:

  • Triggers for exit
  • Transition timelines
  • Data migration
  • Alternative providers
  • Continued service during transition
  • Impact assessment

Third-Country Providers

Consideration | Requirement
Data location | Assess data sovereignty and access risks
Audit access | Ensure audit rights are enforceable
Supervisory access | Authorities must be able to access information
Equivalent protection | Adequate data protection standards

Due Diligence Checklist

Assessment Area | Items
Financial stability | Solvency, financial position
Technical capability | Skills, certifications, infrastructure
Security | Security policies, certifications (ISO 27001, SOC 2)
Compliance | Regulatory compliance track record
BCM | Business continuity capabilities
References | Other client experiences
Insurance | Professional indemnity coverage

Citation

Art 28-44, Regulation (EU) 2022/2554

Contains public sector information licensed under the Open Government Licence v3.0 where applicable. This is not legal advice. Always refer to official sources for authoritative text.