Article 25 Digital Operational Resilience Act (DORA), General Principles
Article 25 of the Digital Operational Resilience Act (DORA) sets out the general principles financial entities must follow when managing ICT third-party risk (in the adopted text, Regulation (EU) 2022/2554, the corresponding provision is Article 28). Financial entities remain fully responsible for compliance with the Regulation and applicable financial services legislation regardless of their contractual arrangements with ICT third-party service providers; outsourcing a service does not outsource the obligation. The Article applies a proportionate approach, taking into account the scale, complexity and importance of each ICT dependency.
Financial entities must address third-party risk within their ICT risk management framework. In practice this means adopting and regularly reviewing a strategy and policy on ICT third-party risk, maintaining a Register of Information covering every contractual arrangement for ICT services, and engaging only providers that meet high information security standards. Before contracting, financial entities must carry out due diligence and risk assessment (including ICT concentration risk); during the contract they must exercise audit rights on a risk-based basis and monitor for grounds to terminate; and they must maintain documented, tested exit strategies so that a termination does not disrupt business, compliance or service to clients. The European Supervisory Authorities (ESAs) are tasked with developing technical standards that specify the register template and the content of the policy.
ICT Third-Party Risk Management Under DORA: Key Requirements and Strategies
- Financial entities shall uphold full responsibility for complying with this Regulation and applicable financial services legislation, notwithstanding contractual arrangements for ICT services supporting their business operations.
- Management of ICT third-party risk by financial entities shall align with the principle of proportionality, considering the scale, complexity, and importance of ICT dependencies. This includes assessing risks from contractual arrangements with ICT third-party service providers, especially concerning critical functions impacting financial service continuity and quality.
- Within their ICT risk management framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk. This strategy shall encompass policies for utilizing ICT services provided by third-party service providers across individual, sub-consolidated, and consolidated levels. The management body shall undertake regular assessments of risks associated with outsourcing critical or important functions.
- As part of their ICT risk management framework, financial entities shall maintain and update a Register of Information at entity, sub-consolidated, and consolidated levels. This register shall document all contractual arrangements for ICT services provided by third-party service providers, distinguishing between those covering critical or important functions and others. Annually, financial entities shall report to competent authorities on new ICT service arrangements, categories of third-party providers, contract types, and the services/functions provided. Upon request, they shall provide the full register or specified sections for effective supervision.
- Prior to entering into contractual arrangements for ICT services, financial entities shall: (a) Assess whether the contractual arrangement covers critical or important functions. (b) Verify compliance with supervisory conditions for contracting. (c) Identify and assess all relevant risks related to the contractual arrangement, including potential contributions to ICT concentration risk. (d) Conduct due diligence on prospective ICT third-party service providers throughout the selection and assessment processes to ensure suitability. (e) Identify and assess conflicts of interest that may arise from the contractual arrangement.
- Financial entities may only engage ICT third-party service providers that comply with high, appropriate, and current information security standards.
- When exercising access, inspection, and audit rights over ICT third-party service providers, financial entities shall adopt a risk-based approach to determine the frequency and scope of audits, adhering to accepted audit standards and any supervisory guidelines. For contracts involving high technological complexity, financial entities shall verify that auditors possess the necessary skills and knowledge to conduct effective audits and assessments.
- Financial entities shall ensure that contractual arrangements for ICT services are terminated under specified circumstances, including: (a) Breach by the ICT third-party service provider of applicable laws, regulations, or contractual terms. (b) Changes identified during the monitoring of ICT third-party risk that could impact the performance of functions provided under the contract, including significant changes affecting the provider or the arrangement. (c) Evidenced weaknesses in the ICT third-party service provider's overall ICT risk management, particularly in ensuring the security and integrity of confidential, personal, or otherwise sensitive data or non-personal information. (d) Situations where the competent authority can no longer effectively supervise the financial entity due to the contractual arrangement.
- Financial entities shall establish exit strategies to manage risks associated with ICT third-party service providers, including potential failures, deterioration in service quality, business disruptions, or material risks affecting the deployment of functions. These strategies shall ensure that the termination of contractual arrangements: (a) Does not disrupt business activities. (b) Does not compromise compliance with regulatory requirements. (c) Does not detrimentally affect the continuity and quality of service provision to clients. Exit plans shall be comprehensive, documented, and, where appropriate, tested sufficiently. Financial entities shall identify alternative solutions and develop transition plans to securely transfer functions and data from the ICT third-party service provider to alternative providers or back in-house, accompanied by appropriate contingency measures to maintain business continuity in all aforementioned circumstances.
- The ESAs, through the Joint Committee, shall develop draft implementing technical standards to establish standard templates for the Register of Information as outlined in paragraph 4.
These draft implementing technical standards shall be submitted to the Commission within one year of this Regulation's entry into force. The Commission is empowered to adopt these implementing technical standards in accordance with Article 15 of Regulations (EU) No 1093/2010, (EU) No 1095/2010, and (EU) No 1094/2010, respectively.
- The ESAs, through the Joint Committee, shall develop draft regulatory standards to further specify the detailed content of the policy referenced in paragraph 3 regarding contractual arrangements for the use of ICT services provided by ICT third-party service providers, with reference to the main phases of the lifecycle of these ICT service arrangements.
Additionally, these draft regulatory standards shall define the types of information to be included in the Register of Information as referred to in paragraph 4.
The ESAs shall submit these draft regulatory technical standards to the Commission within one year of this Regulation's entry into force. Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards mentioned in the preceding subparagraphs in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010, and (EU) No 1094/2010, respectively.
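The Register of Information in paragraph 4 and the concentration-risk assessment in paragraph 5(c) are the two parts of this Article that a practitioner has to operationalise in data rather than in policy. The following is an added illustration, not code from the Article or from the ESAs' implementing technical standards: it models a register with only the attributes the Article itself names (level, provider category, contract type, function supported, critical-or-important flag, start date), derives the annual report summary, and flags critical or important functions that depend on a single provider. The field names, the category and contract-type values, and the sample arrangements are all constructed assumptions; the real ITS template has considerably more columns.

```python
"""Minimal Register of Information model (illustrative, not the ESAs' template)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

LEVELS = {"entity", "sub-consolidated", "consolidated"}  # paragraph 4 levels


@dataclass(frozen=True)
class Arrangement:
    contract_ref: str            # assumed identifier format
    provider: str
    provider_category: str       # assumed categories: cloud, data-centre, software, ...
    contract_type: str           # assumed types: outsourcing, managed-service, subscription
    function: str                # business function the ICT service supports
    critical_or_important: bool  # paragraph 4: register must distinguish these
    level: str                   # one of LEVELS
    start: date


def validate(entry: Arrangement) -> list[str]:
    """Return a list of validation problems; an empty list means the entry is acceptable."""
    problems = []
    if not entry.contract_ref:
        problems.append("missing contract reference")
    if entry.level not in LEVELS:
        problems.append(f"unknown level {entry.level!r}")
    if not entry.function:
        problems.append("function supported must be recorded")
    return problems


def register_sections(register):
    """Split the register as paragraph 4 requires: critical/important vs. other."""
    critical = [a for a in register if a.critical_or_important]
    other = [a for a in register if not a.critical_or_important]
    return critical, other


def annual_report(register, year: int) -> dict:
    """Summary of arrangements entered into during `year` (paragraph 4 reporting items)."""
    new = [a for a in register if a.start.year == year]
    return {
        "new_arrangements": sorted(a.contract_ref for a in new),
        "provider_categories": Counter(a.provider_category for a in new),
        "contract_types": Counter(a.contract_type for a in new),
        "functions": sorted({a.function for a in new}),
    }


def single_provider_functions(register) -> list[str]:
    """Critical or important functions whose every arrangement is with one provider."""
    providers_by_function = defaultdict(set)
    for a in register_sections(register)[0]:
        providers_by_function[a.function].add(a.provider)
    return sorted(f for f, p in providers_by_function.items() if len(p) == 1)


def providers_by_critical_load(register):
    """Providers ranked by how many critical/important arrangements they carry."""
    return Counter(a.provider for a in register_sections(register)[0]).most_common()


# Constructed sample register (not real contracts or providers).
REGISTER = [
    Arrangement("C-001", "CloudCo", "cloud", "outsourcing", "core banking hosting", True, "entity", date(2023, 3, 1)),
    Arrangement("C-002", "CloudCo", "cloud", "outsourcing", "payments processing", True, "consolidated", date(2024, 2, 15)),
    Arrangement("C-003", "BackupLtd", "data-centre", "managed-service", "payments processing", True, "entity", date(2024, 6, 1)),
    Arrangement("C-004", "HRSoft", "software", "subscription", "hr payroll", False, "entity", date(2024, 9, 10)),
    Arrangement("C-005", "SecOpsCo", "managed-security", "managed-service", "security monitoring", True, "entity", date(2022, 11, 20)),
]

if __name__ == "__main__":
    for a in REGISTER:
        assert not validate(a), validate(a)
    print("2024 report:", annual_report(REGISTER, 2024))
    print("single-provider critical functions:", single_provider_functions(REGISTER))
    print("critical load per provider:", providers_by_critical_load(REGISTER))
```

In the sample, "payments processing" is covered by two providers and so is not flagged, while "core banking hosting" and "security monitoring" each rest on one provider; those are the arrangements a concentration-risk assessment under paragraph 5(c) and an exit plan under paragraph 9 would need to address first. The annual summary is exactly the set of items paragraph 4 asks to be reported, so the same register feeds both supervision and the entity's own risk review.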