Article 26 of the Digital Operational Resilience Act (DORA): Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements

Jul 23, 2024, by Sneha Naskar

Article 26 of the Digital Operational Resilience Act (DORA) addresses the critical need for financial entities to assess ICT concentration risk and manage further sub-outsourcing arrangements effectively. This regulation ensures that financial entities maintain operational resilience by identifying and mitigating risks associated with the over-reliance on a limited number of ICT service providers. By conducting thorough preliminary assessments and maintaining oversight of sub-outsourcing practices, financial entities can better safeguard against potential disruptions and maintain the continuity and quality of their services.

Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements

1. Evaluation of ICT Concentration Risks

When financial entities conduct the identification and assessment of ICT concentration risk, as mandated by Article 25(5)(c), they must carefully examine scenarios that could potentially heighten their risk exposure due to their reliance on ICT third-party service providers. This evaluation focuses on two key considerations:

(a) Lack of Substitutability: One critical scenario to evaluate is whether engaging with an ICT third-party service provider might result in a situation where there are no easily substitutable alternatives available. The lack of alternative providers can create significant concentration risk, as it makes the financial entity heavily reliant on a single provider for critical ICT functions. This reliance can be problematic in cases where the provider faces operational difficulties, regulatory issues, or financial instability, as it may impact the entity’s ability to maintain continuous operations and manage ICT-related risks effectively.

(b) Multiple Contractual Arrangements with the Same Provider: Another scenario involves establishing multiple contractual arrangements with the same ICT third-party service provider or with closely interconnected ICT third-party service providers. Such arrangements can create a concentration risk if the provider faces challenges that impact all the services they deliver to the financial entity. By concentrating various ICT functions with a single provider or a network of closely connected providers, the financial entity could be exposing itself to systemic risks. For instance, if the provider experiences a cybersecurity breach, it could affect multiple functions or services, leading to widespread operational disruption for the financial entity.

To manage these risks, financial entities should evaluate the benefits and costs associated with alternative solutions. This includes exploring options for diversifying ICT third-party service providers to reduce concentration risk. Diversification helps spread the risk across multiple providers, thereby enhancing the financial entity’s resilience against potential disruptions. The evaluation should align with the entity’s business objectives as outlined in its digital resilience strategy, ensuring that any changes or diversification efforts support the overall goals of maintaining robust digital operations.


2. Assessment of Subcontracting Risks

When a contractual arrangement for ICT services permits an ICT third-party service provider to further subcontract critical or important functions to other providers, financial entities must assess the associated benefits and risks. This assessment is particularly crucial when the subcontractor is located in a third country.

(a) Compliance with Data Protection Standards: One key factor to consider is whether the subcontractor complies with relevant data protection standards. The financial entity must ensure that the subcontractor adheres to data protection regulations that align with the entity’s obligations under applicable laws. This is especially important when dealing with subcontractors in third countries where data protection standards may differ from those in the financial entity’s home jurisdiction.

(b) Enforcement of Legal Obligations: The ability to enforce legal obligations in the event of issues with the subcontractor is another critical consideration. Financial entities should evaluate whether they can effectively enforce contractual terms and obligations with the subcontractor, including resolving disputes or ensuring compliance with service level agreements.

(c) Applicable Insolvency Laws: The financial entity must also assess the applicable insolvency laws in the event that the ICT third-party service provider or the subcontractor faces bankruptcy. Understanding these laws helps in determining the potential impact on the entity’s operations and its ability to recover its data and services. Insolvency laws vary significantly across jurisdictions, and having clarity on how these laws apply can prevent disruptions in the event of a financial crisis affecting the service provider.

(d) Data Recovery Constraints: Lastly, the entity should consider any constraints that may hinder the prompt recovery of its data in case the subcontractor fails to deliver or encounters problems. Prolonged or complex subcontracting chains can affect the financial entity’s ability to effectively monitor and manage the contracted functions. This could impact the entity’s overall operational resilience and the competent authority’s ability to supervise and ensure compliance effectively.

The identification and assessment of ICT concentration risks and the evaluation of subcontracting arrangements are essential aspects of managing ICT-related risks for financial entities. By thoroughly evaluating the potential scenarios involving concentration risks and subcontracting, and by considering factors such as compliance with data protection standards and applicable insolvency laws, financial entities can better manage their reliance on ICT third-party service providers and ensure their operational resilience.
