The digital age has revolutionized the financial sector, making it more efficient and interconnected. However, this transformation has also introduced new risks, particularly from third-party ICT (Information and Communication Technology) providers. Recognizing the critical role these providers play in the financial ecosystem, the European Union has introduced the Digital Operational Resilience Act (DORA). This comprehensive guide will break down DORA third-party risk standards for you, providing all the information you need to understand and comply with this pivotal regulation.
What is DORA?
The DORA regulation, or the Digital Operational Resilience Act, is a regulatory framework established by the European Union to ensure the operational resilience of the financial sector. Its primary goal is to mitigate ICT risks and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions. This includes risks from third-party service providers, making DORA EU a crucial piece of legislation for any financial institution relying on external ICT services.
The Context Behind DORA
Operational resilience has become a significant concern for regulators, especially given the increasing complexity and interdependence of financial systems. Directives such as the EU’s NIS Directive and NIS 2 Directive, along with the UK’s Network and Information Systems Regulations, highlight the importance of mitigating ICT risks to maintain economic stability. These legislative frameworks set the stage for DORA by emphasizing the need for robust cybersecurity measures across all sectors, particularly in financial services.
Why Third-Party Risk Matters
Financial institutions are heavily reliant on ICT services for their day-to-day operations. This dependence makes them vulnerable to disruptions or failures in their third-party service providers. Regulators emphasize that resilience can only be achieved if every link in the supply chain meets minimum cybersecurity standards. Given the pervasive reliance on IT services, scrutiny has naturally intensified on IT service providers.
Understanding ICT Third-Party Risk
DORA EU takes a broad approach to defining ICT third-party risk. According to Article 3(18) of DORA, ICT third-party risk encompasses any risk that a financial institution might face when using ICT services provided by external vendors or their subcontractors. This includes any outsourcing arrangements. If you rely on an external provider for your IT services, this risk applies to you.
What is an ICT Risk?
Article 3(5) of DORA defines ICT risk as any situation involving network and information systems that, if it happens, could threaten the security of these systems, disrupt technology-dependent tools or processes, or affect service delivery. It’s about anything that could cause trouble in your digital or physical environment.
What are ICT Services?
When DORA talks about ICT services in Article 3(21), it refers to digital and data services delivered through ICT systems to internal or external users. This includes hardware services and technical support via software updates but excludes traditional analog telephone services. Any company providing these ICT services is considered an ICT third-party service provider under DORA.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Scope of DORA’s Regulations
DORA’s definitions are intentionally broad to keep up with technological changes. The key takeaway is that if any part of your operations is outsourced to a third-party IT provider, you need to follow these rules. This includes service providers within the same financial group. Recital 63 says that if you’re part of a financial group and you provide ICT services to your parent company, subsidiaries, or branches, you’re also considered an ICT third-party service provider.
The regulation also covers the payment services sector. As the payment services market becomes more dependent on complex technical solutions, anyone involved in payment processing or running payment infrastructures must comply with DORA. This ensures that all critical services in the financial ecosystem are robust and secure.
Why New Regulatory DORA Requirements?
We know what many of our readers are thinking. They question the necessity of this renewed regulatory focus. For years, EU-based financial entities have adhered to the European Banking Authority’s 2019 Guidelines on Outsourcing Arrangements and the European Securities and Markets Authority’s 2021 Guidelines on Outsourcing to Cloud Service Providers. Many have bolstered their cyber resilience policies and contractual frameworks in response to these guidelines.
The rationale behind DORA’s heightened regulatory stance at the European level lies in harmonizing approaches across Member States and recognizing the escalating complexity of IT interdependencies, which necessitates pan-national oversight.
As stated in Recital 29 of DORA, “Union financial services law lacks specific standards governing contractual arrangements with ICT third-party service providers, leaving a gap in addressing external ICT risks comprehensively.”
DORA introduces a renewed regulatory focus for several reasons:
- Harmonization Across Member States
DORA aims to harmonize approaches across EU Member States, ensuring consistent standards and practices for managing ICT third-party risks. This harmonization addresses the fragmented regulatory landscape that existed before, providing a unified framework applicable to all financial entities operating within the EU.
- Escalating ICT Interdependencies
The increasing complexity and interdependence of IT systems in the financial sector necessitate a more comprehensive regulatory approach. DORA recognizes that disruptions or failures in ICT services can have widespread implications, affecting not only individual financial institutions but also broader financial stability.
- Specific Standards and Governance Gaps
Prior to DORA, specific standards governing contractual arrangements with ICT third-party service providers were lacking. Recital 29 acknowledges this gap in Union financial services law, emphasizing the need for explicit regulatory requirements to manage ICT third-party risks comprehensively.
Key DORA Requirements
DORA outlines stringent requirements for financial entities to manage ICT third-party risks effectively. These requirements ensure operational resilience while maintaining regulatory compliance across the financial sector.
General Principles
Article 28 of DORA establishes general principles for managing ICT third-party risks:
- Integrated Risk Management: Financial entities must manage ICT third-party risk as part of their overall ICT DORA third-party risk management framework, with a focus on proportionality. While all entities must manage these risks, the extent and manner of management should align with the entity’s size, complexity, and operational importance.
- Responsibility and Compliance: Financial entities remain fully responsible for complying with all regulatory obligations, regardless of outsourcing arrangements. They must assess and manage risks considering the potential impact on service continuity and availability at individual and group levels.
Strategy and Policy on ICT Third-Party Risk
Financial entities, except microenterprises and certain smaller entities, must adopt and regularly review a strategy on ICT third-party risk. This strategy should integrate a multi-vendor approach where applicable, applying at individual, sub-consolidated, and consolidated levels. The management body is responsible for periodically assessing risks associated with contractual arrangements, taking into account the entity’s overall risk profile and business complexity.
Register of ICT Contracts
Financial entities must maintain and update a register of all ICT service contracts at various levels (entity, sub-consolidated, consolidated). This register should distinguish contracts supporting critical functions from others. Entities must report new contracts to competent authorities annually, detailing provider types and services offered. They should also disclose planned arrangements for critical functions and provide the register or relevant sections upon request.
Pre-Contractual Assessment
Entities must conduct a pre-contractual assessment before entering into ICT service contracts. This assessment evaluates whether services support critical functions, meet supervisory conditions, and identify and evaluate relevant risks, including concentration risks. Due diligence on potential providers is mandatory, ensuring adherence to information security standards, especially for critical functions.
Contractual Provisions
Contracts with ICT third-party providers must be clear and comprehensive, including service-level agreements documented in a durable format. They should specify all services and functions, subcontracting conditions, data processing locations, and protection provisions. Contracts should ensure the financial entity’s access to data during various scenarios, such as provider insolvency or contract termination. Providers are also obligated to assist during ICT incidents, cooperate with authorities, and participate in security and resilience training.
Monitoring and Audit Rights
Financial entities must secure contracts allowing regular audits and inspections of ICT third-party providers. Audits should follow accepted standards, conducted at predetermined frequencies and scopes based on risk assessments. Auditors must possess the necessary skills to handle complex technical aspects. Contracts should outline conditions for termination in case of significant breaches or conditions impacting provider performance.
Exit Strategies
Entities must develop exit strategies for critical functions, mitigating risks associated with provider failures or disruptions. These strategies facilitate smooth transitions to alternative providers or in-house solutions, ensuring business continuity without regulatory compliance issues or service quality detriments. Exit plans should be well-documented, periodically tested, and include contingency measures for operational continuity during transitions.
ICT Concentration Risk
When assessing contractual arrangements, entities must evaluate potential ICT concentration risks, such as reliance on non-substitutable providers or multiple contracts with the same or connected providers. They should explore alternative solutions, considering benefits and costs aligned with digital resilience strategies. Assessment criteria encompass subcontracting chains, insolvency laws, and compliance with data protection rules, especially involving providers from third countries.
Designation of Critical ICT Third-Party Providers
The ESAs (European Supervisory Authorities), acting through a joint committee, set the designation criteria for critical ICT third-party providers. Criteria include systemic impact, substitutability, and reliance on significant financial entities. Designated providers undergo oversight to meet regulatory expectations and support financial stability.
Proportionality Principle
DORA applies regulatory requirements proportionally to the size, complexity, and risk profile of each financial entity. This principle ensures that regulatory burdens are appropriate and manageable across diverse entities, from small credit unions to multinational banks. It prevents a one-size-fits-all approach, tailoring rules to fit specific contexts while upholding security and resilience standards.
Final Word on DORA
The oversight of ICT third-party risks has become a focal point of regulatory scrutiny, particularly in the context of enhancing operational resilience across the financial sector in both the European Union and the United Kingdom. Directives such as the EU’s NIS Directive and NIS 2 Directive, alongside the UK’s Network and Information Systems Regulations, underscore the criticality of mitigating ICT risks to uphold economic stability. For deeper insights into these legislative frameworks, see our previous articles on the NIS 2 Directive.
Ultimately, being DORA compliant strengthens operational stability, builds stakeholder confidence, and contributes to a more secure and resilient financial ecosystem.Â
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days