Go to content

Management of ICT risk for third-party providers

DORA devotes a lot of attention to third-party risk in order to limit supply chain risks as far as possible. Companies are required to explicitly include third-party risk in the ICT risk management framework and to develop a strategy for outsourcing, including of IT.

The requirements for limiting the risks within the chain are set out in Chapter V (Articles 28 to 44) of the Regulation. These articles cover the required policy documents, risk analyses and contractual provisions, among other things. These articles also define the oversight framework for critical third-party providers of ICT services.

Outsourcing

The Regulation specifies the elements that are important to consider when outsourcing. For example, companies must always have mutual agreements in place with the service provider covering service levels (e.g. in service level agreements).

In the case of critical outsourcing, an exit strategy must always be available. There are also a number of fixed elements that companies must include in an agreement. An example is the power to require an inspection or audit by the institution, a designated third party or the competent supervisory authority.

Companies must also maintain a register of existing outsourcing arrangements, including relevant characteristics.

General principles for managing ICT risk for third-party providers

Articles 28 and 29 of DORA outline the different general principles for third-party risk management. To be resilient against cyber threats and ICT disruptions throughout the chain, it is important to be mindful of the risks of taking ICT services from third-party providers.

These articles focus on the measures companies should take before concluding an agreement with a third-party provider. This involves the same requirements for external agreements as for intragroup agreements.

Strategy

First of all, companies should explicitly address the ICT risks arising from using services from third-party providers. This risk analysis is not an isolated exercise, but needs to be part of the organisation-wide ICT risk management framework.
Additionally, DORA requires companies to develop a strategy for third-party risk management, in which the risks of outsourcing critical services are regularly reviewed. Microenterprises are exempt from the obligation to develop this strategy.

Register

All contractual arrangements for the provision of ICT services must be recorded in a register of information. Companies should also include in this register of information whether the services purchased support critical or important activities. Supervisory authorities may request this register of information. The register of information is important for an institution's internal control, but will also be used by the ESAs to designate Critical Third-Party Service Providers (CTPPs) of the European Union.

Reporting

Furthermore, DORA requires companies to report annually to the supervisory authority which third-party ICT agreements were entered into that year. Agreements relating to critical or important functions will also have to be actively reported to the supervisory authority on an interim basis.

Analysis

Prior to concluding agreements with third-party providers, various aspects should be analysed, such as the required ICT security level and the required frequency and scope of audits and inspections. It is also important to consider any concentration risks.

Further subcontracting by the service provider may also have an impact on this. Additionally, companies also need to have an exit strategy in place if third-party providers support critical or important functions. Such exit strategy has to consider any risks that may occur on the part of the service provider, such as a disruption in provision, deterioration in quality or (premature) termination of the agreement.

The ESAs have developed a standard model for the register of contractual arrangements. They have also further elaborated the key principles for third-party risk management in an RTS. The standard model and the starting points have since been submitted to the European Commission.

General principles: key contractual provisions

Article 30 of DORA includes different provisions that companies need to include in contractual arrangements with third-party providers. It distinguishes between elements that must be included in all agreements, and additional obligations for agreements that support critical or important functions.

Examples of elements that must at all times be included in agreements are:

• Both parties’ rights and obligations.
• A full description of the services provided.
• The regions and/or countries where the services are to be provided and where data are to be processed.
• The service level to be provided.
• The level of data protection, in terms of availability, authenticity, integrity and confidentiality.
• The support in case of incidents.
• The termination rights and related minimum notice periods. In addition to the elements above, contractual arrangements on the outsourcing of services supporting critical or important functions will need to include at least the following:
• The service provider’s reporting obligation.
• The requirement for the service provider to implement and test business contingency plans.
• The obligation of the service provider to cooperate in the financial institution’s Threat-Led Penetration Tests (TLPTs).
• The right of inspection and audit by the financial entity or an appointed third party.
• It also sets additional and more in-depth requirements for the provisions that should apply to all means of subcontracting, such as detailing the services provided through accurate key performance indicators.

Microenterprises may agree with the service provider that audits and inspections are performed by an independent party appointed by the service provider, rather than microenterprises performing them themselves. However, in doing so, microenterprises should always be able to request the necessary information from this party.

Critical third-party providers are also under supervision

A large part of the ICT services of the financial sector is being outsourced to a limited number of ICT providers. That will entail concentration risks, which is why DORA enables the supervision of these service providers. These are crucial for the stability of the European financial sector.

At present, these articles do not yet directly affect financial undertakings. Ultimately, this oversight will be able to bring companies greater certainty about the digital resilience of outsourcing partners.

Articles 31 to 44 describe this new mandate in the so-called oversight framework. The ESAs are selecting the service providers that will be covered by this framework. This will presumably take place in the course of 2025.

Among other things, this instruction is based on the service provider’s impact on the system and the level of dependability and substitutability of this service. A lead overseer will be appointed for each service provider that will be responsible for the supervision.

Depending on the sector most serviced, this will be ESMA, EIOPA or EBA. Ultimate supervision will be performed by a team of European and national supervisory authorities.