Chapter V: Managing of ICT third-party risk (Articles 28-44)
How DORAedge enables compliance with DORA
Article 28.1: General Principles for Managing ICT Third-Party Risk
Financial entities must manage ICT third-party risk as part of their overall ICT risk management framework. They remain fully responsible for compliance with the regulation and financial laws, even when using ICT third-party services.
How DORAedge Assists:
Provides a standardised risk management toolkit and integrates the financial entity's own ICT third-party risk management into its broader ICT risk management framework.
Tracks compliance status and contractual obligations for each third-party provider.
Article 28.2: ICT Third-Party Risk Strategy
Entities must develop and regularly review a strategy for managing ICT third-party risk, including policies for critical ICT services provided by third-party providers.
How DORAedge Assists:
Financial entities can upload their ICT third-party risk strategies to DORAedge, where they are reconciled against the DORA requirements.
Article 28.3: Register of ICT Third-Party Contracts
Entities must maintain a register of all contractual arrangements with ICT third-party service providers, documenting services that support critical or important functions. They must report annually to competent authorities on new ICT service arrangements.
How DORAedge Assists:
Manages a centralised register of all ICT third-party contracts and providers, including a full log of historic changes.
Automatic resolution of LEI (Legal Entity Identifier) codes.
Automates annual reporting to competent authorities.
Article 28.4: Pre-Contractual Assessment
Before entering into ICT service contracts, entities must assess the risks, conduct due diligence, and evaluate potential conflicts of interest.
How DORAedge Assists:
DORAedge itself cannot conduct the due diligence or evaluate conflicts of interest. Once the findings are distilled into risks, however, those risks can be recorded and mapped on the DORAedge platform.
Article 28.5: Information Security Standards
Entities may only contract ICT third-party providers that comply with appropriate information security standards.
How DORAedge Assists:
Tracks compliance with information security standards for all third-party providers.
Flags providers of critical or important functions so that the highest-quality information security standards are verified before contracting, and continuously requests updated certifications and attestations.
Article 28.6: Audit Rights
Financial entities must establish audit rights over ICT third-party service providers, ensuring appropriate audit frequency and auditor expertise.
How DORAedge Assists:
Audit rights, including audit frequency and the expertise required of the auditor, should be set out in the contract between the financial entity and the ICT third-party service provider.
Article 28.7: Termination of ICT Contracts
Entities must ensure contracts can be terminated in cases of regulatory breaches, deficiencies in the provider's performance or ICT risk management, or circumstances that prevent the competent authority from effectively supervising the entity.
How DORAedge Assists:
Termination rights should be set out in the contract between the financial entity and the ICT third-party service provider.
Article 28.8: Exit Strategies
Entities must have exit strategies for ICT services supporting critical functions, ensuring continuity of business operations and compliance with regulatory requirements during transition or termination of services.
How DORAedge Assists:
Provides tools for documenting and maintaining exit strategies for each critical or important function.
Article 29: Preliminary Assessment of ICT Concentration Risk
Entities must assess the risks of concentration when relying on a single ICT third-party provider for critical services or if multiple services are outsourced to closely connected providers.
How DORAedge Assists:
Tracks concentration risk natively and supports diversification strategies.
Analyses subcontracting chains for critical or important functions and highlights the resulting risks.
Article 30: Key Contractual Provisions
Contracts with ICT third-party providers must clearly define rights and obligations, service locations, data protection provisions, and contingency plans.
How DORAedge Assists:
Provides templates and structured questionnaires for ICT service contracts, ensuring that all provisions required by Article 30 are included.
Backed-up, highly available repository for all contract information and contingency plans.
Article 31–44: Oversight of Critical ICT Third-Party Providers
These articles detail the oversight framework for critical ICT third-party service providers, including the designation of critical providers, the Lead Overseer's responsibilities, and international cooperation. These provisions largely pertain to the ESAs and other oversight bodies rather than directly to financial entities.
DORAedge does not support ESAs or competent authorities as customers; it is focused solely on helping financial entities. These articles govern obligations of parties other than financial entities.
Article 31: Designation of Critical ICT Third-Party Providers (Relevant to ESAs)
The ESAs, through the Joint Committee, will designate critical ICT third-party providers and assign Lead Overseers to ensure oversight of these providers.
Note: This does not apply directly to financial entities, but it affects their relationship with critical providers once those providers are designated.
Article 32: Structure of the Oversight Framework (Relevant to ESAs)
The ESAs will establish the Oversight Forum to monitor ICT third-party risks and facilitate coordination across financial sectors.
Note: This pertains to oversight responsibilities and is not directly relevant to financial entities.
Article 33–35: Powers and Tasks of the Lead Overseer (Relevant to ESAs)
The Lead Overseer will conduct assessments, investigations, and issue recommendations to critical ICT third-party providers to manage their ICT risks effectively.
Note: Financial entities may receive instructions based on the Lead Overseer's findings, but these tasks fall under the ESAs' remit.
Article 36–37: Oversight and Inspections (Relevant to ESAs)
The Lead Overseer, in coordination with other authorities, will conduct inspections and request information from critical ICT third-party providers.
Note: This oversight function pertains to ICT service providers and is not directly applicable to financial entities.
Article 38–40: General Investigations, Inspections, and Ongoing Oversight (Relevant to ESAs)
The Lead Overseer will carry out general investigations and inspections of critical ICT third-party service providers, including premises inspections and audits.
Note: Financial entities may need to cooperate, but this is primarily focused on critical ICT providers.
Article 41: Harmonization of Oversight Conditions (Relevant to ESAs)
The ESAs will develop technical standards to ensure consistent oversight of ICT third-party providers, including subcontracting arrangements and audit templates.
Note: This task is assigned to the ESAs and is not directly relevant to financial entities.
Article 42–43: Follow-Up and Fees for Oversight (Relevant to ESAs)
The Lead Overseer issues recommendations to critical ICT third-party service providers, competent authorities follow up on those recommendations, and critical ICT third-party service providers must pay oversight fees to cover the costs of oversight activities.
Note: Financial entities are not responsible for these tasks, but they are expected to take the risks identified in the Lead Overseer's recommendations into account in their own ICT third-party risk management, and competent authorities may require them to suspend or terminate arrangements with a critical provider that does not follow the recommendations.
Article 44: International Cooperation (Relevant to ESAs)
The ESAs may engage with third-country authorities to ensure consistent oversight of ICT third-party providers across jurisdictions.
Note: This is relevant for cross-border regulatory cooperation and does not directly impact financial entities.