DORA – Managing ICT third-party risk

Managing ICT third-party risk

Financial entities manage the third-party risk of information and communication technologies (ICT third-party risk) across the entire life cycle. ICT third-party risk is the ICT-related risk that may arise from the use of ICT services provided by ICT third-party service providers or their subcontractors.

In addition to the requirement to operate a register of information about ICT third-party service providers, the rules cover drawing up a strategy for ICT third-party risk, conducting due diligence checks before using ICT services, the contents of contracts, and exit strategies.

Register of Information

The register contains information about all ICT services that are directly provided by ICT third-party service providers. Sub-outsourcings that support ICT services, critical or important functions, or a material part thereof must also be listed.

Such registers of information are required to be submitted to the competent authorities in full at the latter’s request.

On 15 November 2024, the ESAs published a Decision on reporting of information necessary for the designation of critical ICT third-party service providers.

Registers of information should be set up in 2025 for the reference date of 31 March 2025. The competent authorities should submit registers of information to the ESAs by 30 April 2025. It is expected that supervised entities will submit their registers of information to the FMA during the first weeks of April 2025.

Financial entities are requested to submit complete registers of information already at the time that the Digital Operational Resilience Act (DORA) begins to apply.

The submitted information is used to identify critical ICT third-party service providers and is also used in the supervisory process, e.g. in conjunction with the reporting of major ICT-related incidents.

Furthermore, financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions, as well as when a function has become critical or important.

Strategy for ICT third-party risk

The management body shall adopt this strategy and regularly review the risks identified in conjunction with contracts for the use of ICT services supporting critical or important functions. ICT concentration risk at enterprise level is also evaluated.

Due diligence

Prior to the conclusion of contracts, financial entities conduct comprehensive reviews of ICT third-party service providers. For example, contracts may only be concluded with service providers that observe adequate standards for information security.

Contractual agreements

The minimum content of contracts, for example termination rights or notification requirements in the case of an intended change of location, is prescribed. For ICT services that support critical or important functions, additional elements apply, e.g. the services to be agreed upon during a transitional period until the change to another ICT third-party service provider or the performance of the services in-house.

Exit strategies

The objective is to be able to exit contractual agreements without interruption to business activities, while maintaining the continuity and quality of the services provided. Contingency measures, alternative solutions and transition plans are identified for this purpose. Furthermore, exit plans are also tested and regularly reviewed.

Questions and Answers

Financial entities will already be requested to submit the full register of information when DORA begins to apply.

This register will also be required to be submitted to the FMA on an annual basis thereafter.

Article 3(22) DORA defines a critical function as follows:

a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law;

If the subsidiary itself falls within DORA’s scope of application (Article 2 DORA), then all rules apply to the same extent. Where, for example, aspects of the ICT service are outsourced to the parent undertaking (or vice versa), this is captured and treated as an internal ICT service provider.

Yes. See also the question “Which service providers support critical or important functions?”

From the FMA’s perspective, a risk-based approach is necessary when classifying which service providers support critical or important functions. In line with ESA Q&A 2750, the relevant question when classifying a service provider is whether the disruption of the system or service provider would materially impair the affected function(s), especially regarding continuity and security.

According to Article 4(2) DORA, the principle of proportionality applies to Chapters III and IV, as well as to Chapter V Section I, where stipulated in the relevant rules contained therein. Regarding Article 30(2)(i) DORA, reference is made to Article 13(6) DORA on the participation of ICT third-party service providers in ICT security awareness programmes and digital operational resilience training. It stipulates that financial entities must include ICT third-party service providers, as appropriate, in their relevant training programmes. Under this rule, financial entities are therefore required to assess whether the inclusion of ICT third-party service providers is appropriate.

In Annex III of the Specification of the Register of Information, consulting contracts are listed as a separate category (described as ‘Provision of intellectual/ICT expertise services’). Such contracts would also need to be included in this context, provided that a clear link to ICT systems exists.

Where it is clearly apparent from the contract that certain minimum contents pursuant to Article 30(2) DORA are not applicable, these need not be included as separate points in the contract (e.g. omission of the clause about the place of data processing where it is established that no data is transferred to the consultant).

Where a large proportion of these minimum contents appear not to be applicable, this may also indicate that the specific service is not related to information and communication technologies (ICT systems).

Here it is necessary to consider how the open source software is obtained. Where other services are linked to it, such as ongoing support, advice or similar services, an ICT service as defined in DORA may exist. If, in the extreme case, only open source code is obtained, e.g. from a repository, and then used within the entity, no such service would exist; irrespective of this, other provisions in DORA (for example on ICT systems acquisition, development and maintenance) may apply accordingly.

Article 30 (3) (e) (ii) DORA states that the contractual agreements on the usage of ICT services to support critical or important functions cover the right to monitor the ICT third-party service provider’s service on a continual basis, including the right to agree on alternative assurance levels if other clients’ rights are affected.

This paragraph must be read in conjunction with Article 30 (3) (e) (i) DORA:

(i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;

Therefore, in the event that ‘traditional’ audit rights would encroach on the rights of other clients of the service provider due to the specific situation in question, alternative ways of monitoring the service provider’s service may be agreed upon.

In relation to filling in the register of information, the question also arises as to whether there is a materiality threshold regarding the “supporting” of critical functions. This question has been put to the ESAs through the Q&A process. There is no specific time frame in this regard, but clarification on this issue is expected at European level.

The assessment, and the depth of the assessment, must follow a risk-based approach and the principle of proportionality. The Regulatory Technical Standards specifying the elements which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions (Article 30(5) DORA) contain more detailed rules.

While certifications may be taken into account as a source of information when assessing the suitability of a service provider, they are not a substitute for a service provider assessment.

As stated in the response to the previous question, a certification may not be considered a substitute for assessing the service provider, and similarly a certification may not replace the ongoing (re-)auditing of the service provider. The frequency of ongoing reviews of service providers depends on their criticality and is therefore to be assessed on a case-by-case basis.

The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.

Legal bases

Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.