All new and existing contractual arrangements with third-party ICT service providers have to be DORA-compliant from 17 January 2025. Requirements relating to the management of third-party ICT risk range from the implementation of third-party ICT risk strategies to ensuring that ICT contracts contain the required provisions set out in DORA, to maintaining a register of third-party ICT service providers. Additional requirements apply to ICT services that support critical and important functions of the financial institution, and to subcontracting for such services.
Flowchart: step one towards managing ICT third-party risk under DORA
"An important first step towards compliance is the mapping and subsequent classification of arrangements with third-party ICT service providers", says financial law partner Sven Uiterwijk. Our team has developed a flowchart to provide guidance on how to determine whether a (proposed) arrangement with a third-party ICT service provider is subject to the third-party risk requirements set out in DORA and whether the arrangement supports critical and important functions of the financial entity.
Flowchart: Is the (proposed) arrangement with a third-party ICT service provider subject to the third-party risk requirements set out in DORA? And does the arrangement support critical and important functions of the financial entity?
Counting down to DORA blog series
- 17 May 2024: Mapping & classification of ICT services ‘supporting’ critical or important functions
- 11 April 2024: Governance of ICT risks and board member responsibility
- 14 March 2024: ICT services comparison with the ESMA and EBA outsourcing guidelines
- 17 February 2024: Mapping and classification of ICT services
- 17 January 2024: Counting down to DORA – three key aspects
- 8 December 2023: Comparison of ESMA outsourcing guidelines, EBA outsourcing guidelines and DORA
- 21 November 2022: The forthcoming EU legal framework on Digital Operational Resilience in the financial sector
- Digital Operational Resilience Act (DORA)