In our second DORA blog, we discuss an important first step towards compliance: the mapping and classification of ICT services for financial institutions.

All new and existing contractual arrangements with third-party ICT service providers have to be DORA-compliant from 17 January 2025. Requirements relating to the management of third-party ICT risk range from the implementation of third-party ICT risk strategies to ensuring that ICT contracts contain the required provisions set out in DORA, to maintaining a register of third-party ICT service providers. Additional requirements apply to ICT services that support critical and important functions of the financial institution, and to subcontracting for such services.

Flowchart: step one towards managing ICT third-party risk under DORA
"An important first step towards compliance is the mapping and subsequent classification of arrangements with third-party ICT service providers", says financial law partner Sven Uiterwijk. Our team has developed a flowchart to provide guidance on how to determine whether a (proposed) arrangement with a third-party ICT service provider is subject to third party risk requirements set out in DORA and whether the arrangement supports critical and important functions of the financial entity.
