Counting down to DORA – Mapping and classification of ICT services

In our second DORA blog, we discuss an important first step towards compliance: the mapping and classification of ICT services for financial institutions.

All new and existing contractual arrangements with third-party ICT service providers have to be DORA-compliant from 17 January 2025. Requirements relating to the management of third-party ICT risk range from the implementation of third-party ICT risk strategies to ensuring that ICT contracts contain the required provisions set out in DORA, to maintaining a register of third-party ICT service providers. Additional requirements apply to ICT services that support critical and important functions of the financial institution, and to subcontracting for such services.

Flowchart: step one towards managing ICT third-party risk under DORA
"An important first step towards compliance is the mapping and subsequent classification of arrangements with third-party ICT service providers", says financial law partner Sven Uiterwijk. Our team has developed a flowchart to provide guidance on how to determine whether a (proposed) arrangement with a third-party ICT service provider is subject to third party risk requirements set out in DORA and whether the arrangement supports critical and important functions of the financial entity.

Download: flowchart

Flowchart: Is the (proposed) arrangement with a third-party ICT service provider subject to third party risk requirements set out in DORA? And does the arrangement support critical and important functions of the financial entity?
Counting down to DORA blog series
11 April 2024: Governance of ICT risks and board member responsibility
14 March 2024: ICT services comparison with the ESMA and EBA outsourcing guidelines
17 February 2024: Mapping and classification of ICT services
17 January 2024: Counting down to DORA – three key aspects
8 December 2023: Comparison of ESMA outsourcing guidelines, EBA outsourcing guidelines and DORA
21 November 2022: The forthcoming EU legal framework on Digital Operational Resilience in the financial sector
Digital Operational Resilience Act (DORA)

Related articles

AIFMD II enters into force - the implementation period has started

Counting down to DORA – governance of ICT risks and board member responsibility

ESG Matters: European Court rules that Switzerland’s climate inaction violates human rights

NautaDutilh appoints three new partners

ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA

ESG Matters: Where are we heading with the CSDDD?

NautaDutilh intensifies AI collaboration with Fledger

DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance

NautaDutilh assists Buckaroo on partnership with ABN AMRO

NautaDutilh IP team maintains strong standing in WTR 1000 2024

Romain Sabatier wins 'Insolvency Law – Lawyer of the Year' Award by Lawyer Monthly

NautaDutilh assists Rabobank in setting up the fund Rabo Transitiefonds

Privacy & data in the Benelux: five things you need to know in 2024

NautaDutilh advises a.s.r. on its sale of Knab to BAWAG

Benelux Competition Law in 2024: five things you need to know

Technology and the law in 2024: five things you need to know

Counting down to DORA – three key aspects

Strict liability regime in case of enforcement of invalid IP rights can be 'appropriate'

ESG Matters: the Belgian climate case (Klimaatzaak)

NautaDutilh assists Woningborg into partnership with French mutual insurer SMABTP

NautaDutilh assists ABN AMRO with launch of EU Emission Allowances trading service

EU AI Act: three key insights on the world's first comprehensive AI law

Comparison - ESMA outsourcing guidelines, EBA outsourcing guidelines & DORA

The Chambers Technology & Outsourcing guide 2023

Q&AI: What financial institutions need to consider when using AI

NautaDutilh assists ING with setting-up a new insurance distribution partnership with Allianz-Direct

The Foreign Direct Investment Regimes Guide 2024

ESG Matters: Sustainability supervision in the financial sector

NautaDutilh assists TCS in expanding its partnership with Athora

Life Sciences challenges and opportunities in Europe and the USA: key insights

Luxembourg FDI screening mechanism enters into force

A new era in patent litigation: five things to know about the start of the UPC

Update Luxembourg law on business licenses: three key insights

NautaDutilh contributes to The Legal 500 AI Comparative Guide

New bill of law for modernisation and retailisation of Luxembourg fund solutions

Third parties can intervene in BDPA proceedings and appeal its decisions

The twin transition of the financial sector: eight key insights

The law on the use of digital tools and processes in company law in force in Luxembourg

The competition dynamics in relation to cloud services

NautaDutilh assists founding shareholders of Route Mobile in selling majority stake to Proximus

Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows

NautaDutilh writes Netherlands chapter of the Global Legal Insights on AI, Machine Learning and Big Data 2023

NautaDutilh named Benelux Trademark Firm of the Year at the 2023 Managing IP Awards

The law on the use of digital tools and processes in company law

Luxembourg: introduction of national FDI screening mechanism

ESG Matters: Impact litigation

Upcoming EU legislation on artificial intelligence

New bill of law for the modernisation and retailisation of Luxembourg fund solutions

ESG Matters: EU proposals to tackle greenwashing

NautaDutilh Luxembourg ranked in Chambers FinTech 2023

Best practices for drafting and updating data protection notices

NautaDutilh assists Bluestar Alliance in Scotch & Soda acquisition

NautaDutilh strengthens Financal Law practice with arrival of Roel Theissen as counsel

EU Foreign Subsidies Regulation (FSR): five things you need to know

Using ChatGPT and other generative AI tools: risks and challenges

The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR

NautaDutilh assists Lifetri with plans to enter into long-term strategic relationship with Legal & General

NautaDutilh continues to demonstrate excellence in the Chambers Europe 2023 rankings

Benelux Competition Law in 2023: five things you need to know

Data Protection in Belgium: the 2023 focus of the BDPA

Basic banking service for businesses in Belgium: (almost) operational

NautaDutilh contributes to IAPP's Global Legislative Predictions 2023

NautaDutilh advises ABN AMRO on tokenised securities

Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023

Benelux Technology Law in 2023: five things you need to know

CJEU decision extending the scope of article 5(1) of the Damages Directive

UPC update: extension Sunrise Period, judicial appointments and more

GDPR & AML: no longer public access to UBO data without legitimate interest

A low degree of similarity?

No longer public access to UBO data without legitimate interest

DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector

Vincent Wellens on FATCA in the Paperjam

DORA the EU Regulation

NautaDutilh contributes to Technology Disputes Guide by Lexology

The Unified Patent Court: five things you need to know

NautaDutilh Luxembourg's 20th Anniversary Cocktail Party

CSSF publishes Communication on SFDR RTS confirmation letter

NautaDutilh boosts its funds practice with the arrival of partner Géraldine Léonard

Paying a tribute is not dishonest