Article 25 Digital Operational Resilience Act (DORA), General Principles
The Digital Operational Resilience Act (DORA), Article 25, emphasizes the critical role of financial entities in managing ICT third-party risks as an integral part of their overall ICT risk management framework. This management is guided by several key principles to ensure the security, continuity, and quality of financial services.
Responsibility and Compliance
Financial entities that engage in contractual arrangements with ICT service providers remain fully accountable for complying with all regulatory obligations. This responsibility persists regardless of the involvement of third-party providers, ensuring that financial entities cannot delegate their regulatory duties to external ICT service providers.
Proportionality Principle
The management of ICT third-party risks must align with the principle of proportionality. This requires financial entities to consider the scale, complexity, and importance of their ICT-related dependencies. Specifically, they must assess the risks associated with contractual arrangements with third-party providers, particularly focusing on the criticality of the services provided and their potential impact on the financial entity's operations.
Strategic Risk Management
As part of their ICT risk management framework, financial entities are required to develop, adopt, and regularly review a strategy for managing ICT third-party risks. This strategy must consider a multi-vendor approach as outlined in Article 5(9) and include a comprehensive policy on the use of ICT services provided by third parties. The management body of the financial entity must regularly assess risks related to the outsourcing of critical or important functions, ensuring these risks are effectively managed.
Documentation and Reporting
Financial entities must maintain and update a detailed Register of Information concerning all contractual arrangements with ICT third-party service providers. This register must differentiate between arrangements that cover critical or important functions and those that do not. Additionally, financial entities are required to report annually to competent authorities on new ICT service arrangements, including details on service providers, types of contracts, and the services provided. The full register or specific sections must be made available to authorities upon request to facilitate effective supervision.
Pre-Contractual Assessments
Before entering into a contractual arrangement with an ICT service provider, financial entities must assess whether the contract covers critical or important functions. They must also evaluate if the supervisory conditions for contracting are met, identify and assess all relevant risks, and ensure the provider is suitable through rigorous due diligence processes. This includes identifying potential conflicts of interest that may arise from the contractual arrangement.
Security Standards Compliance
Financial entities are permitted to enter into contracts only with ICT third-party service providers that meet high and appropriate information security standards. This ensures that the service providers' practices align with the latest security protocols, safeguarding the financial entity's operations.
Audit and Inspection Rights
Financial entities must exercise their rights to access, inspect, and audit ICT third-party service providers following a risk-based approach. This includes pre-determining the frequency of audits and the areas to be audited, adhering to commonly accepted audit standards. For complex technological arrangements, entities must ensure that auditors possess the necessary skills and knowledge to conduct assessments effectively.
Termination of Contracts
Contracts with ICT third-party service providers must be terminated under specific circumstances, including breaches of laws or regulations, identified risks that could affect the performance of contracted functions, and weaknesses in the provider’s ICT risk management. Additionally, contracts should be terminated if they impede the competent authority's ability to supervise the financial entity effectively.
Exit Strategies
Financial entities are required to develop and implement exit strategies to mitigate risks associated with ICT third-party service providers, such as provider failure or service quality deterioration. These strategies should ensure that the financial entity can terminate contracts without disrupting business activities, compromising regulatory compliance, or affecting service continuity. Exit plans must be well-documented, comprehensive, and tested where appropriate. Entities should also identify alternative solutions and develop transition plans to securely transfer contracted functions and data to other providers or reintegrate them in-house.
Technical Standards Development
The European Supervisory Authorities (ESAs) are tasked with developing draft implementing technical standards to establish templates for the Register of Information. These drafts must be submitted to the Commission within one year after the regulation's entry into force, enabling the Commission to adopt the necessary standards in accordance with relevant EU regulations.
Regulatory Standards Development
The ESAs are also responsible for creating draft regulatory technical standards that specify the content of policies on ICT third-party service contracts and the types of information to be included in the Register of Information. These drafts are to be submitted within one year of the regulation's entry into force, with the Commission empowered to adopt the standards to ensure comprehensive regulatory oversight.