Article 26 Digital Operational Resilience Act (DORA), Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements

Sep 12, 2024

Article 26 of the Digital Operational Resilience Act (DORA) is integral to ensuring that financial entities within the European Union (EU) manage risks associated with Information and Communication Technology (ICT) services, particularly those related to the concentration of ICT service providers and sub-outsourcing arrangements. This article mandates a thorough assessment of potential risks that arise from contracting ICT services, especially when those services are concentrated with a few providers or involve complex chains of sub-outsourcing. The objective is to strengthen the digital resilience of financial entities by preventing over-reliance on single or closely connected ICT service providers and ensuring effective oversight over sub-contracted services.

Assessing ICT Concentration Risk

The first section of Article 26 requires financial entities to carefully evaluate ICT concentration risks as part of their broader ICT risk management strategy. When entering into contractual arrangements for ICT services, financial entities must consider whether these arrangements could lead to the following risks:

  • Non-Substitutable ICT Service Providers: Financial entities must assess whether contracting with a particular ICT third-party service provider could result in over-reliance on a provider that is not easily replaceable. This situation can occur when the provider offers highly specialized services or holds a dominant market position, making it difficult for the financial entity to switch providers in the event of service disruptions, failures, or contractual disagreements.
  • Multiple Contracts with the Same or Closely Connected Providers: Another risk to consider is having multiple contracts with the same ICT service provider or with providers that are closely connected, such as subsidiaries of the same parent company. Such arrangements can lead to a concentration of risk, where disruptions affecting one provider could have a cascading impact across all services contracted by the financial entity.

To mitigate these risks, financial entities are required to weigh the benefits and costs of alternative solutions. This involves exploring the possibility of contracting with different ICT service providers, which can reduce dependence on a single provider and enhance the entity’s overall digital resilience. The decision-making process should align with the business needs and objectives outlined in the financial entity’s digital resilience strategy. This means that any alternative solutions should not only address concentration risks but also support the entity’s long-term operational goals and digital resilience framework.

Evaluating Sub-Outsourcing Arrangements

The second section of Article 26 focuses on the risks associated with sub-outsourcing arrangements, where an ICT third-party service provider sub-contracts critical or important functions to other ICT providers. This practice can introduce additional layers of complexity and risk, particularly if the sub-contractor is based in a third country outside the EU.

When a contractual arrangement includes the possibility of sub-outsourcing, financial entities are required to assess the potential benefits and risks. This assessment is especially crucial when the sub-contractor is established in a third country, as this can introduce several legal, regulatory, and operational challenges. Key factors that financial entities must consider include:

  • Data Protection Compliance: Financial entities must ensure that sub-contractors in third countries comply with EU data protection regulations, such as the General Data Protection Regulation (GDPR). This includes assessing whether the third country provides adequate data protection standards and whether the financial entity can ensure the security and privacy of its data when it is transferred to or processed by the sub-contractor.
  • Effective Law Enforcement: The ability to enforce contracts and regulatory compliance in a third country is another critical factor. Financial entities need to assess whether the legal framework in the sub-contractor’s country allows for effective enforcement of laws and whether there are any legal barriers that could hinder the financial entity’s ability to assert its rights or seek recourse in the event of disputes.
  • Insolvency Law Provisions: In the case of the ICT third-party service provider’s bankruptcy, financial entities must understand the insolvency laws of the third country and how they might affect the financial entity’s access to its data and the continuity of services. Insolvency law provisions are particularly important in ensuring that the financial entity can recover its data and resume operations with minimal disruption.
  • Constraints on Data Recovery: Financial entities must also consider any constraints that may arise with respect to the urgent recovery of their data. This includes assessing the logistical and legal challenges of retrieving data from a third country and ensuring that robust mechanisms are in place to facilitate data recovery in the event of a service disruption or termination of the contract.

In addition to these factors, financial entities are required to assess the impact of long or complex chains of sub-contracting on their ability to effectively monitor the contracted functions. Complex sub-contracting arrangements can obscure the financial entity’s visibility into the performance of, and the risks associated with, the sub-contracted services. This lack of transparency can hinder the financial entity’s ability to manage risks and ensure compliance with regulatory requirements. Moreover, complex sub-contracting chains can also impair the ability of competent authorities to effectively supervise the financial entity, further exacerbating the risks.

Conclusion

Article 26 of DORA plays a critical role in guiding financial entities in managing ICT concentration risks and sub-outsourcing arrangements. By requiring thorough assessments of the risks associated with ICT service providers and their sub-contractors, the article aims to prevent over-reliance on single providers, ensure compliance with data protection and legal requirements, and maintain the transparency and oversight necessary for effective risk management. This approach not only enhances the digital resilience of financial entities but also strengthens the overall stability and security of the EU’s financial system.