EU DORA ICT Third-party providers
A short blog summarising how DORA is applied to ICT Third-party providers.
How does DORA ((EU) 2022/2554 - Digital Operational Resilience Act) apply to ICT Third-party providers?
This is a very good question, and one where most practitioners simply assume that ICT third-party providers must implement the same requirements prescribed for financial entities. However, if you read the Act in detail, most clauses are framed with phrases such as "financial entities shall", "the Lead Overseer shall" or "the ESAs shall". The result, in our opinion, is that financial entities are on the hook for almost everything. This is deliberate: DORA is crafted to ensure financial entities take full responsibility for managing their ICT risk, including the risk that arises from their use of third-party providers.
That is not to say ICT third-party providers are out of scope; they most definitely are in scope. Crucially, however, they are not included in the definition of "financial entities" (see Article 2(2)). Their inclusion in the overall scope means that ICT third-party providers can see what is required of them in order to contract with a financial entity in the EU. As an example, the mandatory contract clauses in Article 30 bind both sides of the arrangement: the financial entity must ensure they are present, and the provider must accept and deliver on them (see below). In addition, financial entities will need ICT third-party providers to do more to help them comply with DORA. This should result in an uplift in the services purchased, which will need to be re-negotiated as part of the contractual agreements.
DORA contract clauses
The contract clauses that DORA (Article 30(2)) requires in every contractual arrangement for ICT services cover:
- Service level agreements
- Description of all functions and ICT services
- Locations where the service is provided from and where data is to be processed
- The Information Security measures in relation to the protection of data, including personal data
- The access, recovery and return in an easily accessible format of personal and non-personal data
- The obligation of the ICT third-party provider to provide assistance when an ICT incident related to the service occurs
- The obligation of the ICT third-party provider to fully cooperate with the financial entity's competent authorities and resolution authorities
- Termination rights and related minimum notice periods
- Participation in the financial entities’ ICT security awareness programmes and digital operational resilience training
Critical ICT Third-party providers
DORA includes a special designation of ICT third-party providers called critical ICT third-party providers (CTPPs). This subset of ICT third-party providers is deliberately targeted for additional oversight by a Lead Overseer (one of the ESAs). Separately, where a contract covers ICT services that support a financial entity's critical or important functions, Article 30(3) requires the following additional contractual elements, whether or not the provider has been designated a CTPP. In practice a CTPP should expect to see them in most of its contracts with financial entities. They are summarised below:
- Full service level descriptions with precise quantitative and qualitative performance targets and agreed remedial actions
- Notice periods and reporting obligations
- Requirements for the ICT third-party service provider to implement and test business contingency plans
- The obligation of the ICT third-party service provider to participate in threat-led penetration testing (TLPT)
- The right to monitor, on an ongoing basis, the ICT third-party service provider's performance, which entails the following:
  - unrestricted rights of access, inspection and audit by the financial entity (or an appointed third party) and by the competent authority
  - the right to agree on alternative assurance levels if other clients' rights are affected
  - the obligation of the ICT third-party service provider to fully cooperate during inspections and audits by the competent authorities, the Lead Overseer and the financial entity
  - the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits
- Exit strategies, in particular the establishment of a mandatory adequate transition period:
  - during which the ICT third-party service provider will continue providing the respective functions or ICT services
  - allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions
Risk assessment and due diligence
To reinforce this, DORA (Article 28(4)) requires financial entities to undertake a risk assessment and a comprehensive level of due diligence before entering into a contract for ICT services. The legislation is clear on what is required, right down to ensuring that appropriate risk-mitigation controls are in place and working. These are not planned controls but controls that are actually deployed and operating.
If you are an ICT third-party provider (designated a CTPP or not) supporting critical or important functions of one or more EU financial entities, it is expected that you already know how to protect your services. Under DORA the financial entity remains responsible for its ICT risk, and it must have assured itself of this as part of its due diligence process and ongoing monitoring.
Regulatory oversight
As part of its oversight, the Lead Overseer will assess whether each CTPP has comprehensive, sound and effective arrangements in place to manage the ICT risk it may pose to financial entities (Article 33). The assessment covers the following; below is a summary only:
- The ICT requirements for security, availability, continuity, scalability and quality of services
- Ability to maintain high standards of availability, authenticity, integrity or confidentiality of data
- Physical security of premises contributing to ensuring the ICT security
- Risk management processes, including ICT risk management policies
- ICT business continuity policy and ICT response and recovery plans
- Governance arrangements, including organisational structure
- Identification, monitoring and prompt reporting of material ICT-related incidents, including cyber-attacks
- Mechanisms for data portability, application portability and interoperability
- The testing of ICT systems, infrastructure and controls
- The ICT audits
- The use of relevant national and international standards applicable to the services provided to financial entities
A further point worth covering is the requirement for a CTPP established outside the EU to set up a subsidiary in the EU within 12 months of its designation (Article 31). This matters because financial entities may only continue to use your services if you meet this obligation.
Conclusion
While DORA places an extra burden on financial entities, it has the following benefits for their existing ICT third-party providers:
- Uplift in services requiring renegotiation
- Increased integration with financial entities and participation in their digital operational resilience training and testing programmes
- Improved resilience and fewer ICT-related incidents and disruptions
- Additional barrier for new entrants to the market - especially true for CTPPs
It also has the following impacts for ICT Third-party providers:
- Easier path to exit services through portability
- Greater support for financial entities to conduct monitoring
- Additional focus to deliver and meet the agreed SLAs contracted
- Potential periodic penalty payments for CTPPs that do not comply with the Lead Overseer's requirements, of up to 1% of average daily worldwide turnover, applied daily for up to six months (Article 35)
We hope you have found this article useful. If you need help with DORA or digital operational resilience in general please get in touch.
How IT Security Locksmith can help
If you need to undertake an EU Digital Operational Resilience Act gap analysis, please get in touch. We offer three levels:
- Board level - takes about three weeks to complete
- Management level - takes about six weeks to complete
- Full gap analysis - takes about three months to complete
Free expert opinion!
If you are concerned about the EU DORA or told that it's all under control please get in touch for a no obligation free consultation. We can help you understand the challenges, how to go about addressing them and provide you with options and prices for you to take away and consider.
If nothing else you get some expert opinion free of charge!
About IT Security Locksmith
IT Security Locksmith specialises in board level training and consultancy.
To find out more about our capabilities please click here.
Our services page showcases the types of services we offer.
Click here to contact us for a no obligation initial consultation.