ICT Third-Party Risk Management
The DORA framework requiring financial entities to manage risks arising from their dependence on ICT third-party service providers, including contractual requirements, concentration risk monitoring, and an oversight framework for critical providers.
Full Definition
Chapter V of DORA (Articles 28-44) establishes a comprehensive framework for managing the risks that arise from financial entities' reliance on ICT third-party service providers. This framework addresses one of the most significant sources of systemic risk in the modern financial sector: the concentration of critical services in a small number of technology providers, particularly cloud service providers.
Financial entities must maintain and update a register of information in relation to all contractual arrangements on the use of ICT services provided by third-party providers. This register must distinguish between arrangements that cover critical or important functions and those that do not. Before entering into a contractual arrangement, financial entities must assess the risks, including concentration risk, and verify that the provider meets appropriate information security standards.
DORA prescribes detailed mandatory contractual provisions that must be included in agreements with ICT third-party providers supporting critical or important functions. These include: clear descriptions of the services with precise quantitative and qualitative performance targets; provisions on accessibility, availability, integrity, security, and protection of personal data; guaranteed rights of access, inspection, and audit for the financial entity and its competent authorities; termination rights; exit strategies; and adequate transition periods.
Perhaps the most innovative aspect of DORA's third-party framework is the direct oversight mechanism for critical ICT third-party service providers (CTPPs). The European Supervisory Authorities (ESAs) may designate a provider as critical based on criteria such as its systemic impact and the substitutability of its services, and one of the ESAs is appointed as Lead Overseer to conduct direct oversight. The Lead Overseer can issue recommendations and impose periodic penalty payments on a CTPP that does not cooperate with the oversight. Where a CTPP fails to address the recommendations, the ESAs issue a public notice and the competent authorities may, as a last resort, require financial entities to suspend or terminate their arrangements with the provider, effectively creating regulatory leverage over entities that are not themselves regulated as financial institutions.