At the start of this year, our article on Regulation EU 2022/2554 (DORA) and Directive EU 2022/2556 (DORA Amending Directive) (which is accessible here) provided an overview of the background to DORA and the DORA Amending Directive and some key aspects.
In this first follow-on article, we look at what DORA and the DORA Amending Directive envisage regarding the management of ICT third-party risk. This is a critical area of DORA and the DORA Amending Directive, as “third-party” under both pieces of legislation means not only external third-party service providers but also service providers who are intra-group entities and entities which are subsidiaries.
Article 28 of DORA specifies that financial entities will need to manage their ICT third-party risk in accordance with the following principles:
- financial entities need to have contractual arrangements for the use of ICT services which are fully compliant with applicable financial services law, including DORA; and
- the management of ICT third-party risk must follow the principle of proportionality. It should consider the nature, scale, complexity and importance of the relevant ICT dependencies and the associated risks arising from the contractual arrangements.
ICT Risk Management Strategy & Register of Information
Article 28 also provides for the creation and maintenance of certain risk management documentation. Under Article 28(2), for example, financial entities must create and frequently review their ICT third-party risk strategies. This strategy must contain a policy on using ICT services that support critical or important functions (CIFAs) provided by ICT third-party service providers.
Article 28(3) specifically requires financial entities to create a register of information which provides information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers. This register must display which arrangements cover services which are CIFAs, and which are not.
This register must be available to the competent authority for review, and a financial entity is required to report to the competent authority, at least yearly, the number of new arrangements on using ICT services, the categories of the providers, the type of arrangements and the services and functions being provided. Additionally, financial entities are expected to inform the competent authority on any planned contractual arrangement on the use of ICT services supporting CIFAs and when a function becomes a CIFA.
For many financial entities, these are not entirely new obligations. The Central Bank of Ireland (CBI) already requires financial entities to submit a register of outsourced contractual arrangements each year. Financial entities must also notify the CBI where a CIFA has been outsourced or if there has been a material change to a pre-existing outsourcing arrangement.
Key Contractual Provisions
Observers will quickly notice commonality between the provisions being brought in by DORA and those already existing in the CBI’s, the EBA’s, EIOPA’s and ESMA’s guidance on outsourcing. While DORA mandates written contracts for all relevant agreements, it provides two layers of mandatory provisions, depending on whether the contract addresses a CIFA or not.
The mandatory provisions applicable to both CIFAs and non-CIFAs cover a number of issues, including, but not limited to:
- the description of services provided;
- locations involved;
- protection of data;
- access to data during a resolution event;
- service level descriptions;
- assistance during ICT incidents;
- co-operation with competent authorities;
- conditions regarding digital operational resilience training;
- termination rights; and
- provision of assistance during service disruption.
Where a CIFA is involved, besides the base-level mandatory provisions highlighted above, there are several additional mandatory provisions, found in Article 30(3). These additional CIFA-specific provisions cover issues such as:
- full-service level descriptions, including precise quantitative and qualitative performance targets;
- notice periods and reporting obligations regarding developments capable of a material impact;
- exit strategies;
- participation in threat-led penetration testing;
- unrestricted access, inspection and audit rights;
- monitoring of performance; and
- the implementation and testing of business contingency plans.
How can affected entities prepare?
The first practical step is a legal review of all potentially relevant contracts and ongoing or imminent tenders for third-party ICT services. A gap analysis can then be documented to identify areas of concern on a per-contract basis. This gap analysis is also important to ensure all relevant contracts are captured for the register of information. Once the gap analysis is done, contracts identified as having material gaps, particularly contracts relating to CIFAs, can be amended to address and close the identified gaps. This may entail some level of re-negotiation with third-party service providers.