Management of ICT third-party service providers

Third-party risk management (TPRM)

When a financial market participant uses an ICT service provided by a third party, it must ensure compliance with the requirements set out in Regulation (EU) 2022/2554 (DORA) throughout the entire life cycle of the service – from pre-contract assessment to ongoing monitoring and termination.

1. Before concluding the contract
Prior to entering into a contract, the institution must:

  • Identify whether the ICT service supports a critical or important function, or a function whose disruption would significantly impair the financial entity’s financial performance, service continuity, or ability to meet obligations. Examples include payment processing, settlements, cloud infrastructure supporting core services, or the processing and storage of customer data. Additional requirements apply when contracting for such services.
  • Assess the service provider’s reputation, experience, service quality, and compliance with regulatory requirements, including cybersecurity and business continuity capabilities (Article 28(4) of DORA).
  • Identify and evaluate operational and reputational risks, including cyber, technological, geopolitical, and compliance risks, arising from the use of the third-party service.

2. Contracting and commencement of service
When concluding the contract and initiating service use, the institution must:

  • Include all mandatory contractual requirements as set out in Article 30 of DORA. For services supporting critical or important functions, the contractual requirements of RTS 2024/1773 must also be incorporated. A standardised contract annex may be used, provided it reflects the applicable regulatory requirements. These obligations also extend to ICT services used within a financial group.
  • The contract must clearly define, depending on the service type:
    • description of the service and allocation of responsibilities;
    • service quality, security, and continuity requirements (SLA);
    • data processing and protection obligations;
    • incident management and notification procedures;
    • audit and monitoring rights;
    • contract termination and data return/destruction procedures;
    • options for selecting alternative service providers and replacing the existing service provider if the contract with the current third-party service provider is terminated or it is no longer possible to receive the relevant service; and
    • options for insourcing or re-integrating a function previously outsourced to a third-party service provider, where this is necessary or appropriate.
  • Register the respective provider in the Register of Information (RoI). The institution must establish and maintain an up-to-date RoI of third-party ICT service providers in accordance with Article 28(3) of DORA, including data on all third-party contracts. The structure of the register shall be developed in line with ITS 2024/2956, and the Excel template provided by the Latvijas Banka may also be used. The data contained in the register maintained by the institution must be submitted to the supervisory authority upon request.
  • Inform Latvijas Banka at least 30 days in advance if the institution intends to use an ICT service supporting a critical or important function. The notification must include a service description and a risk assessment.
  • Develop and maintain an exit strategy for ICT services supporting critical or important functions, outlining how the institution could either perform the function internally or transition to another service provider if the existing arrangement is terminated or becomes unavailable.

3. Use and monitoring of the ICT service
During the use of the ICT service, the institution must ensure continuous oversight of the service provider. The institution must have the necessary competences, resources, and processes in place to:

  • receive timely information about ICT incidents;
  • regularly monitor service quality, performance, and security; and
  • periodically review and update the risk assessment to identify new or emerging risks related to the ongoing use of the service.

| Required action | When the action is required |
| --- | --- |
| Risk assessment | Before signing the contract |
| Due diligence check | For essential services, before signing the contract |
| Defining minimum contract requirements | While preparing the contract |
| Updating the register of third parties (RoI) | After the contract is concluded |
| Developing an exit strategy | For essential services, while preparing the contract |
| Informing the regulator | 30 days before using the service |
| Regular monitoring | During the service period |

In accordance with Regulation (EU) 2022/2554 (DORA) and the Decision of the European Supervisory Authorities of 8 November 2024 on the time limits and conditions under which records of information must be provided by national supervisory authorities to the European Supervisory Authorities for the purpose of identifying essential ICT third-party service providers, financial institutions are required to maintain and submit an RoI.

Financial institutions subject to the requirements of DORA shall, in accordance with Article 28(3), maintain and update a register of information relating to each contractual arrangement for ICT services provided by third parties.

Financial institutions must submit the information register to the Latvijas Banka for the first time by 15 April 2025, using data current as of 31 March 2025. Thereafter, financial institutions shall submit the register annually by 1 March, using data as of 31 December of the previous year.

Individual financial institutions shall submit the information register at the company level. Group entities shall prepare a consolidated RoI and submit a single register covering all group entities (DORA subjects) at the consolidated level.

The requirements for the content, structure, and format of the RoI are outlined in Commission Implementing Regulation (EU) 2024/2956. Information may be provided in Latvian or English.

The register must be submitted in accordance with the technical document “Requirements for the DORA Information Register Submitted to the Latvijas Banka.”

Questions and answers about the preparation and submission of the information register are available separately. Questions regarding the preparation or submission of the information register may be directed to the Latvijas Banka.

Each financial entity shall identify and categorise its ICT third-party service providers in accordance with the applicable Implementing Technical Standards (ITS). The following examples illustrate common categories of ICT suppliers:

  • Cloud computing service providers;
  • Software suppliers, developers, and support providers;
  • ICT project management and consulting service providers;
  • ICT security, risk, and operational management service providers;
  • ICT infrastructure providers, including physical equipment, premises, and data storage platforms;
  • Communication service providers, including telecommunication systems and network operators;
  • Data analysis and data processing service providers;
  • Data centre service providers;
  • Participants in the payment services ecosystem that provide payment processing or maintain payment infrastructure;
  • Financial entities providing ICT services to other financial institutions;
  • Intragroup service providers, i.e. companies within a financial group that deliver ICT services to parent companies, subsidiaries, or branches.

Three European Supervisory Authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority – are compiling questions and answers to support consistent and effective application of European Union regulation in the area of financial services. The database of questions and answers regarding DORA is available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As - EIOPA) and can be navigated by selecting appropriate filters.

The questions published there are the ones that market participants have most often found confusing. If you cannot find an answer to your question via the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to dora@bank.lv or submit your question via EIOPA's web resource Joint Q&As – EIOPA.

Question. To what extent are the DORA requirements for ICT third-party service providers applicable to software licence distributors? We believe that several requirements are not really applicable, as a distributor does not process any financial institution data, and also the existence or non-existence of a distributor does not affect the operation of the software itself.
Answer. The implementing technical standards for the register of information outline requirements regarding the contractual arrangements to be registered in the register of ICT third-party service providers. They are based on the need for information to identify critical ICT providers and ensure their supervision at the European Union level. The register of information must contain information about software licences. In order to answer the question whether a distributor of licences is an ICT third-party service provider, one has to analyse the commitments outlined in the respective supply contract. An explanation by the European Securities and Markets Authority is available here: ESMA_QA_2103.

Question. Please confirm that we have understood correctly: only the existing ICT service contracts that support critical or important functions should be renewed (amended), i.e. not all existing ICT service contracts, but only those that support critical or important functions.
Answer. The ICT contractual arrangements supporting critical and important functions have to include mandatory provisions based on the requirements set out by Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and an adequate management policy must be developed and implemented. Evaluating and renewing such contracts is a priority to ensure compliance.

As to other ICT contractual arrangements, their compliance with the management principles of third-party related ICT risks and associated risks must be evaluated (Article 28 of DORA). If necessary, these contractual arrangements must also be amended to provide for auditing rights, consent to cooperation with the competent authorities and the requirements referred to in Articles 30(1) and 30(2) of DORA regarding key contractual provisions.
