
Management of ICT third-party service providers


Third-party risk management (TPRM)

When a financial market participant uses an ICT service provided by a third party, it must ensure compliance with the requirements set out in Regulation (EU) 2022/2554 (DORA) throughout the entire life cycle of the service – from pre-contract assessment to ongoing monitoring and termination.

1. Before concluding the contract
Prior to entering into a contract, the institution must:

  • Identify whether the ICT service supports a critical or important function, that is, a function whose disruption would materially impair the financial entity's financial performance, the soundness or continuity of its services, or its ability to meet the conditions of its authorisation or its other legal obligations (Article 3(22) of DORA). Examples include payment processing, settlement, cloud infrastructure supporting core services, and the processing or storage of customer data. Additional requirements apply when contracting for such services.
  • Carry out due diligence on the service provider: its reputation, experience, service quality and compliance with regulatory requirements, including its cybersecurity and business continuity capabilities (Article 28(4) of DORA).
  • Identify and assess the operational and reputational risks arising from the use of the third-party service, including cyber, technological, geopolitical and compliance risks, and whether the arrangement would increase ICT concentration risk (reliance on a single or a small number of providers).

2. Contracting and commencement of service
When concluding the contract and initiating service use, the institution must:

  • Include all mandatory contractual provisions set out in Article 30 of DORA. For services supporting critical or important functions, the contract must also meet the requirements of the regulatory technical standards in Commission Delegated Regulation (EU) 2024/1773. A standardised contract annex may be used, provided it reflects the applicable regulatory requirements. These obligations also apply to ICT services provided by another entity within the same financial group.
  • Depending on the type of service, the contract must clearly define:
    • description of the service and allocation of responsibilities;
    • service quality, security, and continuity requirements (SLA);
    • data processing and protection obligations;
    • incident management and notification procedures;
    • audit and monitoring rights;
    • contract termination and data return/destruction procedures;
    • how an alternative service provider would be selected and the existing provider replaced if the contract is terminated or the service can no longer be provided; and
    • how a function previously outsourced to the provider could be insourced or re-integrated, where this is necessary or appropriate.
  • Record the provider in the Register of Information (RoI). The institution must establish and maintain an up-to-date RoI covering all contractual arrangements with ICT third-party service providers (Article 28(3) of DORA). The register's structure must follow Commission Implementing Regulation (EU) 2024/2956 (ITS on the register of information); the Excel template provided by Latvijas Banka may be used. The institution must submit the register's contents to the supervisory authority on request.
  • Notify Latvijas Banka at least 30 days in advance of the intended use of an ICT service supporting a critical or important function. The notification must include a description of the service and a risk assessment.
  • Develop and maintain an exit strategy for every ICT service supporting a critical or important function, setting out how the institution would either perform the function internally or move it to another service provider if the existing arrangement is terminated or becomes unavailable.

3. Use and monitoring of the ICT service
During the use of the ICT service, the institution must ensure continuous oversight of the service provider. The institution must have the necessary competences, resources, and processes in place to:

  • receive timely information about ICT incidents;
  • regularly monitor service quality, performance, and security; and
  • periodically review and update the risk assessment to identify new or emerging risks related to the ongoing use of the service.

Required action                                   | The moment of action
Risk assessment                                   | Before signing the contract
Due diligence check                               | For services supporting critical or important functions: before signing the contract
Defining minimum contract requirements            | While preparing the contract
Updating the register of third parties (RoI)      | After the contract is concluded
Developing an exit strategy                       | For services supporting critical or important functions: while preparing the contract
Informing the regulator                           | At least 30 days before using the service
Regular monitoring                                | Throughout the service period

Check-list on the implementation of management requirements for third-party ICT services

This check-list helps financial market participants assess and record their implementation of Regulation (EU) 2022/2554 with regard to the management of third-party ICT services. It gives a structured overview of general governance, the contract life cycle and the contractual requirements, in particular those concerning critical and important functions, while taking account of the principle of proportionality and the risk-based approach.

Check-list on the implementation of management requirements for third-party ICT services (DOCX)

The three European Supervisory Authorities – the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority – maintain a set of questions and answers to support the consistent and effective application of European Union financial services regulation. The DORA questions and answers are available on the website of the European Insurance and Occupational Pensions Authority (see Joint Q&As - EIOPA) and can be filtered by topic.

The questions published there are those that market participants have most often found unclear. If you cannot find an answer to your question in the resources of the European Supervisory Authorities or Latvijas Banka, you can e-mail it to dora@bank.lv or submit it through EIOPA's Joint Q&As web tool.

Question. To what extent are the DORA requirements for ICT third-party service providers applicable to software licence distributors? We believe that several requirements are not really applicable, as a distributor does not process any financial institution data, and also the existence or non-existence of a distributor does not affect the operation of the software itself.
Answer. The implementing technical standards for the register of information set out which contractual arrangements must be recorded in the register of ICT third-party service providers. They are based on the information needed to identify critical ICT third-party service providers and to oversee them at the European Union level. The register of information must contain information about software licences. Whether a distributor of licences is an ICT third-party service provider depends on the commitments set out in the respective supply contract, which have to be analysed case by case. An explanation by the European Securities and Markets Authority is available here: ESMA_QA_2103.

Question. Please confirm that we have understood correctly: only the existing ICT service contracts that support critical or important functions should be renewed (amended), i.e. not all existing ICT service contracts, but only those that support critical or important functions.
Answer. ICT contractual arrangements supporting critical or important functions must include the mandatory provisions based on Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and an adequate policy for managing such arrangements must be developed and implemented. Evaluating and renewing such contracts is a priority for ensuring compliance.

Other ICT contractual arrangements must be evaluated for compliance with the general principles for managing ICT third-party risk (Article 28 of DORA). Where necessary, these contracts must also be amended to provide for audit rights, consent to cooperate with the competent authorities and the key contractual provisions referred to in Article 30(1) and (2) of DORA.
