The AFM has released a second publication on the Digital Operational Resilience Act (DORA), focusing on managing the ICT risk that arises from third-party providers. DORA, a European regulation in force since January 2023, aims to strengthen financial firms' control over ICT risk and make them more resilient to cyber threats.
The update emphasizes the importance of addressing risks associated with third-party providers, which DORA covers in Chapter V (Articles 28-44). That chapter specifies policy documents, risk assessments, strategy development and contractual provisions, and sets out an oversight framework for critical third-party ICT service providers. It requires firms to develop a strategy for third-party risk management.
Firms preparing for compliance with DORA can take specific actions related to third-party risk management. Articles 28 and 29 of DORA set out the general principles, including the explicit assessment and addressing of ICT risks originating from third-party providers. Micro-undertakings are exempt from developing a strategy for third-party risk management. DORA mandates the recording of all contractual arrangements in a register of information, which is vital both for internal control and for designating critical third-party providers (CTPPs). Firms must report annually to their supervisory authorities on third-party ICT agreements, especially those supporting critical or important functions. Before entering into an agreement, firms must analyse various aspects, including security levels, audits and subcontracting risks, and must develop an exit strategy for critical functions.
Contractual arrangements for critical functions should include reporting obligations, business contingency plans, cooperation in Threat-Led Penetration Tests (TLPTs), inspection rights, and detailed subcontracting provisions. Micro-enterprises may delegate audits to independent parties.
Table 3 outlines further elaborations on subcontracting conditions, with a completion target of July 2024. Additionally, Table 2 details the completion timelines for the regulatory technical standards (RTS) and implementing technical standards (ITS) related to DORA. Firms are advised to analyse their existing contractual arrangements for alignment with DORA's requirements as specified in Article 30, which lists the elements that must be included in all agreements as well as additional obligations for critical or important functions.
The ESAs are developing a standard model and key principles. Compliance with DORA is mandatory from 17 January 2025, covering elements such as the register of information, reporting obligations and exit strategies. DORA also addresses the oversight of critical third-party providers, with Articles 31 through 44 describing the oversight framework.