Please note that this outline is based in part on a draft RTS. It does not appear that any of the draft regulatory technical standards connected with DORA will be finalized until July 2024 and so the information below may all be subject to change.
Please also note that this document is intended as a helpful high-level project plan rather than exhaustive instructions or guidance – think of it as a cheat-sheet and you will not be far off. As with any other piece of legislation there is lots of complexity in DORA hence:
The information below does not and is not intended to constitute legal advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. It is not intended to be relied upon in the making (or refraining from making) any specific decisions. |
Step 1 – Identify ICT assets
A register of ICT assets is the starting point for complying with any of your DORA compliance obligations. No other exercise is more critical than this foundational step.
If you don’t have a comprehensive view of what ICT assets your organization is using it will be very difficult to be able to comply with the requirements as set out by DORA.
Also, if you don’t have a good grasp on what ICT technologies you are using it is impossible to manage or monitor them or asses their risk.
Step 2 – Identify ICT services being provided by third-parties
As part of a wider ICT asset discovery exercise identify any and all ICT services being provided to your organization by third-parties.
During this evaluation ensure that you also consider ICT services being supplied:
- through resellers (in other words intermediaries who may be managing the relationship with third-party ICT service providers on your behalf);
- by a parent / subsidiary.
It may also be necessary to consider any implications of DORA that might be relevant at a group level here. |
Step 3 – Classify the ICT services being provided by third parties
ICT services fall within scope of this RTS if they are supporting a function that is critical or important.
Because the definition of a critical or important function is relatively specific it might be helpful to structure this evaluation exercise as a series of questions:
Would the disruption or failure of this function materially impair:
- the organization’s financial performance; or
- the soundness or continuity of its services and activities; or
- the continuing compliance with the conditions and obligations of its authorization; or
- its other obligations under applicable law?
If the answer to any of these question is ‘yes’ it is likely that the ICT third-party is in scope and a written policy on the ICT services provided by the third-party service provider is needed.
DORA includes a principle of proportionality which is intended to ensure that it application is “proportionate” to the size and risk profile of the financial entity. Always consider the size and complexity of your organization when working on DORA compliance. |
Step 4 – Draft and implement written third-party policy
A written policy on ICT services provided by third-parties is a key to becoming compliant with DORA. The RTS is intended to ensure that the policy stipulates all key requirements for the contractual arrangements with third parties that support critical or important services and that it outlines how these are managed.
Step 5 – Assign internal responsibility for the third-party as well as the ICT service(s)
Ensure that a member of senior management is made responsible for the monitoring of the relevant contractual arrangements.
The requirement to ensure that adequate skills are present within the business to oversee the third party services / arrangements in place is an important one to consider here. Having an outsourcing arrangement in place cannot lead to a situation where no one at the institution understands how the third-party systems work and/or how they support critical or important functions. It is the contractual arrangements that are to be overseen rather than the systems themselves. It may therefore not be a requirement for the responsible person to understand all of the technical detail of specific systems (although that knowledge can of course be relevant and helpful), but they must understand enough to be able to assess whether the system fulfils the stipulated contractual obligations. |
Step 6 – Evaluate the complexity and risk profile of the third party
As part of this evaluation process take into account:
- location of third party (or parent);
- nature of shared data;
- data processing and storage location;
- intra-group or independent supplier; and
- impact of risks / disruptions on continuity / availability of services.
Step 7 – Assess the health of the third-party and ensure they are a part of your audit plan
You will need to ensure that the third party has ‘sufficient resources’ to ensure that you can comply with all legal and regulatory requirements.
This is an important requirement and will almost certainly require you / an independent auditor to at the least examine the relevant third-party’s finances and/or operating and business model. The intent here is to ensure that relationships are established with third-parties that are adequately resilient and proffer stability. |
Step 8 – Conduct due diligence on the third-party
Ensure that all due diligence as stipulated in the policy are followed.
If a selection process has taken place, this should be well documented.
Step 9 – Structure or restructure the contract with the third-party
The contract must include, at a minimum:
- a description of functions and services (including an indication whether subcontracting is permitted);
- the location where functions and services are provided and where data is processed;
- provisions around data protection;
- provisions ensuring data access and recovery;
- service level descriptions;
- an obligation to provide assistance in the case of an ICT incident connected to the service being provided;
- an obligation to cooperate with the relevant regulator;
- termination rights and notice periods;
- conditions for participation in security awareness programmes and digital operational resilience training.
Step 10 – Because this is a third-party supporting critical or important functions, include additional contractual terms
For these third-parties the contract must also include additional terms that cover at a minimum:
- measurable performance targets;
- reporting obligations;
- adequate business contingency and security measures;
- an obligation to cooperate in penetration testing;
- the right to monitor performance (including unrestricted access);
- exit strategies.
Also useful to note is the fact that it is not only the contractual terms that are different for third parties supporting critical or important functions. Amongst other things more onerous due diligence is required. |
Step 11 – Monitor third-party performance
A contract has been signed, all is implemented and the services are being successfully used.
It is now essential to monitor, on an ongoing basis, the performance of the third party service provider and particularly their compliance with requirements regarding data and information including:
- confidentiality;
- availability;
- integrity; and
- authenticity.
Where services levels are not being met appropriate measures must be taken, including any of the penalties dictated by the written policy.
Step 12 – Set up a regular (at least annual) policy review
Ensure that any changes to the policy are reflected in the contractual arrangements in place with third parties.
In other words if the policy changes all potentially impacted third-party contracts should be reviewed and updated as necessary in order to remain in alignment with the policy. The requirement for timeliness in implementing any necessary changes also extends to the contractual arrangements. This requirement has practical consequences for the negotiation of contracts with vendors – a mechanism should be in place enabling you to renegotiate parts of the contract that may need to be revised following material policy changes. The timeliness element means that the changes could well be needed part way through the contractual term, something that is more likely for contracts that are longer in duration (eg multi-year contracts). |