EU DORA RTS - third party contractual arrangements - Art 6

Outlines the policy provisions that guide the due diligence and selection of third parties providing ICT services. It stipulates that the policy must include an appropriate and proportionate process for selecting and assessing each third party.

Rule Overview

Jurisdiction: European Union

Regulator: ESMA

Topic: Resilience, Business Continuity


It also requires the policy to include measures to identify, prevent and manage potential conflicts of interest.

As part of the assessment process the policy must prescribe the evaluation of the following criteria in connection with the third-party provider:

  1. Business reputation.
  2. Sufficient abilities.
  3. Expertise.
  4. Adequate financial resources.
  5. Adequate human resources.
  6. Adequate technical resources.
  7. Information security standards.
  8. Appropriate organisational structure including:
    1. Risk management.
    2. Internal controls.
  9. Required authorisation or registration (if applicable) to provide the services in a reliable and professional manner.
  10. Ability to monitor relevant technological developments.
  11. Ability to identify ICT security leading practices.
  12. Ability to implement ICT security leading practices where appropriate to have an effective and sound digital operational resilience framework.

In addition, the policy must require the consideration of the following criteria:

  1. Potential sub-contracting.
  2. Location.
  3. Location of processing and storage of data.
  4. Consent to audit, including onsite, by:
    1. The contracting entity.
    2. Appointed third-parties.
    3. Regulators.
  5. Acting in an ethical and socially responsible manner including adherence to:
    1. Human and children’s rights.
    2. Principles of environmental protection.
    3. Appropriate working conditions including the prohibition of child labour.

Notable
Your DORA questions answered – CIFs

This third of a series of six articles covering a practical session organised by Ashurst focuses on critical or important functions.

Your DORA questions answered – ICT third party contracts

This fourth of a series of six articles covering a practical session organised by Ashurst focuses on information and communication technology third party contracts.

Your DORA questions answered – ICT services in scope

This second of a series of six articles covering a practical session organised by Ashurst focuses on the ICT services in scope of DORA.
