+DORA Ch. V Sec. I Art. 28 4.
|
1. Overview
DORA Ch. V Sec. I Art. 28 4.
4. Before entering into a contractual arrangement on the use of ICT services, financial entities shall:
- (a) assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function;
- (b) assess if supervisory conditions for contracting are met;
- (c) identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk as referred to in Article 29;
- (d) undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable;
- (e) identify and assess conflicts of interest that the contractual arrangement may cause.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Third-party Risk Management
Manage third-party risks proportionate to dependency nature, service-related risks, and impact on entity's continuity and availability in case of disruption. Implement a policy for critical function ICT services provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service providers' risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, group affiliation of the service provider, and the potential impact of the risks and disruptions on the continuity and availability on the activities of the entity. Test response and recovery of critical function-supporting services provided by third parties.
|
|
NOREA
|
Pre-Contract Risk Assessment
Perform pre-contract risk assessment. This assessment must assess if: the contract covers services supporting critical or important functions, a service provider is easily replaceable, the risks of sub-contracting are covered, the risks of outsourcing service to a third-country are covered, the risks of bankruptcy are covered on the side of the service provider, supervisory conditions for contracting are met, all contractual risks are identified and assessed (e.g., to cover for ICT concentration risks), the service provider is suitable, and if there are conflicts of interest. Assess service provider resources for ensuring entity compliance with all legal and regulatory requirements.
|
|
NOREA
|
Register of Information
Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information.
|
|
NOREA
|
Contractual Requisites
Only contract with service providers meeting appropriate information security standards (e.g., ISO 27001, SOC, PCI-DSS, etc.) appropriate to the criticaly of services delivered. Determine audit frequency for service providers, ensuring auditors possess requisite skills and knowledge for complex services
|
|
NOREA
|
Exit strategies
Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline.
The DORA Taskforce has designed an exit plan template that could be of assistence, see: https://www.norea.nl/dora/dora-template-exit-plan
|
|
NOREA
|
Annual Reporting of New Arrangements
Report new service provider arrangements to the regulator, especially those supporting critical or important functions, to the regulator on a yearly basis, with immediate notification for critical services.
|
|