+DORA Ch. V Sec. I Art. 28 5.
|
1. Overview
DORA Ch. V Sec. I Art. 28 5.
5. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Third-party Risk Management
Manage third-party risks proportionate to dependency nature, service-related risks, and impact on entity's continuity and availability in case of disruption. Implement a policy for critical function ICT services provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service providers' risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, group affiliation of the service provider, and the potential impact of the risks and disruptions on the continuity and availability on the activities of the entity. Test response and recovery of critical function-supporting services provided by third parties.
|
|
NOREA
|
Pre-Contract Risk Assessment
Perform pre-contract risk assessment. This assessment must assess if: the contract covers services supporting critical or important functions, a service provider is easily replaceable, the risks of sub-contracting are covered, the risks of outsourcing service to a third-country are covered, the risks of bankruptcy are covered on the side of the service provider, supervisory conditions for contracting are met, all contractual risks are identified and assessed (e.g., to cover for ICT concentration risks), the service provider is suitable, and if there are conflicts of interest. Assess service provider resources for ensuring entity compliance with all legal and regulatory requirements.
|
|
NOREA
|
Register of Information
Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information.
|
|
NOREA
|
Contractual Requisites
Only contract with service providers meeting appropriate information security standards (e.g., ISO 27001, SOC, PCI-DSS, etc.) appropriate to the criticaly of services delivered. Determine audit frequency for service providers, ensuring auditors possess requisite skills and knowledge for complex services
|
|
NOREA
|
Exit strategies
Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline.
The DORA Taskforce has designed an exit plan template that could be of assistence, see: https://www.norea.nl/dora/dora-template-exit-plan
|
|
NOREA
|
Annual Reporting of New Arrangements
Report new service provider arrangements to the regulator, especially those supporting critical or important functions, to the regulator on a yearly basis, with immediate notification for critical services.
|
|