+DORA Ch. V Sec. I Art. 29 2.
|
1. Overview
DORA Ch. V Sec. I Art. 29 2.
2. Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.
Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.
Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.
Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.
1.1 References
1.2 Identified Requirements
1.3 Related Standards
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Standards
Standards
| Source |
Requirement |
|
NOREA
|
Third-party Risk Management
Manage third-party risks proportionate to dependency nature, service-related risks, and impact on entity's continuity and availability in case of disruption. Implement a policy for critical function ICT services provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service providers' risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, group affiliation of the service provider, and the potential impact of the risks and disruptions on the continuity and availability on the activities of the entity. Test response and recovery of critical function-supporting services provided by third parties.
|
|
NOREA
|
Pre-Contract Risk Assessment
Perform pre-contract risk assessment. This assessment must assess if: the contract covers services supporting critical or important functions, a service provider is easily replaceable, the risks of sub-contracting are covered, the risks of outsourcing service to a third-country are covered, the risks of bankruptcy are covered on the side of the service provider, supervisory conditions for contracting are met, all contractual risks are identified and assessed (e.g., to cover for ICT concentration risks), the service provider is suitable, and if there are conflicts of interest. Assess service provider resources for ensuring entity compliance with all legal and regulatory requirements.
|
|
NOREA
|
Register of Information
Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information.
|
|
NOREA
|
Contractual Requisites
Only contract with service providers meeting appropriate information security standards (e.g., ISO 27001, SOC, PCI-DSS, etc.) appropriate to the criticaly of services delivered. Determine audit frequency for service providers, ensuring auditors possess requisite skills and knowledge for complex services
|
|
NOREA
|
Exit strategies
Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline.
The DORA Taskforce has designed an exit plan template that could be of assistence, see: https://www.norea.nl/dora/dora-template-exit-plan
|
|
NOREA
|
Annual Reporting of New Arrangements
Report new service provider arrangements to the regulator, especially those supporting critical or important functions, to the regulator on a yearly basis, with immediate notification for critical services.
|
|