Third-Party Subcontractor Due Diligence

1. Overview

With regard to subcontracts that support a critical or important function:

  • Implement due diligence procedures to evaluate third-party ICT service providers' subcontracting practices.
  • Identify all subcontractors that provide ICT services supporting critical or important functions, or material parts thereof, and ensure that the financial entity is notified and informed of those subcontractors.
  • Ensure that the contractual arrangements with those subcontractors enable the financial entity to comply with its own obligations.
  • Ensure, in the contract with the ICT third-party service provider, that the subcontractor grants the same contractual rights of access and inspection as those granted by the ICT third-party service provider.
  • Assess the third-party provider's organizational structure, resources, and information security standards, including incident response and risk management mechanisms, with regard to the subcontractor.
  • Assess the financial entity's own organizational structure, resources, and information security standards, including incident response and risk management mechanisms, with regard to the ICT service provider and its subcontractors.
  • Assess the impact on digital operational resilience and financial soundness of a possible failure of a subcontractor.
  • Assess the location of the potential subcontractors.
  • Assess the ICT concentration risks at entity level in accordance
  • Address any barriers to audit and access rights for competent authorities and the financial institution.
2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation