The Ultimate DORA ICT Third Party Provider Checklist

Nov 28, 2024

In today's digital age, managing third-party ICT service providers is crucial for maintaining operational resilience and ensuring compliance with regulatory requirements. The Digital Operational Resilience Act (DORA) provides a comprehensive framework for managing ICT third-party risks. To help organizations navigate these requirements, we have developed the ultimate DORA ICT Third Party Provider Checklist. 

This checklist is divided into four key sections: Due Diligence, Contract Management, Management, and Subcontracting. Each section includes a combination of questionnaires, policies, actions, and monitoring items to ensure thorough and effective management of ICT third-party providers.

Due Diligence

The Due Diligence section focuses on assessing and evaluating potential ICT third-party service providers before entering into any contractual arrangements. This section primarily consists of questionnaires and policies designed to gather critical information and ensure that the service providers meet the necessary standards.

Questionnaires:

  • Overall Risk Profile and Complexity: Assess the size, nature, scale, and complexity of the services, activities, and operations of the financial entity.

  • Type of ICT Services: Identify the type of ICT services included in the contractual arrangement and evaluate the location from where the services are provided and where the data is processed and stored.

  • Location of ICT Third-Party Service Provider: Determine the location of the service provider or its parent company and consider whether the services are provided within a Member State or in a third country.

  • Nature of Data Shared: Assess the nature of the data shared with the service provider.

Policies:

  • Group Affiliation: Determine whether the ICT third-party service provider is part of the same group as the financial entity.

  • Authorisation and Supervision: Verify if the service providers are authorised, registered, or subject to supervision by a competent authority in a Member State or a third country.

  • Concentration of ICT Services: Assess whether the provision of ICT services supporting critical or important functions is concentrated with a single service provider or a small number of providers.

  • Transferability of ICT Services: Evaluate the transferability of the ICT services to another provider, considering technology specificities.

  • Impact of Disruptions: Consider the potential impact of disruptions in the provision of ICT services on the continuity of the financial entity’s activities and the availability of its services.


Contract Management

The Contract Management section focuses on establishing and maintaining clear and comprehensive contractual arrangements with ICT third-party service providers. This section includes policies and actions to ensure that the contracts are well-defined and enforceable.

Policies:

  • Written Form of Contractual Arrangements: Ensure that the contractual arrangements are in written form and include all necessary elements as per regulatory requirements.

  • Explicit Specifications in Contractual Arrangements: Ensure that the contracts do not relieve the financial entity and its management body of its regulatory obligations and responsibilities to its clients. Require that the service providers cooperate with competent authorities and provide effective access to data and premises.

Actions:

  • Access, Inspections, and Audits: Include the right for the financial entity to access information, carry out inspections and audits, and perform tests on ICT. Use methods such as internal audits, third-party audits, and pooled audits.

  • Limitations on Reliance on Certifications and Audit Reports: Do not rely solely on certifications or audit reports over time. Ensure that the certifications and audit reports cover the systems and key controls identified and comply with relevant regulatory requirements.

  • Formalisation of Material Changes: Ensure that material changes to the contractual agreement are formalised in a written document, dated and signed by all parties. Specify the renewal process for the contractual arrangements.

Management

The Management section focuses on the ongoing oversight and governance of ICT third-party service providers. This section includes policies, actions, and monitoring items to ensure that the management body is involved in the decision-making process and that the services are effectively managed.

Policies:

  • Responsibilities of the Management Body: Ensure the management body's involvement in the decision-making process on the use of ICT services supporting critical or important functions provided by third-party service providers.

  • Planning of Contractual Arrangements: Conduct risk assessments and due diligence as set out in regulatory requirements. Follow the approval process for new or material changes to contractual arrangements.

  • Involvement of Business Units and Internal Controls: Involve business units, internal controls, and other relevant units in respect of contractual arrangements.

  • Consistency with Regulatory Frameworks: Ensure that the contractual arrangements are consistent with the ICT risk management framework, the information security policy, the ICT business continuity policy, and the requirements on incident reporting.

Actions:

  • Implementation, Monitoring, and Management: Implement, monitor, and manage contractual arrangements, including at consolidated and sub-consolidated levels, where applicable.

  • Documentation and Record-Keeping: Maintain documentation and record-keeping, taking into account the requirements with regard to the register of information.

  • Exit Strategies and Termination Processes: Develop and follow exit strategies and termination processes as set out in regulatory requirements.

  • Define Business Needs: Ensure the business needs of the financial entity are defined before concluding a contractual arrangement.

  • Conduct Risk Assessment: Perform a risk assessment at the financial entity level and, where applicable, at consolidated and sub-consolidated levels before concluding a contractual arrangement. Consider all risks posed by the provision of ICT services.

Monitoring Items:

  • Senior Management Responsibilities: Clearly identify the role or member of senior management responsible for monitoring the relevant contractual arrangements. Specify how that role or member of senior management shall cooperate with the control functions and set out the reporting lines to the management body.

  • Independent Review and Audit: Require that ICT services supporting critical or important functions provided by third-party service providers are subject to independent review and are included in the audit plan.

  • Internal Responsibilities: Clearly assign internal responsibilities for the approval, management, control, and documentation of relevant contractual arrangements. Ensure appropriate skills, experience, and knowledge are maintained within the financial entity to effectively oversee the relevant contractual arrangements.

  • Annual Review and Update: Ensure the management body reviews the policy at least once a year and updates it where necessary. Implement changes to the policy in a timely manner within the relevant contractual arrangements.

Subcontracting

The Subcontracting section focuses on managing the use of ICT sub-contractors by third-party service providers. This section includes policies and monitoring items to ensure that subcontracting arrangements are effectively managed and do not pose additional risks.

Policies:

  • Use of ICT Sub-Contractors: Determine if the ICT third-party service provider uses or intends to use ICT sub-contractors to perform the ICT services supporting critical or important functions or material parts thereof.

  • Identify Conflicts of Interest: Specify measures to identify actual or potential conflicts of interest arising from the use of ICT third-party service providers.

  • Prevent and Manage Conflicts of Interest: Establish measures to prevent and manage actual or potential conflicts of interest before entering relevant contractual arrangements. Provide for ongoing monitoring of conflicts of interest. Ensure that decisions on the conditions, including financial conditions, for ICT services provided by ICT intra-group service providers are taken objectively.

Feel free to request a copy of the "The Ultimate DORA ICT Third Party Provider Checklist" from us.

By following this ultimate DORA ICT Third Party Provider Checklist, organizations can ensure comprehensive and effective management of ICT third-party service providers. This checklist provides a structured approach to due diligence, contract management, ongoing oversight, and subcontracting, helping organizations maintain operational resilience and comply with regulatory requirements. Whether you are a financial entity, a service provider, or a regulatory body, this checklist is an invaluable tool for managing ICT third-party risks.