DORA ICT providers management – everything you need to know

21.01.2025
  • ICT providers

Who is an ICT provider?

One of the regulator’s objectives during the creation of the DORA regulation was to develop effective and community-wide methods to monitor the risks associated with external ICT service providers in the financial sector.

While defining an ICT service provider, DORA does not explicitly indicate whether every company providing a specific type of service or offering specific products falls into this category. According to the definition given in the Regulation, an external ICT service provider is a company that provides ICT services.

The definition of ICT service provider indicates the meaning of what an ICT service is. According to DORA, ICT services means digital and data services provided on a continuous basis via ICT systems to one or more internal or external users, including hardware as a service and hardware services including the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephony services.

The definition is very broad. It is enough for a provider to offer digital services through ICT systems to be considered an ICT service provider. This concept also includes hardware providers, as well as hardware service companies working with financial entities. This is due, among other reasons, to the fact that ICT providers have a huge impact on ensuring the business continuity and digital operational resilience of financial entities. DORA emphasizes the importance of monitoring, risk assessment and management of collaboration with ICT providers, especially for critical or important functions. The principles of cooperation include, among other things, basic contractual rights that set out minimum safeguards for the execution and termination of contracts. They aim to provide financial entities with adequate tools to effectively monitor ICT risks generated by ICT service providers.

Why business functions are key to supplier classification

Over the years, each financial entity working with different suppliers has developed its own way of determining which partner is ‘critical’ to that entity. DORA removes that discretion by clearly indicating the specific process by which a supplier is to be categorized.
Firstly, Article 8(5) directs financial entities to identify and document all processes that depend on external ICT service providers and to identify inter-relationships with external ICT service providers that provide services that support critical or essential functions. Having mapped the extent of the relationship with a particular ICT service provider, one can move on to assess its ‘criticality’.

Example of template RT 06.01 information register for all contractual arrangements for the use of ICT services provided by external ICT service providers.
The assessment is carried out in template RT 06.01. The points that need to be filled in are the following:
● Function Identifier
● Licensed activity
One of the licensed activities referred to in Annex II for the different types of financial entities. In case the function is not linked to a registered or licensed activity, ‘support functions’ shall be reported.
● Function name
Function name according to the financial entity’s internal organization.
● LEI of the financial entity (this point is likely to be further amended)
● Criticality or importance assessment
Use this column to indicate whether the function is critical or essential according to the financial entity’s assessment. One of the options in the following closed list shall be used: 1. Yes 2. No 3. Assessment not performed
● Reasons for criticality or importance
A brief explanation of the reasons to classify the function as critical or essential (300 characters maximum)
● Date of the last assessment of criticality or importance
● Recovery time objective of the function
● Recovery point objective of the function
● Impact of discontinuing the function

This assessment is based on function, which is a combination of business process (function name) and activity type (licensed activity). The type of activity refers to a closed list of financial activities licensed by the supervisory authority.
There are cases where an activity type may be considered non-critical even though the associated business process is central to the financial entity. It is worth noting that a single business process may be linked to multiple activity types. In the attached example, the “Contact Centre” business process supports 3 different types of activities. While the list of activity types is closed, business processes can be freely defined by the financial entity. It is therefore key to carry out a case-by-case assessment of the criticality of each combination of activity type and business process.
The result of this process is information on which functions the ICT service provider supports. If a provider provides, in even one case, services that support critical or essential functions, it is automatically subject to the strict requirements of the DORA regulation. It does not matter that this may be a tiny fraction of the entire scope of the financial entity’s collaboration with that provider.
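The classification rule described above (a function is one combination of business process and licensed activity; a provider becomes a provider supporting critical or important functions as soon as any one of the functions it supports is assessed as critical) can be checked mechanically once the RT 06.01 rows and the provider-to-function mapping are in a machine-readable form. The following Python script is an added example written for this article; it is not code from the article, from the ESAs or from any register tool. The function identifiers, activity labels, provider names and reasons text are constructed sample data, the three-way result (critical / other / unresolved) is this example’s own convention for rows whose assessment has not yet been performed, and only the closed list of assessment values and the 300-character cap come from the template described above.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    """Closed list for the 'Criticality or importance assessment' column of RT 06.01."""
    YES = "Yes"
    NO = "No"
    NOT_PERFORMED = "Assessment not performed"


MAX_REASON_LEN = 300  # RT 06.01 caps 'Reasons for criticality or importance' at 300 characters


@dataclass(frozen=True)
class Function:
    """One RT 06.01 row: a business process (function_name) combined with one licensed activity."""
    function_id: str
    function_name: str
    licensed_activity: str
    criticality: Criticality
    reasons: str = ""

    def validate(self) -> list[str]:
        """Return data-quality findings for this row (an empty list means the row is fine)."""
        findings = []
        if not self.function_id:
            findings.append("row without function identifier")
        if len(self.reasons) > MAX_REASON_LEN:
            findings.append(f"{self.function_id}: reasons field is {len(self.reasons)} chars, max {MAX_REASON_LEN}")
        if self.criticality is Criticality.NOT_PERFORMED:
            findings.append(f"{self.function_id}: criticality assessment not performed")
        return findings


@dataclass(frozen=True)
class Provider:
    """An ICT service provider and the identifiers of the functions it supports (from the mapping step)."""
    name: str
    supported_function_ids: frozenset[str]


def classify_provider(provider: Provider, functions_by_id: dict[str, Function]) -> str:
    """'critical' if ANY supported function is assessed Yes, however small that share of the relationship;
    'unresolved' (this example's own label) if no Yes but some supported function is still unassessed;
    'other' when every supported function is assessed No."""
    statuses = []
    for fid in provider.supported_function_ids:
        if fid not in functions_by_id:
            raise ValueError(f"{provider.name}: unknown function identifier {fid!r}")
        statuses.append(functions_by_id[fid].criticality)
    if Criticality.YES in statuses:
        return "critical"
    if Criticality.NOT_PERFORMED in statuses:
        return "unresolved"
    return "other"


def classify_providers(providers, functions) -> dict[str, str]:
    by_id = {f.function_id: f for f in functions}
    return {p.name: classify_provider(p, by_id) for p in providers}


def register_findings(functions) -> list[str]:
    """Collect the validation findings of every RT 06.01 row."""
    return [finding for f in functions for finding in f.validate()]


# Constructed sample data (not from the article): one "Contact Centre" process mapped to three activity types,
# plus one row whose assessment has not been performed yet. Activity labels are placeholders, not Annex II text.
SAMPLE_FUNCTIONS = [
    Function("F001", "Contact Centre", "Payment services", Criticality.YES,
             "Customer payment disputes must be handled within regulatory deadlines"),
    Function("F002", "Contact Centre", "Investment advice", Criticality.NO),
    Function("F003", "Contact Centre", "Support functions", Criticality.NO),
    Function("F004", "Marketing analytics", "Support functions", Criticality.NOT_PERFORMED),
]

SAMPLE_PROVIDERS = [
    Provider("Telephony vendor (hypothetical)", frozenset({"F002", "F003"})),
    Provider("CRM SaaS vendor (hypothetical)", frozenset({"F001", "F002", "F003"})),
    Provider("Analytics vendor (hypothetical)", frozenset({"F004"})),
]


if __name__ == "__main__":
    for name, cls in classify_providers(SAMPLE_PROVIDERS, SAMPLE_FUNCTIONS).items():
        print(f"{name}: {cls}")
    for finding in register_findings(SAMPLE_FUNCTIONS):
        print("finding:", finding)
```

Run as a script, the CRM vendor is classified as critical because of the single payment-related Contact Centre row, the telephony vendor (which supports only the two non-critical rows of the same process) is classified as other, and the analytics vendor stays unresolved until the F004 assessment is performed, which the findings list also flags. Treating an unassessed row as blocking, rather than silently as non-critical, is the design choice that matters here: the register cannot be submitted with such a gap hidden inside a provider that is then reported as ‘ordinary’.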

What are the characteristics of the different supplier groups?

Effective classification requires objective criteria, such as Business Impact Analysis (BIA), which identifies the links between key financial services, business processes and supporting assets. This enables financial institutions to identify which services and their providers are critical to the organization’s business continuity.
The DORA regulation, and in particular Articles 28 and 29, emphasizes the assessment of ICT providers in terms of their impact on the stability, quality and continuity of the provision of financial services. Additionally, JC 2023 85 expands on this classification. Each group requires a detailed assessment, which influences further supervisory and risk management activities when working with ICT providers.

Critical provider

The terms ‘critical provider’ or ‘provider supporting critical functions’ are shorthand for an ICT service provider supporting critical or important functions. These functions, as defined by the DORA regulation, are critical to the operational continuity, security and stability of financial entities. As already mentioned, their disruption would materially affect the financial entity’s financial performance, security or the continuity of its services and operations.

Suppliers supporting critical or essential functions are subject to strict requirements aimed at ensuring the highest level of security and business continuity. These requirements are reflected in Articles 28(5) and 30(3) of the DORA Regulation, which highlight the strategic importance of these providers to the stability of the financial sector.

Other providers

Other suppliers are a group comprising all external ICT service providers that are not recognised in DORA as supporting critical or essential functions. They can be referred to as ‘ordinary’ suppliers, as they are not subject to the same rigorous requirements as suppliers in the earlier category. They play an important role in the day-to-day operation of financial entities, supporting operational activities and providing supportive technology solutions. These providers do not have as much impact on the stability, security or continuity of the financial sector. They support functions that are not considered critical or relevant to operational digital resilience. Although these providers are not critical, they are still required to comply with DORA’s ICT security regulations. This means meeting the relevant requirements for data protection, compliance with the financial entity’s ICT security policies, or in terms of reporting incidents that may affect the services provided. The services provided by these providers tend to be more easily substitutable. The high level of substitutability means that the risks arising from their failure or unavailability are lower compared to suppliers supporting critical or essential functions.

External and internal provider

The DORA Regulation also distinguishes ICT service providers into two further categories: external and internal. According to Article 3(19) of the document, an external provider is a company that provides ICT services to financial entities. It is an independent entity that can offer a wide range of services, from basic IT infrastructure to advanced technologies such as cloud computing (IaaS, PaaS, SaaS), data management or ICT security. According to Article 3(20) of the DORA, an in-house provider is an entity that belongs to a financial group and that mainly provides ICT services to financial entities belonging to the same group or financial entities belonging to the same institutional protection scheme, including their parent companies, subsidiaries, branches or other entities under common ownership or control. Such entities, often in the form of subsidiaries or shared service centers, are dedicated to servicing the group’s internal technology processes.

Internal suppliers, although operating within a single group, are subject to documentation and control requirements. DORA requires recording of all ICT services contracts between entities in the group. Template RT.02.03 is used to identify and analyse such contracts by assigning unique ‘contract agreement reference numbers’. This allows for detailed mapping of relationships within the group.

19 ICT provider categories by ITS

The next step in categorizing ICT providers is to assign them to one (or more than one) category from the 19 supplier groups numbered S1 to S19. The implementing technical standards (RTS JC 2023 85) in Annex III introduce a detailed classification system for ICT providers. Examples of categories are:

  • ICT Project Management (S01) – Includes services related to the PMO (Project Management Office),
  • ICT Security (S04) – Protection, detection, response and recovery services in the area of ICT security,
  • Cloud computing – Services in IaaS (S17), PaaS (S18) and SaaS (S19) models,
  • Data analytics services (S06) – Support for data processing and analysis,
  • Network infrastructure (S11) – Management and delivery of network infrastructure,
  • ICT risk management (S16) – Verification of compliance with ICT risk management requirements.

The categorization of ICT providers into 19 service types introduces a structure that enables financial entities to better understand and manage the risks associated with their relationship with ICT providers. It also helps with effective reporting, particularly in the context of critical functions supported by suppliers. However, in practice, categorization can be challenging, as some entities provide services that fit into more than one of the categories listed in Annex III.

Key provider

A key provider is a strategic third-party ICT service provider that has been designated as a key provider by the European Supervisory Authorities (ESAs) rather than by individual financial entities. The European Supervisory Authorities designate these providers on the basis of data sent by EU 27 financial entities in the form of a register of contractual arrangements. For this reason, the category of ‘key provider’ is not one according to which financial entities themselves characterize their providers in the register of contractual arrangements. However, it is necessary to be familiar with this group and to know what specificity it entails.

European supervisors designate key providers on the basis of a detailed analysis. A key provider is one whose potential service failures could significantly affect a large number of financial entities, particularly those with large assets. The level of interdependence between the institutions using its services, in particular global systemically important institutions, is taken into account. In addition, the dependence of financial entities on this provider’s services is analyzed, particularly in the context of supporting critical or essential functions. The availability of alternatives to that provider’s services is also an important consideration, taking into account aspects such as technical complexity, migration costs and constraints arising from market conditions. The regulator mandates key ICT providers outside the European Economic Area to designate a subsidiary located in the EEA.

These providers are identified as being particularly relevant to the European Union financial sector as a whole due to their systemic importance and impact on the stability, security and operational continuity of financial entities. A disruption in the delivery of their services can significantly affect the functioning of many financial entities, highlighting their strategic importance. The fact that a large number of financial entities use the same providers increases the risk of concentration. However, with proper governance and effective supervision, it is possible to minimize systemic risk and ensure the stability of the sector. An important aspect is that the key providers are not audited by the financial players, but by the European supervisory authorities, which increases the transparency and security of their operations.

Has the Dry Run project delivered value?

The Dry Run project was organized as a practical exercise for financial entities to test their ability to prepare information registers as required by the DORA Regulation. The main objective of Dry Run was to enable these entities to pre-prepare a report (information register) to help identify potential problems and deficiencies in their reporting processes. At the same time, it allowed supervisors to assess the readiness of the financial sector and test the data collection methodology.

Financial entities had the opportunity to identify areas for improvement before the new regulations came into force. The Dry Run allowed for practical testing of the record-keeping methodology, which provided valuable information for both institutions and supervisors. It showed which aspects of the regulation, such as the identification of providers or the structure of the register, are most problematic.

The Dry Run revealed numerous challenges in the preparation of information registers. It turned out that creating a DORA-compliant information register was a much more complicated task than anticipated. The Excel template, which was originally the tool to be used according to the ESAs, did not meet expectations, as was highlighted on 18.12.2024 during the webinar summarizing the dry run. Dry run results: 6.5% of the 1000 participants completed the project without errors, and 50% made fewer than 5 errors.

It is worth mentioning that the Dry Run used the LEI (Legal Entity Identifier) for suppliers. Now the possibility of using the EUN has been added. The final revised text was adopted in early December. The expectations are already known, but the data needs to be organized in a tool that offers more options than Excel.

How to perform due diligence on critical ICT providers?

Due diligence is a process of detailed analysis and assessment of a potential ICT provider to understand its ability to provide services as required and to identify potential risks. Due diligence is a mandatory step for financial entities before engaging with ICT providers supporting critical or essential functions.

This issue is described in Article 6 Due diligence of the Regulatory Technical Standards (JC 2023 84) setting out the detailed content of the policy in relation to contractual arrangements for the use of ICT services supporting critical or essential functions provided by external ICT service providers. Among other things, the financial entity is to verify that the ICT service provider:

  • has a business reputation, adequate resources (financial, human and technical), an organizational structure, its own risk management and internal control process and, if required, appropriate authorizations or licenses to provide ICT services supporting a critical or essential function in a reliable and professional manner;
  • has the ability to monitor relevant technological developments and identify leading ICT security practices and implement them where appropriate in order to have an effective and robust digital operational resilience framework;
  • uses or intends to use ICT subcontractors for the delivery of critical services or significant parts thereof;
  • processes or stores data in a third country. The financial entity shall assess the operational and reputational risks associated with such location, including the risk of sanctions, embargoes or other restrictions;
  • concentrates services. Institutions must assess the risks associated with concentrating services with a single provider, particularly in the context of potential operational disruptions;
  • accepts the possibility of audits (including offline, in a physical location) by the financial entity, external parties or supervisory authorities;
  • operates in accordance with ethical standards, respects human rights and environmental principles and ensures appropriate working conditions, including the prohibition of child labor.

The outcome of due diligence should be confidence that external ICT service providers will meet the requirements placed on them. As part of this policy, it is important to check that the provider has adequate safeguards and plans in place in case of problems and to ensure that they are actually operating as intended.

In summary, due diligence in terms of the DORA regulation is a sound analysis that should be performed taking into account the criticality of the ICT functions, the analysis of their dependencies, the risks associated with their concentration and attention to the diversification of ICT providers.

What tools should be used to verify these areas?

Financial entities may be wondering how they can conduct due diligence on ICT providers supporting critical or essential functions. Guidance on this is detailed in RTS JC 2023 84:

  1. Audits or independent assessments conducted by or on behalf of the financial entity itself.
  2. Use by the financial entity of independent audit reports commissioned by an external ICT service provider.
  3. Use by the financial entity of internal audit reports carried out by the external ICT service provider.
  4. Use by the financial entity of relevant third-party certifications.
  5. Use by the financial entity of other available relevant information or information provided by the external ICT service provider.

Preparation of the final due diligence report

The final stage of the due diligence process is the preparation of a report summarizing the results of the supplier assessment. This report should include the identification of key risk areas, recommendations for corrective actions or changes in working with the supplier, and conclusions on the supplier’s compliance with organizational and regulatory requirements. The document allows governing bodies within the organization to better understand the risks associated with working with a particular ICT service provider.

How do we deal with a critical ICT provider?

Correctly dealing with critical ICT providers is one of the most important tasks of a financial entity in its risk management process in the context of the requirements imposed by the DORA regulation. Critical providers play a significant role in ensuring the business continuity, security and operational stability of financial entities.

Does the provider comply with the highest security principles?

Considering their key role in maintaining the operational stability, business continuity and data security of financial entities, ICT service providers supporting critical or essential functions must meet high requirements in terms of both the security of the services provided and the internal organization. As mentioned in the DORA Regulation in Article 28(5), financial entities may only enter into contractual arrangements with external ICT service providers that comply with appropriate information security standards. Where these contractual arrangements concern critical or essential functions, financial entities shall – before entering into such contractual arrangements – duly consider whether external ICT service providers apply the most up-to-date and highest information security standards.

DORA does not specifically define what is appropriate and what is the highest information security standard. This is because the ‘current’ standards are constantly changing. It is enough to consider, for example, the frequency of ISO updates to see that listing specific measures in the regulation would miss the point.

However, DORA identifies certain areas where providers are required to implement comprehensive policies and procedures. These are designed to protect the availability, authenticity, integrity and confidentiality of their own data and the data provided by the financial entity.

This includes incident management, i.e. identifying incidents, responding, reporting and taking preventive action for ICT security incidents. Business continuity planning, which involves implementing contingency plans to quickly restore critical functions in the event of an operational disruption, is also a key element. These policies must comply with international standards such as ISO/IEC 27001 and be regularly reviewed and updated.

Providers are required to allow for regular audits by financial entities or their appointed auditors, as well as supervisory authorities that have the right to check compliance with regulations and contract provisions. The supplier must provide full access to the documentation, systems and resources covered by the audit. Verification of the provider’s resources, including technical infrastructure, financial stability, and staff qualifications and experience, is essential.

The supplier must monitor and manage the risks associated with its own subcontractors and other elements of the supply chain, being fully liable to the financial entity for any negligence of these companies. It is obliged to verify the security standards of subcontractors and their ability to provide services at the required level. Furthermore, the supplier must ensure business continuity even in the event of disruption to subcontractors. In addition, it should regularly update the list of subcontractors involved in critical functions, ensuring transparency and compliance with regulatory requirements.

Providers supporting critical functions are required to participate in digital resilience testing programs (TLPT) organized by financial entities, provided that the financial institution is designated by the Supervisory Authority to carry out such testing. The DORA regulation mentions penetration tests, scenario tests and failure simulations of critical functions. The provider must submit to an assessment of the effectiveness of security measures, such as incident detection and response systems. It must also test contingency plans to ensure that services can be restored at short notice.

Providers must clearly identify the location where data is processed and stored. In addition, they are obliged to ensure compliance with EU data protection laws, including GDPR, and to comply with the rules on international data transfers.

These providers must provide financial entities with support for the implementation of an exit strategy that allows for the safe termination of the collaboration without business disruption. This strategy should include the recovery of data and services in accordance with the terms of the contract, as well as allowing for handover to a new provider or the restoration of services to the financial entity’s internal structure in the event of a failure or termination of the collaboration.

Sending surveys

A survey is no substitute for an audit. DORA requires verification, not trust. It is one tool that a financial entity can use to obtain detailed information on suppliers. Its purpose is to gain a comprehensive understanding of the supplier’s organizational structure, processes, operational capabilities and level of compliance with regulatory requirements. This information provides the basis for risk assessment, identification of vulnerabilities and verification of the supplier’s ability to support critical or essential functions.

As part of the survey, the financial entity may ask the provider for data on key management and security personnel, as well as relationships with other entities that may affect the services provided. The location where the data is processed and stored is also an important element, especially if it includes countries outside the European Economic Area. The survey should also include a detailed description of the scope of services provided, including their relevance to critical or essential functions and the terms of subcontracting, together with a list of the subcontractors involved.

The provider should provide information on the data protection, incident management and threat response policies and procedures implemented. Compliance with standards on information integrity and confidentiality is also important. The financial provider may additionally ask in the survey about the qualifications of the ICT risk management and security teams, risk management procedures and contingency plans in case of disruptions. The provider’s ability to restore functions in the event of operational incidents should also be described in detail.

An effective survey must be linked to regulatory requirements and allow mapping of the provider’s services against the financial entity’s processes and assets. Its results should provide a solid basis for implementing actions to enhance operational digital resilience.

Alignment of contracts

DORA in Article 30(2) and 30(3) indicates a number of points to be included in contracts with ICT service providers. This section of the article deals with points relating to ICT service providers supporting critical or essential functions; general provisions are discussed in the chapter How do we deal with ‘ordinary’ suppliers?

Contracts with suppliers supporting critical or essential functions should include a detailed description of guaranteed service levels (SLAs), which must include both quantitative and qualitative service delivery targets. An important aspect of the contract is also the defined notice period and reporting obligations of the supplier. They should commit to inform the financial entity of any change that may affect the ability to provide services at the agreed level.

In the context of ICT security, providers must implement and regularly test contingency plans that ensure continuity of service provision even in crisis situations. Contracts should also oblige these companies to have appropriate tools, policies and procedures in place to guarantee compliance with the financial entity’s regulatory framework.

The obligation for suppliers to participate in digital resilience tests, such as TLPT (Threat-Led Penetration Testing), should also be clearly stated in contracts. They must fully cooperate in the implementation of such tests and implement the findings.

Financial entities should be guaranteed the right to monitor supplier performance, including audits. Contracts should include unlimited rights of access, inspection and on-site audits, whether by the financial entity or by designated third parties or supervisory authorities. In addition, suppliers must commit to cooperate fully during such inspections and audits and to provide detailed information on the procedures and frequency of audits.

Exit strategies should be an integral part of the contract and ensure a smooth termination of the relationship, including the ability to recover data and migrate services to a new provider or internal structures of the financial entity. During the transition period, the provider should continue to provide services to minimize the risk of disruption to the organization. Exit strategies must be tailored to the complexity of the services provided, ensuring operational fluidity even in the event of termination.

Financial entities and suppliers can also benefit from standard contractual clauses developed by public authorities, which streamline the negotiation process and ensure compliance with regulations. Such clauses facilitate the standardization of contractual provisions while promoting the protection of the organization’s interests.

How do we deal with ‘ordinary’ suppliers?

The management of ‘ordinary’ suppliers differs from the management of ICT service providers supporting critical or essential functions. This is related to Article 4 of DORA, the principle of proportionality. The principle of proportionality, as set out in DORA, requires financial entities to tailor the implementation of regulatory provisions to their size, risk profile and the nature, scale and complexity of the services, activities and operations provided.

This applies to both the general ICT risk management framework (Chapter II) and the specific requirements for supplier management and digital resilience testing (Chapters III, IV and V, Section I). For this reason, the DORA regulation allows for a relatively looser approach in the risk assessment of ordinary suppliers and in the required actions than for critical suppliers. DORA indicates in Article 28(5) that ‘ordinary’ suppliers must comply with relevant information security standards. Regular security assessments help to ensure that the level of protection remains in line with the organization’s requirements and appropriately adapted to changing conditions.

The management of the risks associated with these suppliers should be tailored to the specifics of the collaboration. By simplifying the process, it is possible to optimize the organization’s resources while maintaining compliance with DORA and ensuring business continuity. Regular review of suppliers’ safeguards and procedures allows the level of control to be adjusted on an ongoing basis, which minimizes operational risks and strengthens the overall security of the organization.

Contractual provisions with ICT service providers

Working with ‘regular’ suppliers also requires contracts to be tailored accordingly. These should include key clauses on data protection, minimum security standards, incident reporting rules and contract termination conditions. The topics are discussed in Article 30(2) of DORA.

Contracts with ICT providers should specify in detail all the functions and services to be provided, taking into account technical specifications, scope of functionality and quality requirements. Another important aspect is the precise definition of the location of service provision and data processing. Contracts should indicate the specific regions or countries where ICT services and data will be provided, both by the main provider and its subcontractors. It is important to include a requirement to notify the organization in advance of any planned changes to the location of service provision or data processing. Contracts must also include provisions on data protection, both personal and non-personal. They should set out measures to ensure the availability, integrity and confidentiality of the information processed, as well as procedures in the event of security breaches.

It is equally important to ensure that mechanisms are in place to recover data in crisis situations, such as supplier insolvency or termination of cooperation. The format of the data should be specified in the contract to allow for easy transfer to another provider or the organization’s internal system. In addition, contracts should include clear provisions for guaranteed service levels (SLAs), including performance indicators such as service availability, response times and problem escalation procedures.

A key element is also the supplier’s commitment to support in the event of ICT incidents, such as cyber-attacks, system failures or data loss. Contracts should specify whether such support will be provided at no additional charge or at a predetermined fee.

Finally, contracts should clearly regulate the supplier’s cooperation with regulators in the event of investigations or restructuring procedures. Transparency in the provision of information required by regulators should also be guaranteed. In addition, contracts must provide for minimum notice periods, in line with regulatory requirements, and detailed procedures to ensure the continuity of the organization’s business after the end of the cooperation.

What is the register of ICT providers information?

The information register in respect of all contractual arrangements for the use of ICT services provided by external ICT service providers is also referred to as the “ICT provider register”, the “information register” or the “contractual arrangements register”. Pursuant to Article 28(3) of the DORA, financial entities are required to maintain and update a register of information regarding contracts with ICT service providers. Each financial entity must prepare the register of information and submit it to the relevant supervisory authority at the beginning of April 2025 (the exact dates are indicated by the authorities). The ESA is to receive these reports from local offices by 30 April 2025. …

It is a tool that responds to the requirements of the DORA regulation and includes information such as general data on the financial entity, identification of entities in the scope of consolidation, information on branches outside the home country, information on contractual agreements, contract details, links between intra-group contracts and external ICT service providers, information on contract signatories, identification of ICT service providers and an assessment of ICT services supporting critical or essential functions.

DORA requires a registry of ICT providers to standardize and centralize information on suppliers in order to better manage risk in the financial sector. The central register enables a better understanding and assessment of the relationships between financial entities and their ICT providers. It also supports the identification of risks associated with critical operational functions supported by ICT. Standardization enables supervisors to access data quickly and accurately, which increases efficiency in monitoring risks.

The links in the information register are an important and at the same time difficult element to implement. The entire information register consists of 15 tables:

  • Entity maintaining the register of information (RT.01.01)
  • List of entities within the scope of consolidation (RT.01.02)
  • List of branches (RT.01.03)
  • Contractual arrangements – general information (RT.02.01)
  • Contractual arrangements – specific information (RT.02.02)
  • List of intra-group contractual arrangements (RT.02.03)
  • Contracting entities (RT.03.01)
  • ICT third-party service providers (RT.03.02)
  • Contracting entities (RT.03.03)
  • Entities making use of the ICT services (RT.04.01)
  • ICT third-party service providers (RT.05.01)
  • ICT service supply chain (RT.05.02)
  • Functions identification (RT.06.01)
  • Assessments of the ICT services (RT.07.01)
  • Definitions from Entities making use of the ICT Services (RT.99.01)

The information in these tables may be repeated, as in the case of the 19 categories of ICT services provided by providers. In this case, the information is indicated in:

  • RT.02.02 – Contractual arrangements – Field RT.02.02.0060
  • RT.05.02 – ICT service supply chains – Field RT.05.02.0020
  • RT.07.01 – Assessment of the ICT services – Field RT.07.01.0040

It is important to remember to tick the same categories in each of these tables (RT.02.02, RT.05.02 and RT.07.01). For this reason, filling in the register manually may introduce inconsistencies between the tables, especially in the event of a later update.
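The cross-table consistency requirement described above lends itself to an automated check. The following is an added example (not code from the article or from any vendor tool): it treats each register table as a list of rows, links them by an assumed contractual-arrangement reference column (`arrangement_ref`, a hypothetical name) and reports every arrangement whose ICT service categories differ between fields RT.02.02.0060, RT.05.02.0020 and RT.07.01.0040. The rows and the `S01`-style category codes are constructed sample data standing in for the 19 categories; multiple rows per arrangement are supported, so an arrangement with several ticked categories is compared as a set.

```python
"""Consistency check for ICT service categories across three register tables.

Added example, not part of the original article. The field codes are the
ones named in the article; "arrangement_ref" is an assumed linking key and
all rows below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample rows; one dict per row.
RT_02_02 = [
    {"arrangement_ref": "CA-0001", "RT.02.02.0060": "S01"},
    {"arrangement_ref": "CA-0002", "RT.02.02.0060": "S05"},
    {"arrangement_ref": "CA-0003", "RT.02.02.0060": "S02"},
]
RT_05_02 = [
    {"arrangement_ref": "CA-0001", "RT.05.02.0020": "S01"},
    {"arrangement_ref": "CA-0002", "RT.05.02.0020": "S06"},  # differs from RT.02.02
    # CA-0003 has no supply-chain row at all: also an inconsistency
]
RT_07_01 = [
    {"arrangement_ref": "CA-0001", "RT.07.01.0040": "S01"},
    {"arrangement_ref": "CA-0002", "RT.07.01.0040": "S05"},
    {"arrangement_ref": "CA-0003", "RT.07.01.0040": "S02"},
]


def collect(rows, field):
    """Map arrangement_ref -> set of category codes found in `field`."""
    by_ref = defaultdict(set)
    for row in rows:
        by_ref[row["arrangement_ref"]].add(row[field])
    return by_ref


def find_inconsistencies(t0202, t0502, t0701):
    """Return {arrangement_ref: {field: categories}} for every arrangement
    whose category sets are not identical across the three fields."""
    views = {
        "RT.02.02.0060": collect(t0202, "RT.02.02.0060"),
        "RT.05.02.0020": collect(t0502, "RT.05.02.0020"),
        "RT.07.01.0040": collect(t0701, "RT.07.01.0040"),
    }
    refs = set().union(*(v.keys() for v in views.values()))
    problems = {}
    for ref in sorted(refs):
        per_field = {f: v.get(ref, set()) for f, v in views.items()}
        if len({frozenset(s) for s in per_field.values()}) > 1:
            problems[ref] = per_field
    return problems


if __name__ == "__main__":
    for ref, fields in find_inconsistencies(RT_02_02, RT_05_02, RT_07_01).items():
        print(ref, fields)
```

Running the check on the sample data flags CA-0002 (category mismatch) and CA-0003 (missing supply-chain row) while CA-0001 passes; the same function can be fed rows read from the three sheets of a register export.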

Keeping data up to date

The register of information must be kept up-to-date in the event of any change concerning the providers, the related contracts or the functions supported by ICT services. Keeping it up to date is important because financial entities shall, at least annually, provide information to the competent authorities on the number of new arrangements for the use of ICT services, the categories of external ICT service providers, the type of contractual arrangements and the ICT services and functions supported. Competent authorities may also request at any time the complete register of information or, according to the content of such a request, specific sections of that register together with any information deemed necessary.

What obligations does DORA impose in terms of supplier management?

Many of the obligations related to ICT providers have already been discussed in the article. Financial entities must maintain the aforementioned register containing information on contractual records of ICT services and other information indicated in the RTS. The register must be kept up-to-date and available to supervisors upon request. Financial entities must regularly report information on cooperation with ICT providers to supervisors, including contractual details and support of critical functions.

Financial entities need to create an ICT risk management strategy that includes rules for collaboration, risk assessment and monitoring. They must carry out an assessment of concentration risk, i.e. dependence on a single supplier and the potential risks associated with this. Contracts should include key security and risk management clauses. Entities must ensure that they are able to control and carry out regular audits. They need to ensure business continuity through contingency plans, regular testing and preparation for different scenarios. They also need to create exit strategies, i.e. plans in the event of termination of their relationship with a critical supplier.

Every financial entity needs to review its existing methods of managing ICT service providers and adapt to the new guidelines arising from the DORA regulation and the specific guidelines coming out of the RTS.

Before concluding a contract with a ‘critical’ supplier, this fact must be reported to the supervisory authority. The contract will enter into force after an appropriate period of time.

What happens if a financial institution fails to comply with DORA?

Failure to comply with the requirements set out in the DORA Regulation can lead to serious legal, financial, operational and reputational consequences for financial entities. These entities may face the risk of legal proceedings, especially if non-compliance leads to incidents. Supervisory authorities may impose significant financial penalties, the amount of which depends on the severity of the breach and the potential risks arising from non-compliance. Such penalties can significantly affect an entity’s financial stability and its ability to perform its core functions.

Financial entities may be subject to restrictions on their operations, for example by blocking cooperation with ICT providers that do not meet security requirements. Such sanctions may disrupt the entity’s key operations, leading to the loss of the ability to provide certain services. In addition to this, financial entities may be required to develop and implement recovery plans, which will affect the allocation of corporate resources.

Non-compliance can seriously damage an entity’s reputation, undermining the trust of customers, business partners and investors. Negative perceptions can result in an exodus of clients and a decline in financial performance. In extreme cases, where a breach of DORA requirements poses a serious threat to customers or the financial sector, supervisors may revoke an institution’s license to operate. Withdrawal of the license results in the institution having to cease conducting financial activities.

In addition, members of the board of directors may be subject to administrative sanctions, including a ban on serving as directors. Such penalties are enforced immediately, with no possibility of deferral.

How easy is it to cope with the responsibilities imposed by DORA?

Maintaining compliance with the DORA regulation for ICT service providers is a demanding process that imposes many complex obligations on financial entities. These include, as indicated in this article, among others, maintaining a register of ICT providers, keeping data up-to-date and producing reports for supervisors.

In fact, preparing a register for a single supplier can take up to two days of work by a project team member, especially if it is a supplier supporting critical functions. This process requires sifting through many documents and being fully precise in coding the information. When the register is completed manually, such a task is not only time-consuming but also increases the risk of errors. Add to this the need to update data across tables at a later date, and the ‘manual’ format in an Excel file can pose problems even for large teams in efficient organizations.

Automation in support of DORA duty management

One of the tools that automates this process is the DORA Register ICT Providers Tool. This tool minimizes labor-intensive work by automatically transferring information between related records, which also makes it easier to maintain data integrity. Furthermore, by processing the data in one system rather than in multiple Excel files, problems of repetition and discrepancies between tables are avoided. A change made once in one place is automatically propagated across all related records, saving time and eliminating the risk of errors. This is crucial during any update of the register. DORA Register also offers ready-to-use reports, compliant with regulators’ requirements, which can be obtained with a single click.

Thanks to the automation with DORA Register, it takes around 1.5 hours to complete the register for one supplier, whereas manual documentation can take up to eight hours. This tool works particularly well with a larger number of suppliers, allowing quick access to reports on demand and real-time monitoring.
