Cost pressure is pushing every organization to rely on suppliers. Some suppliers are central to the organization's operations, others merely support ancillary processes. It is crucial to determine who our suppliers are and what they supply us with. That information is scattered across contracts, purchase orders and regulatory requirements. Many suppliers have worked with the organization for years, and now the scope of the services they provide, and how important those services are to the proper functioning of the financial institution, must be clarified. The new obligations under the DORA regulation make supplier management a challenge, especially when working with many suppliers. One of the first steps towards DORA compliance is to classify suppliers correctly and to build a clear register of information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers.
For most organizations, preparing this register means gathering a colossal amount of information. Entities currently hold a contract register, asset databases in the CMDB, and assorted reports, analyses and summaries of assets and safeguards kept in Excel sheets, which gives the impression that preparing a register of contractual arrangements for the use of ICT services will not be much of a problem. Those who leave the creation of this register to the end may be unpleasantly surprised. Such summaries are often hard to read, and keeping them up to date and consistent requires constant discipline. So how do you classify suppliers correctly, and how do you create the register correctly and on time? This article explains.
Is my supplier an ICT provider according to DORA?
Whether a supplier provides services that fall within the scope of ICT services is determined by the subject matter of the contract and the services provided under it. Financial entities work with many suppliers, but not all of them are subject to the requirements of DORA. The regulation defines an ICT third-party service provider but does not explicitly resolve whether a particular company providing certain services or offering certain products is covered. The regulation distinguishes between external ICT third-party service providers and intra-group providers, i.e. entities within a financial group whose main activity is providing ICT services to entities of the same group. Determining whether an entity meets the criteria of an ICT provider requires looking at the definition of ICT services in Article 3(21): digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services (including technical support via software or firmware updates by the hardware provider), but excluding traditional analogue telephone services. The definition is broad, which means that where there is doubt as to whether an entity meets the criteria of an ICT provider, the answer will most often be yes. So check the contract to see whether you are dealing with such a provider; if so, the services must be included in the register.
What is supplier classification and what is its purpose?
Classification is the starting point for an information registry and it enables an accurate mapping of suppliers and the services they provide. The first step divides suppliers into two categories:
– ICT suppliers providing services supporting critical or important functions,
– other suppliers.
As part of this process, special attention is paid to suppliers supporting critical or important functions, and the degree to which the financial entity depends on each supplier is analyzed. With the classification in place, financial entities can manage the risks associated with ICT services by focusing oversight on the providers most relevant to the organization's operations.
How to classify an ICT provider?
Classification of ICT suppliers requires a consistent approach based on objective criteria rather than discretionary decisions. As a first step, the results of a business impact analysis (BIA) can be used. In simple terms, a BIA combines three elements: first, the products and services provided by the financial institution; second, the processes through which those services are delivered; and third, the supporting assets that the process, and consequently the service, cannot do without. ICT providers supply some of these assets. Where a service is identified as critical, the providers of its supporting assets are by definition candidates for critical suppliers. In a second stage, verify whether each of them really is critical: it is worth checking how each supplier actually participates in the processes behind the critical business functions.
Do not confuse proprietary supplier classification schemes that ignore the business functions the suppliers actually support with a deliberate, strategic identification of critical or important business functions. Classification schemes built in isolation from functions should be avoided. Classification should rest on established principles, consistent with DORA requirements, that identify which functions and processes are critical or important to the financial entity.
Articles 28 and 29 set out the general principles for managing ICT third-party risk at entity level, including the assessment, before contracting, of whether a service supports a critical or important function and the preliminary assessment of ICT concentration risk. The top-down designation of critical ICT third-party service providers by the ESAs (EBA, ESMA, EIOPA), on the recommendation of the Oversight Forum, is governed by Article 31, which lists the designation criteria: the systemic impact on the stability, continuity or quality of the provision of financial services should the provider suffer a large-scale operational failure, the systemic character or importance of the financial entities relying on the provider, their reliance on it for critical or important functions, and the degree to which the provider can be substituted.
Together these articles frame how financial institutions should classify and assess their ICT providers under DORA.
In classifying ICT providers, a financial institution should follow the detailed guidelines in JC 2023 85, the implementing technical standard (ITS) that specifies the full content of the register of information. The ITS defines several dimensions along which ICT providers are categorized: whether the service supports a critical or important function, and the 19 types of ICT services listed in Annex III of the ITS. Intra-group providers are also part of the classification; intra-group contractual arrangements are listed in template RT.02.03, separately from the arrangements with providers outside the group.
In addition, providers designated as critical by the European supervisory authorities (referred to in this article as "key" providers, to distinguish them from providers supporting critical or important functions at entity level) form a special group that the organization does not classify itself: they are designated top-down and are subject to oversight by EU authorities. This designation is not a classification the entity records in its own register, but it may affect the entity's assessment of the provider and its further cooperation with it.
ICT providers supporting critical or important functions
Critical or important functions are those that are vital to the operational continuity, security and stability of a financial entity. They are processes whose disruption could have serious consequences, such as interruptions in customer service, problems in processing financial transactions, or breaches of personal data protection; in short, consequences for the continuity of the institution's operations. DORA (Article 3(22)) defines a critical or important function as one whose disruption would materially impair the financial performance of the entity or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the entity's continuing compliance with the conditions and obligations of its authorisation or with its other obligations under applicable financial services law.
Cooperation with ICT providers supporting critical or important functions is subject to more stringent requirements than cooperation with providers supporting other functions. Note that an ICT provider supporting even one critical or important function must be placed in this group, even if that function is only a small part of its cooperation with the financial entity. Importantly, such a provider must disclose to the financial institution the required information about its own subcontractors, who will be supplying ICT services further down the chain. This covers the entire supply chain.
Providers supporting critical or important functions must meet the highest security standards, undergo regular audits and maintain safeguards that support business continuity. See, for example, Article 28(5) on the information security standards a provider must comply with and Article 30(3) on the contractual provisions required for services supporting critical or important functions.
Categories of ICT services according to the ITS (JC 2023 85)
In addition to the division into providers supporting critical or important functions and other providers, which stems from the DORA regulation itself, the ITS defines 19 types of ICT services. Both dimensions form the basis for classifying ICT providers and describing them in the register of information. The 19 types cover a wide range of services, from basic IT infrastructure to more specialized services such as ICT security management, cloud services (IaaS, PaaS, SaaS) and data analytics. Each ICT service must be assigned to the appropriate type, which makes it easier to identify and assess the function it supports for the financial entity.
Assigning services to the types defined in the ITS lets financial entities identify precisely what kinds of services they receive, which matters for proper management of ICT third-party risk. With this classification, financial entities can monitor and control various aspects of the services provided, especially those supporting critical or important functions. By separating providers into categories, the organization can determine more precisely what requirements to place on each provider, depending on the nature and importance of its services to the institution.
In practice the division into these groups is neither clear nor obvious. Some providers meet the criteria of several service types at once, and experience shows that this group of providers is growing.
ICT providers within the group
Intra-group ICT providers are entities that operate within large financial groups and are dedicated to providing ICT services to other units of the same group. Within the framework of DORA, all intra-group ICT arrangements must be identified so that the relationships between intra-group and external providers are clearly defined.
Template RT.02.03 is used to document these arrangements, and the contractual arrangement reference number makes it possible to identify individual contracts and to understand the relationships in the supply chain. This matters wherever at least one provider in the ICT service chain belongs to the same group as the entity using the services. Such a register of intra-group providers enables monitoring of internal risks, increases transparency and facilitates the management of consolidated ICT processes.
Key suppliers at EU level
A new feature is the category of critical ICT third-party service providers ("key" providers in this article): strategic service providers whose designation is made at the level of the ESAs and not by the financial entities themselves. To identify them, the ESAs require the register of contractual arrangements in a specific format. These providers are designated on the basis of the registers collected by the competent authorities of all 27 European Union member states. They are ICT providers of particular systemic importance from the perspective of the entire European Union, seen through the prism of services that can directly affect the stability, security and continuity of the financial sector.
With this change, key providers are subject to stringent requirements and must cooperate with the ESAs, which increases the leverage over these providers and thereby raises the digital resilience of the entire financial sector. Note that a key provider established in a third country must establish a subsidiary within the European Union. Oversight by the European authorities is in addition to, not instead of, the financial entity's own due diligence and the audit rights it holds under its contracts; the entity remains responsible for managing its ICT third-party risk.
Practical aspects of classification
Before entering into an arrangement with an ICT provider, the financial entity must carry out a detailed verification and classification exercise that identifies the processes depending on the provider and assesses the risks associated with its services. As a first step, the financial entity should determine which business processes will rely on the provider's services and whether those services support functions that are critical or important to the entity's operations. ICT providers affect operations to different degrees, and critical or important functions require special oversight and additional safeguards.
This requires a careful analysis of all contracts concluded with the ICT provider, which should set out the terms of cooperation, not forgetting any subcontracting provisions. If the provider supports critical or important functions, the financial entity must ensure that it has full knowledge of all participants in the supply chain, including subcontractors. Such transparency is essential for managing ICT risk and minimizing potential disruptions.
As part of supplier verification, financial entities typically use questionnaires to gather detailed information about the provider and its compliance with regulatory requirements. Such documentation is key to an initial assessment of whether a provider meets the standards required by DORA and is able to ensure continuity of service, but it is only the first step in managing ICT providers.
Formally entering a provider into the register of information is a complex and time-consuming process. Translating ICT supplier contracts into the register format means translating business language into the register's codes and identifiers, and requires additional work. It is worth using an IT tool that supports the preparation of the register of contractual arrangements. The process ends with the generation and submission of reports in the required file formats, such as CSV and JSON, containing both business data and technical metadata; the reports must be properly organized and delivered to the regulators as ZIP archives.
Why are business functions the key to supplier classification?
The function is the basis for assessing whether an ICT provider is critical. It is a combination of a business process and a type of activity (template RT.06.01). The type of activity may be non-critical even though the business process is critical, and for a single type of activity a financial entity usually has several business processes. Note that the list of activity types is closed, whereas business processes can be added by the financial entity at its discretion. The criticality of each combination of business process and activity type should be evaluated case by case.
For this reason, to determine which ICT providers support critical or important functions, one must go through the entire process of assessing the criticality of business processes and activity types. Any provider found to be providing services that support a critical or important function is subject to the stringent requirements of DORA.
Is there a difference between critical and important functions?
Article 3(22) (Definitions) states that a "critical or important function" means a function "the disruption of which would materially impair the financial performance of a financial entity", and goes on to cover the soundness or continuity of its services and the entity's compliance with the conditions of its authorisation. The DORA text does not distinguish between a critical function and an important function; the two words describe a single concept. This means that every provider supporting a critical or important function is subject to the same stringent security, risk management and business continuity requirements.
Why is supplier substitutability important?
The DORA regulation recognizes the challenge commonly known as vendor lock-in. For this reason it draws attention to supplier substitutability: the ability to switch quickly and safely to an alternative solution if a particular ICT provider ceases to provide services or fails to meet the requirements imposed on it. This is one of the key elements of ICT third-party risk management, as it reduces the risk of disruption to critical or important functions that could lead to financial, reputational or compliance losses. High substitutability means that, in the event of problems with one provider, the financial entity can switch seamlessly, or at least relatively quickly, to alternative services. Financial entities therefore need to assess the level of substitutability when engaging ICT providers and to develop an exit strategy.
How is the risk assessment related to the ICT provider done?
Assessing the risks arising from services provided by an ICT provider is an important part of managing ICT third-party risk. According to the regulation, the risk assessment follows a methodology focused on the value and criticality of information assets to the organization. The process should cover the identification of potential threats, an assessment of the likelihood of their occurrence and of their impact on the organization's ability to provide its services. Risk is estimated with the general formula
R = W × P,
where R is the risk, W is the impact on the organization (including on its continued compliance with DORA requirements) and P is the probability of the threat materializing. Threats must be assessed both in terms of their potential consequences for supporting assets (e.g. servers or software) and in terms of their impact on the operation of the financial entity as a whole. It is important to consider how the loss of security attributes such as availability, authenticity, integrity and confidentiality could affect the operation of the organization and, in particular, the services it provides. An effective methodology built on an asset-based approach will help you work securely with ICT providers from both an operational and a regulatory perspective.
An iterative approach makes it easier to fill in the register of information
Identifying and classifying ICT providers requires continuous monitoring of their participation in business processes and their links to critical or important functions. This task is time-consuming, especially when a function's criticality is verified manually in Excel spreadsheets; in such a complex web of records this leads to errors that are hard to eliminate, let alone to the required reports. An application that supports supplier classification enables an iterative approach and allows various scenarios to be simulated, for example "How many providers become critical if this function is considered critical?" or "Can some of the providers we consider critical be reclassified as non-critical if the functions assigned to them are not critical?" DORA Register supports this approach. Thanks to the approach proposed in the DORA Register application, those responsible for developing the register can complete the information in stages. They can analyze contractual provisions and the requirements directed at providers, determine the criticality of the services offered and the concentration of services, and build a picture of the supply chain. This translates into a precise and flexible register of providers and automated reporting to the FSC.
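The function-based classification described above (a provider is critical if any of its contracts supports even one critical or important function, and the classification follows the supply chain to subcontractors) and the what-if scenarios of an iterative approach can be modelled in a few dozen lines. The following is an added example written for this article; it is not code from the DORA Register application or from any supervisory tool. The contract fields, the function IDs (each standing for a business process / activity type pair as in template RT.06.01), the service type codes and the sample register are all constructed assumptions.

```python
"""Classify ICT providers by the functions they support (illustrative, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

CRITICAL = "critical_or_important"
OTHER = "other"


@dataclass(frozen=True)
class Contract:
    """One contractual arrangement for ICT services (hypothetical fields)."""
    ref: str                              # contractual arrangement reference number
    provider: str                         # ICT third-party service provider
    service_type: str                     # ICT service type code, e.g. "S02" (assumed codes)
    functions: frozenset[str]             # IDs of the functions the service supports
    subcontractors: tuple[str, ...] = ()  # further providers in the ICT supply chain


# Constructed sample register: four contracts, three providers, one subcontractor chain.
CONTRACTS = (
    Contract("C-001", "CloudCo", "S02", frozenset({"F-PAY", "F-HR"}), ("DataCenterOps",)),
    Contract("C-002", "PayrollSaaS", "S05", frozenset({"F-HR"})),
    Contract("C-003", "AnalyticsLtd", "S07", frozenset({"F-REPORT"}), ("CloudCo",)),
    Contract("C-004", "CloudCo", "S13", frozenset({"F-HR"})),
)
# Output of the BIA / criticality assessment of functions (constructed).
CRITICAL_FUNCTIONS = {"F-PAY", "F-REPORT"}


def classify(contracts: Iterable[Contract], critical_functions: set[str]) -> dict[str, str]:
    """Return provider -> class.

    A provider is CRITICAL if any single contract supports at least one critical
    or important function, however small that contract is. The flag propagates
    down the chain: every subcontractor on such a contract is flagged too, and a
    provider is never downgraded by a later, non-critical contract.
    """
    result: dict[str, str] = {}
    for c in contracts:
        for p in (c.provider, *c.subcontractors):
            result.setdefault(p, OTHER)
        if c.functions & critical_functions:
            for p in (c.provider, *c.subcontractors):
                result[p] = CRITICAL
    return result


def critical_dependencies(contracts: Iterable[Contract],
                          critical_functions: set[str]) -> dict[str, set[str]]:
    """Critical functions each provider sits under, directly or as a subcontractor.

    A simple concentration indicator: a provider reachable from several critical
    functions is a single point of failure even if it holds only one direct contract.
    """
    deps: dict[str, set[str]] = {}
    for c in contracts:
        for p in (c.provider, *c.subcontractors):
            deps.setdefault(p, set()).update(c.functions & critical_functions)
    return deps


def what_if(contracts: Iterable[Contract], critical_functions: set[str],
            function_id: str) -> tuple[int, int]:
    """Flip the criticality of one function and report how many providers are
    CRITICAL before and after, i.e. the scenario questions from the text."""
    contracts = tuple(contracts)
    before = sum(v == CRITICAL for v in classify(contracts, critical_functions).values())
    flipped = critical_functions ^ {function_id}   # symmetric difference toggles membership
    after = sum(v == CRITICAL for v in classify(contracts, flipped).values())
    return before, after


if __name__ == "__main__":
    deps = critical_dependencies(CONTRACTS, CRITICAL_FUNCTIONS)
    for provider, cls in sorted(classify(CONTRACTS, CRITICAL_FUNCTIONS).items()):
        print(f"{provider:14} {cls:22} critical functions: {sorted(deps[provider])}")
    print("if F-HR became critical (before, after):", what_if(CONTRACTS, CRITICAL_FUNCTIONS, "F-HR"))
    print("if F-REPORT were not critical (before, after):", what_if(CONTRACTS, CRITICAL_FUNCTIONS, "F-REPORT"))
```

Two things the sample shows that a spreadsheet tends to hide: CloudCo stays critical even though contract C-004 on its own is not, and it turns up under two critical functions although it holds only one critical direct contract, because it is also a subcontractor of AnalyticsLtd. Reclassifying F-REPORT as non-critical removes AnalyticsLtd from the critical group but leaves CloudCo where it is.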