ICT Third-Party Risk under DORA
Contractual requirements, concentration risk, exit strategies, and oversight of critical ICT third-party service providers (CTPPs).
ICT Third-Party Risk: The Largest DORA Chapter
Articles 28 through 44 of DORA (EU Regulation 2022/2554) address ICT third-party risk management, making it the most extensive chapter of the regulation. This reflects a fundamental reality of modern finance: financial entities are deeply dependent on external ICT service providers for cloud infrastructure, core banking platforms, payment processing, data analytics, and cybersecurity services.
DORA introduces two interconnected frameworks. First, it imposes obligations on financial entities to manage their ICT third-party risk. Second, it creates a direct oversight regime for critical ICT third-party providers (CTPPs) designated by the European Supervisory Authorities. Together, these provisions aim to reduce systemic risk from ICT concentration in the financial sector.
General Principles (Art. 28)
Art. 28 establishes several foundational principles for managing ICT third-party risk:
- Full responsibility remains with the entity: Financial entities remain at all times fully responsible for compliance with DORA, regardless of any arrangements with ICT third-party providers. Outsourcing does not outsource accountability.
- Risk-based approach to outsourcing: Entities must adopt a strategy for ICT third-party risk, including a policy on the use of ICT services supporting critical or important functions.
- Information register: Entities must maintain and keep up to date a register of information on all contractual arrangements with ICT third-party service providers, distinguishing those that support critical or important functions from those that do not. The full register must be made available to the competent authority on request, and entities must report to it at least yearly on new arrangements (Art. 28(3)).
- Pre-contractual assessment: Before entering into a contractual arrangement, entities must assess whether the arrangement covers a critical or important function, evaluate supervisory conditions, identify and assess concentration risk, and conduct appropriate due diligence.
For details on the information register, see our dedicated DORA Information Register page.
Concentration Risk (Art. 29)
Art. 29 introduces the concept of ICT concentration risk, which arises when multiple financial entities, or critical functions within a single entity, depend on the same ICT third-party provider. This creates a potential single point of failure for the financial system.
Financial entities must assess concentration risk at the entity level and at the sub-consolidated and consolidated levels. Factors to consider include:
- The number of critical or important functions that depend on the same provider
- The substitutability of the provider (how easily can the service be switched to an alternative?)
- The number of financial entities using the same provider for critical functions
- Data sovereignty and data localisation requirements
Where concentration risk is identified, entities must implement mitigation measures. This may include multi-cloud strategies, maintaining alternative providers, or ensuring that exit strategies are operationally viable.
Contractual Requirements (Art. 30)
Art. 30 is one of the most operationally impactful provisions of DORA. Art. 30(2) sets out the minimum content of every contract with an ICT third-party provider; Art. 30(3) adds further mandatory clauses where the service supports a critical or important function. Taken together, contracts for critical or important functions must cover:
- Service levels: full service level descriptions with precise quantitative and qualitative performance targets, so that the entity can monitor the service and require corrective action without undue delay when agreed levels are not met
- Data location: the regions or countries where the service is provided and where data is processed and stored, including under sub-outsourcing arrangements, plus prior notification of any intended change of location
- Audit and access rights: unrestricted rights of access, inspection and audit for the financial entity and for its competent and resolution authorities, which the entity must be able to exercise effectively
- Incident assistance: the provider must assist the entity without undue delay when an ICT incident related to the service occurs, at no additional cost or at a cost agreed in advance
- Business continuity and testing: the provider must implement and test business contingency plans, maintain ICT security measures, and participate in the entity's threat-led penetration testing (TLPT)
- Exit strategies: termination rights, an adequate mandatory transition period, and a transition plan that lets the entity exit the arrangement without disruption to its business activities
- Sub-outsourcing: whether subcontracting of the ICT service is permitted and, if so, the conditions that apply
- Cooperation with authorities: the provider must fully cooperate with the entity's competent and resolution authorities, including during on-site inspections
For existing contracts that do not yet contain these clauses, entities must negotiate amendments. New contracts must include all required provisions from the outset.
Exit Strategies (Art. 28(8))
DORA places particular emphasis on exit strategies for ICT services supporting critical or important functions. Financial entities must be able to exit an arrangement without disruption to their business, without limiting their compliance with regulatory requirements, and without detriment to the continuity and quality of services provided to clients. Exit plans must be comprehensive, documented, sufficiently tested and reviewed periodically. This requires:
- Documented transition plans with defined timelines
- Regular testing of exit procedures to ensure they remain operationally viable
- Identification of alternative providers or internal capabilities for critical functions
- Data portability provisions in contracts to ensure data can be migrated
Critical Third-Party Providers (CTPPs) and Oversight (Art. 31-44)
DORA introduces a direct oversight framework for Critical ICT Third-Party Providers (CTPPs). This is new for EU financial regulation: technology companies that are not themselves financial entities become subject to an oversight regime because of their systemic importance to the financial sector. Note the terminology: CTPPs are overseen, not supervised. The Lead Overseer's recommendations are addressed to the CTPP, while the binding obligations continue to rest with the financial entities that use it.
Designation of CTPPs (Art. 31)
The ESAs (EBA, EIOPA, ESMA) jointly designate ICT third-party providers as critical based on criteria including:
- The systemic impact that a failure of the provider would have on financial stability
- The number and importance of financial entities relying on the provider
- The degree of substitutability of the provider
- The systemic character or importance of the financial entities relying on the provider
The Oversight Framework (Art. 33-44)
Each designated CTPP is assigned a Lead Overseer, one of the three ESAs (Art. 31). Under Art. 35 the Lead Overseer may:
- Request all relevant information and documentation
- Conduct general investigations and inspections, including on-site inspections at the CTPP's premises (Arts. 38 and 39)
- Issue recommendations on ICT risk management, security, testing, business continuity and sub-outsourcing; these are not binding, but within 60 days the CTPP must either declare that it will follow them or give a reasoned explanation of why not (Art. 42)
- Impose periodic penalty payments of 1% of the CTPP's average daily worldwide turnover in the preceding business year, for each day of delay and for up to six months, where the CTPP fails to comply with information requests, investigations or inspections
Where a CTPP does not follow a recommendation, the lever runs through its customers: competent authorities may require financial entities to temporarily suspend, or ultimately terminate, their arrangements with that provider (Art. 42).
This is significant for major cloud providers (AWS, Azure, Google Cloud), core banking platform vendors, and payment processing companies that serve large parts of the financial sector. For details on penalty mechanisms, see our DORA Penalties page.
Practical Steps for Financial Entities
- Inventory all ICT third-party arrangements: Build the information register required by Art. 28(3). This is the foundation for everything else. See our Information Register guide.
- Classify arrangements by criticality: Not all arrangements are equal. Focus contractual review and enhanced due diligence on providers supporting critical or important functions.
- Review and amend contracts: Compare existing contracts against Art. 30 requirements. Prioritise amendments for critical-function providers.
- Assess concentration risk: Map dependencies across providers. Identify single points of failure and develop mitigation strategies.
- Develop and test exit strategies: For each critical-function provider, document a transition plan and validate its feasibility.
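The concentration-risk assessment in Art. 29 and step 4 above (map dependencies, find single points of failure) are easy to get wrong when the register only records the direct contracting party: two unrelated providers may both run on the same cloud, so the real concentration only appears once sub-outsourcing chains are followed. The script below is an added example, not code from the page or from Kopexa. It models a small register with constructed, hypothetical providers and functions, follows each provider's sub-outsourcers transitively, and flags providers that carry several critical or important functions and are also rated hard to substitute. The "low/medium/high" substitutability scale and the threshold of two functions are assumptions for the example.

```python
"""Concentration-risk mapping over a constructed ICT third-party register.

Added example (hypothetical data); follows sub-outsourcing chains so that
concentration hidden behind a direct provider becomes visible.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    name: str
    substitutability: str            # assumed scale: "low", "medium", "high"
    subcontractors: tuple = ()       # names of providers this one sub-outsources to


@dataclass(frozen=True)
class Arrangement:
    function: str                    # business function the service supports
    provider: str                    # direct ICT third-party provider
    critical: bool                   # supports a critical or important function


# Constructed sample data with hypothetical names, not a real register.
PROVIDERS = {p.name: p for p in [
    Provider("HyperCloud", "low"),
    Provider("CoreBankCo", "low", ("HyperCloud",)),
    Provider("PayProc", "medium", ("HyperCloud",)),
    Provider("DataViz", "high", ("HyperCloud",)),
    Provider("MailCo", "high"),
]}

REGISTER = [
    Arrangement("payments-core", "CoreBankCo", critical=True),
    Arrangement("card-processing", "PayProc", critical=True),
    Arrangement("trading-platform", "HyperCloud", critical=True),
    Arrangement("customer-analytics", "DataViz", critical=False),
    Arrangement("email-marketing", "MailCo", critical=False),
]


def dependency_chain(name, providers, seen=None):
    """All providers a service ultimately depends on: the direct provider plus
    every sub-outsourcer reachable from it. `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return seen
    seen.add(name)
    for sub in providers[name].subcontractors:
        dependency_chain(sub, providers, seen)
    return seen


def concentration(register, providers, transitive=True):
    """Map provider -> set of critical/important functions that depend on it.
    With transitive=False only the direct contracting party is counted."""
    result = defaultdict(set)
    for a in register:
        if not a.critical:
            continue
        deps = dependency_chain(a.provider, providers) if transitive else {a.provider}
        for p in deps:
            result[p].add(a.function)
    return dict(result)


def single_points_of_failure(register, providers, min_functions=2):
    """Providers carrying at least `min_functions` critical functions (counting
    sub-outsourcing chains) that are also rated hard to substitute."""
    conc = concentration(register, providers, transitive=True)
    return sorted(
        p for p, funcs in conc.items()
        if len(funcs) >= min_functions and providers[p].substitutability == "low"
    )


if __name__ == "__main__":
    direct = concentration(REGISTER, PROVIDERS, transitive=False)
    full = concentration(REGISTER, PROVIDERS)
    for name in PROVIDERS:
        print(f"{name:12} direct={len(direct.get(name, ()))} "
              f"transitive={len(full.get(name, ()))}")
    print("single points of failure:", single_points_of_failure(REGISTER, PROVIDERS))
```

In the sample data the direct view shows HyperCloud supporting one critical function, but once CoreBankCo's and PayProc's sub-outsourcing is followed it carries three, and as a low-substitutability provider it is the only single point of failure flagged. In a real assessment the provider and subcontractor data would come from the Art. 28(3) register, and the substitutability rating from the pre-contractual assessment under Art. 28(4).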
Get your ICT third-party risk under control
Kopexa helps you build and maintain the DORA information register, track contractual compliance, assess concentration risk, and manage exit strategies, all in one platform. Start with a free assessment of your current third-party landscape.