DORA Third-Party Oversight: ICT Third-Party Risk Management
Register of Information
Article 28(3) introduces one of DORA's most operationally significant requirements: financial entities must maintain and keep up to date a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers. This register is not merely an inventory — it is a comprehensive, structured dataset that must be available to competent authorities upon request.
The register must contain, for each ICT third-party arrangement: the identity of the ICT third-party service provider, a description of the ICT services provided, the jurisdictions where data is stored and processed, information on any sub-contractors in the ICT service delivery chain, the assessment of the criticality or importance of the ICT services to the financial entity's business functions, and the date of the contractual arrangement and its renewal or termination dates.
Article 28(4) requires financial entities to report the register to their competent authorities at least annually. The register serves multiple regulatory purposes: it enables supervisory authorities to assess concentration risk across the financial sector, supports the designation of critical ICT third-party providers under Article 31, and provides the data foundation for the ESAs' oversight activities. Financial entities that are part of a group must ensure consistency of their registers with the group-level register maintained by the parent undertaking.
Register of Information
Financial entities must maintain a comprehensive register of all ICT third-party arrangements including provider identity, services, data jurisdictions, and criticality assessments.
Register Reporting
The register must be reported to competent authorities at least annually and be available upon request.
Contractual Requirements
Article 30 prescribes mandatory contractual provisions that must be included in all ICT service arrangements between financial entities and their ICT third-party providers. These provisions go significantly beyond standard commercial contract terms and reflect DORA's objective of ensuring that the financial sector retains adequate control over outsourced ICT functions.
For all ICT services, Article 30(2) requires contractual provisions covering:
(a) a clear and complete description of the ICT services;
(b) the locations where data is processed and stored, with advance notification of any changes;
(c) provisions on data availability, authenticity, integrity, and confidentiality, including data protection;
(d) provisions ensuring access to, recovery, and return of data in an easily accessible format in the event of insolvency, resolution, or discontinuation;
(e) service level descriptions and quantitative and qualitative performance targets;
(f) provisions granting the financial entity unrestricted rights of access, inspection, and audit;
(g) cooperation obligations for the ICT provider during incident reporting;
(h) termination rights and minimum notice periods;
(i) provisions on the participation of the ICT provider in the financial entity's ICT security awareness programmes;
(j) the ICT provider's obligation to implement and test ICT business continuity plans; and
(k) the ICT provider's obligation to participate in the financial entity's digital operational resilience testing.
For ICT services supporting critical or important functions, Article 30(3) imposes additional requirements including full SLAs with precise quantitative metrics, mandatory data processing locations within the EU where required by the financial entity or applicable law, and enhanced termination and exit provisions.
Contractual Provisions — All ICT Services
Eleven mandatory contractual elements covering service description, data location, SLAs, audit rights, incident cooperation, termination, and continuity.
Additional Requirements for Critical/Important Functions
Enhanced contractual requirements for ICT services supporting critical or important functions, including full SLAs and EU data processing location requirements.
Pre-Contractual Assessment
Before entering into an ICT third-party arrangement, financial entities must conduct a thorough pre-contractual risk assessment as mandated by Articles 28(4) and 28(5). This assessment is designed to ensure that the entity makes an informed decision about engaging an ICT provider, taking into account the full spectrum of risks including operational, concentration, and compliance risks.
The pre-contractual assessment must evaluate: the potential impact of the ICT service arrangement on the financial entity's operational risk, the ICT third-party provider's ability to comply with applicable regulatory requirements (including data protection), the provider's financial stability and business continuity capabilities, the risks arising from sub-outsourcing arrangements, and the overall concentration risk that would result from entering into the arrangement.
Article 28(5) specifically requires financial entities to assess whether entering into an ICT service arrangement would lead to excessive concentration risk — that is, whether the entity's dependency on a single provider or a small number of providers for critical ICT services would create an unacceptable single point of failure. The results of the pre-contractual assessment must be documented and form part of the entity's overall ICT risk management records. Where the assessment identifies material risks, the financial entity must implement appropriate mitigation measures before proceeding with the arrangement.
Pre-Contractual Risk Assessment
Financial entities must conduct risk assessments before entering ICT third-party arrangements, evaluating operational impact and provider capabilities.
Concentration Risk Assessment
Pre-contractual assessments must evaluate whether the arrangement would create excessive concentration risk or unacceptable single points of failure.
Critical Third-Party Provider Designation
Articles 31-44 establish a novel direct oversight framework for ICT third-party service providers designated as critical by the European Supervisory Authorities. This framework represents one of DORA's most innovative elements: for the first time, non-financial entities — specifically, ICT service providers — are brought under direct EU financial regulatory supervision.
Article 31(1)-(6) defines the criteria for designation. The ESAs, through the Joint Committee, designate ICT third-party providers as critical based on: (a) the systemic impact that a failure or operational outage at the provider would have on the provision of financial services, (b) the systemic character of the financial entities relying on the provider, (c) the degree of substitutability of the provider, considering the lack of alternatives or the difficulty of migrating services, and (d) the number of member states in which the provider's services are used.
Designated critical ICT third-party providers are subject to direct supervision by a Lead Overseer — one of the three ESAs (EBA, ESMA, or EIOPA) — supported by a Joint Examination Team. The Lead Overseer has extensive powers under Article 33 including: conducting general investigations, on-site inspections, requesting information, issuing recommendations, and ultimately issuing penalty orders of up to 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of six months.
Designation of Critical ICT Third-Party Providers
The ESAs designate critical ICT third-party providers based on systemic impact, substitutability, and the number of dependent financial entities and member states.
Powers of the Lead Overseer
The Lead Overseer may conduct investigations and inspections, request information, issue recommendations, and impose penalties of up to 1% of average daily worldwide turnover.
Critical ICT third-party providers face direct ESA oversight with penalty powers of up to 1% of average daily worldwide turnover for each day of non-compliance, capped at six months. This regime applies to providers regardless of whether they are established in the EU.
Concentration Risk
Article 29 establishes specific requirements for managing ICT concentration risk — the risk arising from excessive dependency on a single or small number of ICT third-party service providers. This is distinct from the general third-party risk management requirements and reflects DORA's recognition that concentration in the ICT supply chain poses systemic risks to financial stability.
Financial entities must assess and manage ICT concentration risk as part of their ICT risk management framework. Article 29(1)-(4) requires entities to: identify and document all dependencies on ICT third-party providers, assess the substitutability of each provider (considering the availability of alternatives and the cost and complexity of migration), evaluate the potential impact of a large-scale failure at a single provider on the entity's operations, and consider the wider systemic implications where many financial entities rely on the same provider.
The concentration risk assessment is not a one-time exercise. Financial entities must continuously monitor their ICT dependency landscape and update their assessment whenever new ICT service arrangements are entered into or existing ones are materially modified. Competent authorities may use the aggregate data from registers of information (Article 28(3)) to identify sector-wide concentration risks and issue guidance or requirements to address them. In practice, this means that financial entities may be required to adopt multi-provider strategies for critical services or to develop credible exit and transition plans for services where high concentration risk is identified.
ICT Concentration Risk
Financial entities must identify, assess, and manage ICT concentration risk including substitutability analysis, impact assessment, and continuous monitoring.
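As an added illustration (not code from the page), the following Python sketch shows how the Article 28(3) register fields described above can be checked for completeness and how the Article 29 concentration-risk screen (substitutability, tested exit strategy under Article 28(8), stale contract dates) can be run over register rows. The provider names, services, dates and the field names are constructed assumptions, not DORA-prescribed schema.

```python
"""Constructed example: Article 28(3) register rows checked for required fields
and screened for Article 29 concentration risk (added here, not the page's code)."""
from collections import defaultdict
from datetime import date

# Fields the page lists for every arrangement in the register of information.
REQUIRED_FIELDS = ("provider", "service", "jurisdictions", "subcontractors",
                   "critical", "contract_start", "contract_renewal")

def missing_fields(row):
    """Return the required register fields that are absent or empty in a row."""
    return [f for f in REQUIRED_FIELDS if row.get(f) in (None, "")]

def concentration_flags(register, today):
    """Group critical arrangements by provider; return provider -> list of reasons.
    Flags a provider that carries more than one critical function and is not
    substitutable, a critical service without a tested exit strategy (Art 28(8)),
    and a stale renewal date (register not kept up to date, Art 28(3))."""
    by_provider = defaultdict(list)
    for row in register:
        if row["critical"]:
            by_provider[row["provider"]].append(row)
    flags = {}
    for provider, rows in by_provider.items():
        reasons = []
        if len(rows) > 1 and not all(r["substitutable"] for r in rows):
            reasons.append("several critical functions on a non-substitutable provider")
        if not all(r["exit_strategy_tested"] for r in rows):
            reasons.append("critical service without a tested exit strategy")
        if any(r["contract_renewal"] < today for r in rows):
            reasons.append("renewal date in the past; register entry is stale")
        if reasons:
            flags[provider] = reasons
    return flags

# Constructed sample register: fictional providers, services and dates.
SAMPLE_REGISTER = [
    {"provider": "CloudCo", "service": "core banking hosting", "jurisdictions": ["IE"],
     "subcontractors": ["DC-Ops"], "critical": True, "substitutable": False,
     "exit_strategy_tested": True, "contract_start": date(2023, 1, 1),
     "contract_renewal": date(2026, 1, 1)},
    {"provider": "CloudCo", "service": "payments gateway", "jurisdictions": ["IE", "DE"],
     "subcontractors": [], "critical": True, "substitutable": False,
     "exit_strategy_tested": False, "contract_start": date(2024, 6, 1),
     "contract_renewal": date(2025, 6, 1)},
    {"provider": "MailCo", "service": "marketing e-mail", "jurisdictions": ["FR"],
     "subcontractors": [], "critical": False, "substitutable": True,
     "exit_strategy_tested": False, "contract_start": date(2024, 1, 1)},
]
REPORT_DATE = date(2025, 9, 1)  # constructed reporting date for the screen
```

Running `concentration_flags(SAMPLE_REGISTER, REPORT_DATE)` flags only CloudCo, with all three reasons; the MailCo row is non-critical but `missing_fields` reports its absent renewal date.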
Exit Strategies
Article 28(8) mandates that financial entities develop and maintain exit strategies for ICT service arrangements. These exit strategies are a critical risk mitigation tool, ensuring that entities can disengage from an ICT provider — whether voluntarily or due to circumstances such as provider insolvency, regulatory action, or service degradation — without unacceptable disruption to their operations.
The exit strategy requirements apply to all ICT service arrangements, but are particularly rigorous for services supporting critical or important functions. Financial entities must ensure that exit strategies include: detailed transition plans specifying the steps, timeline, and resources required to migrate to an alternative provider or to bring services in-house; data portability arrangements ensuring that all data can be retrieved in a structured, commonly used, and machine-readable format; minimum notice periods that provide adequate time for orderly transition; and provisions for continued service delivery during the transition period.
The exit strategy must be tested periodically to ensure its feasibility. Financial entities that rely on a single provider for a critical function without a tested exit strategy face heightened regulatory scrutiny, as this represents a material concentration risk under Article 29. The contractual provisions required under Article 30 must support the exit strategy — for example, by including explicit data return obligations, cooperation duties during transition, and prohibitions on vendor lock-in practices that would impede migration.
Exit Strategies
Financial entities must develop and maintain exit strategies for ICT arrangements including transition plans, data portability, minimum notice periods, and continued service during transition.
Frequently Asked Questions
What is the register of information under DORA?
The register of information, required by Article 28(3), is a comprehensive, structured record of all contractual arrangements with ICT third-party service providers. It must include provider identity, service descriptions, data storage jurisdictions, sub-contractor information, criticality assessments, and contract dates. It must be reported to competent authorities at least annually.
What must ICT service contracts include under DORA?
Article 30 mandates eleven categories of contractual provisions including: service description, data processing locations, access and audit rights, SLAs with quantitative targets, incident cooperation obligations, termination rights, business continuity testing participation, and data return arrangements. For critical/important functions, additional requirements apply including full SLAs with precise metrics.
What is a critical ICT third-party provider under DORA?
A critical ICT third-party provider is designated by the ESAs through the Joint Committee based on criteria including systemic impact, substitutability, and the number of financial entities and member states served. Designated providers are subject to direct oversight by a Lead Overseer (EBA, ESMA, or EIOPA) with powers to conduct inspections and impose penalties of up to 1% of average daily worldwide turnover.
How should financial entities manage ICT concentration risk?
Under Article 29, financial entities must identify all ICT provider dependencies, assess substitutability and migration costs, evaluate the impact of provider failure, and consider systemic implications. This assessment must be ongoing and updated when arrangements change. Entities may need to adopt multi-provider strategies or develop tested exit plans for services with high concentration risk.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.