DORA Insights

What impact does DORA have on ICT third party providers supporting financial services organisations?

  • Insight
  • 15 minute read
  • 11/09/24

With the January 2025 deadline for compliance with the Digital Operational Resilience Act (DORA) quickly approaching, financial entities (FEs) and their Information and Communication Technology (ICT) service providers need to carefully review DORA and its regulatory technical standards (RTS) and implementation technical standards (ITS) targeting the management of ICT third-party risk and determine what actions are to be taken now to enable readiness.

DORA: A recap

In the evolving digital landscape, managing ICT risk has become a critical concern for FEs. That concern extends to organisations' third parties, fourth parties and beyond, and was brought into focus by a number of high-profile outages triggered by these dependencies. DORA addresses it head-on in Chapter V, “Managing ICT third-party risk”, and the supporting RTS: DORA requires FEs to integrate ICT third-party risk management as a core component of their overall ICT risk strategy.

The regulation stipulates a detailed framework of stringent principles that FEs are required to diligently follow. It mandates that an ongoing, robust risk assessment and due diligence process be performed on ICT third parties and that key contractual provisions, as defined by DORA, are in place with all ICT third parties. This provides continuous alignment with regulatory expectations and the dynamic nature of risk management, underscoring the critical importance of maintaining rigorous oversight and adaptive risk strategies throughout the lifecycle of third-party relationships.

What do ICT third parties need to consider under DORA?

DORA prescribes requirements for all ICT third parties supporting FEs based in the EU/EEA. Clearly the risk exposure of ICT providers is not equal, and therefore as the criticality of the role the ICT provider plays increases, so do the requirements under DORA.

To effectively understand the requirements, in this article we have divided the third parties into three distinct categories:

  • Category 1: ICT third parties that support any and all ICT services;
  • Category 2: ICT third parties that support “Critical or Important Business Functions” (CIBFs) defined by the FE; and
  • Category 3: ICT third parties that are “Critical Third-Party Providers” (CTPPs) at a European level.

The register of information (ROI) that the FE is required to complete requires a clear definition of the category of ICT service, as noted in categories 1-3 above. The Act itself covers the basic requirements for ICT third parties supporting any ICT services (category 1) and the requirements for those designated as CTPPs (category 3). While the Act also specifies some of the requirements for ICT third parties that support “Critical or Important Business Functions” (CIBFs) (category 2), an RTS released earlier this year further specifies more prescriptive requirements for this category.


Category 1: All ICT third parties that support any and all ICT services

What can all “ICT” service providers do to help financial entities prepare ahead of the DORA enforcement date in January 2025?

  • Support the FE in compiling a register of information in relation to all contractual arrangements.
  • Support the FE with contractual arrangements that clearly outline the rights and obligations of both parties, including service level agreements, taking into account the principle of proportionality with the nature, scale, complexity and importance of the ICT-related dependencies.
  • Prepare to support FEs in conducting audits and inspections as required by regulatory authorities, either by obtaining an independent review or by being ready to facilitate the right to audit.
  • Take note of the termination requirements in relation to breaches, performance, weaknesses in overall ICT management and any alterations that could potentially impact the competent authority's ability to supervise the FE with regard to the contractual arrangements in place.
  • Be prepared for the obligation to provide assistance to the FE when an ICT incident related to the services being provided to the FE occurs.
  • Be ready to assist the FE in developing a contract which includes essential elements such as a clear and complete description of the services provided, data processing locations, data protection provisions on the availability, authenticity, integrity and confidentiality of data held, service level descriptions, termination rights and related minimum notice periods, obligations to cooperate with the competent authorities and resolution authorities of the FE, and participation in security awareness programs.
  • Undergo and support the FE in the risk assessment, due diligence and conflict-of-interest processes to identify and address any potential risks associated with the services provided.
  • Maintain clear and comprehensive documentation of your services and processes, and be able to provide details of the information security standards you comply with, as an FE cannot enter into a contract unless this condition is met.
  • Put in place processes and procedures for the access, recovery and return, in an easily accessible format, of personal and non-personal data processed by the FE in the event of insolvency, resolution or discontinuation of business operations, or in the event of termination of the contractual arrangements with the FE.

Category 2: What additional elements are required for an “ICT” service provider supporting critical/important business functions?

  • Develop a detailed mapping and visibility of where the ICT services provided are sub-outsourced. The FE is required to understand its end-to-end mapping of business processes to ICT systems and will therefore ask the ICT service provider to provide details on any sub-outsourcing of these processes and systems, including whether the sub-outsourcer is located in, or processes or stores the data in, a third country.
  • The mapping should clearly outline the type of service, the nature of the data and the location where the data is stored and processed.
  • Check that the requirements on the ICT risk management framework, incident management and digital operational resilience testing required by DORA are in place in your organisation by performing a gap assessment against the requirements.
  • Develop full service level descriptions with quantitative and qualitative performance targets within the agreed service levels to allow for effective monitoring.
  • ICT service providers should check they have the most up-to-date and highest-quality information security standards, as required by the Act for all ICT providers supporting CIBFs.
  • Check that you have sufficient resources to provide the services so as to enable the FE to comply with all its legal and regulatory requirements regarding the services provided.
  • Be prepared to show the FE that you have the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, an appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisation(s) or registration(s) to provide the ICT services supporting the critical or important function in a reliable and professional manner, as well as the ability to monitor relevant technological developments, identify ICT security leading practices and implement them where appropriate, so as to have an effective and sound digital operational resilience framework.
  • Be prepared to demonstrate that you act in an ethical or socially responsible way and adhere to human and children's rights, applicable principles on environmental protection and appropriate working conditions, including the prohibition of child labour.
  • Be prepared to specify the required level of assurance on the effectiveness of the risk management framework within your own organisation.
  • Outline processes covering the existence of risk mitigation and business continuity measures and how these are considered.
  • Consider the level of supporting documentation to be provided, i.e. certifications, independent audit requirements, internal audit reports, etc.
  • Consider the insolvency law provisions that would apply if your organisation went bankrupt and the constraint they place on the FE's ability to recover its data from your organisation.
  • Take steps to comply with Union data protection rules, especially if you operate in or subcontract to third countries.
  • Support the risk assessment provisions the FE is required to perform, to check that all relevant risks are managed by the FE, including operational, legal and reputational risks, risks to the protection of confidential or personal data, risks to the availability of data, risks linked to the location where the data is stored and the location of the ICT provider, as well as support in assessing concentration risk.
  • The FE will require support in documenting its policy on ICT services supporting CIBFs, including a requirement to maintain contractual arrangements that are consistent with those of its own entity and to outline the principles, responsibilities and processes for each main phase of the lifecycle: contracts, due diligence, risk assessment, monitoring, exit plans, etc.
  • Include the full service level descriptions with precise quantitative and qualitative performance targets within agreed service levels, which will support the FE in effective monitoring.
  • Defined notice periods and reporting obligations where agreed service levels are not met.
  • Requirements to implement and test a BCP and an appropriate level of ICT security measures for the service your organisation is providing.
  • An obligation to participate in Threat-Led Penetration Testing (TLPT), where required.
  • Support with the FE's exit plans and a mandatory transition period, which will require periodic testing and review by the FE.
  • Performance monitoring, which will include the FE's right to monitor your organisation, including unrestricted access rights, inspection and audit by the FE, and details of the scope, procedures to be followed and frequency of inspections.
  • A requirement to assess the third party's intention to sub-outsource by requiring a risk and benefit analysis.
  • Include requirements on the obligations in relation to providing access to FEs, their auditors and the competent authorities in relation to their right to audit and access to documentation.

Category 3: ICT providers that are designated as Critical Third-Party Providers (CTPPs)

What are the criteria for designation as a Critical ICT third-party service provider (CTPP designation summary)?

  • The ESAs (European Supervisory Authorities: EBA, ESMA and EIOPA) will classify ICT third-party service providers as “critical” based on specific criteria. An initial self-assessment may indicate whether a classification as “critical” is likely. This should then trigger action to prepare for the increased requirements at an early stage and prevent potential penalties down the line.
  • The systemic impact on the stability, continuity or quality of the provision of financial services due to a widespread operational disruption of the ICT third-party service.
  • The dependence of FEs on the services of the relevant ICT third-party service provider.
  • The systemic nature or the importance of the FEs which rely on the ICT third-party service provider.
  • The degree of substitutability of the ICT third-party service provider.

Once the ESAs designate a provider as critical, they will notify the provider, which will be subject to oversight no later than one month after notification.

  • The ESAs will publish and update yearly a list of CTPPs at a Union level. There is also the opportunity to request designation as critical by submitting a reasoned application to the ESAs; a decision will be made within 6 months, if accepted.
  • FEs may only make use of a CTPP established in a third country and designated as a CTPP if that provider has established a subsidiary in the Union within 12 months following designation.
  • Each CTPP will be assigned a “Lead Overseer” by the ESAs.
  • The CTPP will need to appoint one legal person as a coordination point to enable adequate representation and communication with the Lead Overseer.

In summary

  • Regulatory oversight and supervision aim to enable ICT third-party providers to play their role in effectively supporting the stability, resilience, and integrity of the systems they support for FEs while complying with regulatory requirements to protect consumers and mitigate risks.
  • DORA prescribes requirements for all ICT third parties supporting FEs based in the EU/EEA. Clearly the risk exposure of ICT providers is not equal, and therefore as the criticality of the role the ICT provider plays increases, so do the requirements under DORA.
  • Third-party organisations should prepare their response for each category of third party outlined above, ensuring they are available to support with the requirements outlined in the Act and the supporting RTSs.
  • The ESAs have published a joint report and draft RTS on subcontracting ICT services. The requirements of the RTS on subcontracting apply to ICT services supporting critical or important functions. These are functions that, if disrupted, could have a material impact on the financial soundness, business continuity and/or regulatory compliance of an FE. Both the FE and ICT third-party providers should consider their respective requirements in the newly released draft RTS on subcontracting and what actions must be taken in the coming months to enable readiness.
  • As an ICT third-party provider, assess DORA's criteria for the designation of critical third-party providers. An initial self-assessment may indicate whether a classification as “critical” is likely. This should then trigger action to prepare for the increased requirements at an early stage and prevent potential penalties down the line.

While this provides a useful summary of the documentation requirements, all ICT providers will need to review the requirements defined in the Act and the relevant supporting RTSs for full compliance.

PwC’s multidisciplinary DORA team has the knowledge and experience to support clients in achieving DORA contractual compliance. If you are seeking support and practical advice on the leading practices for establishing your framework and DORA strategy, we would be delighted to hear from you.

Author: Moira Cronin, Partner, PwC Ireland (Republic of)
