With DORA now in force, the ESAs will publish a yearly list of critical ICT third-party providers.
ICT third-party service providers that are not included in the list of critical providers can request to be designated as critical by submitting an application to EBA, ESMA, or EIOPA, which, through the Joint Committee, will decide whether to designate the provider as critical within 6 months of receiving the application.
Since most requirements and templates are already public, financial entities and critical ICT third-party providers (CTPPs) are encouraged to start preparing for designation now.
If you have already been designated as a CTPP or expect to be, you might find this blog post about DORA CTPP compliance useful.
We also have another blog post about how you can determine if you’re a critical ICT third-party provider if you are unsure whether your organisation is likely to be designated as a CTPP by the ESAs.
DORA Critical Third-Party Providers’ Requirements
We’ve reviewed the DORA regulation and picked out the parts directly relevant to critical third-party providers.
Here’s what you need to do/know as a critical third-party provider under DORA.
Governance and risk management
Oversight
Critical ICT third-party providers are under the direct supervision of a Lead Overseer appointed by the ESAs (EIOPA, ESMA, or EBA). (Art. 31(1b), Art. 33(1–2))
Oversight Forum
A sub-committee called the Oversight Forum supports the Joint Committee and the Lead Overseer in monitoring ICT third-party risks across financial sectors.
This sub-committee prepares joint positions and acts, and ensures a consistent approach to ICT risk management across the EU.
It also conducts yearly reviews of oversight findings for all critical ICT third-party providers and promotes coordination, best practices to address ICT concentration risks, and strategies to manage cross-sector risk transfers.
Plus, it proposes benchmarks for ICT third-party providers, adopted as joint positions by the ESAs. (Art. 32)
Oversight Fees
Critical ICT third-party providers must pay fees to cover the costs of oversight activities performed by the Lead Overseer.
The fees are proportional to the provider’s turnover and will fully cover the costs of oversight duties.
Annual Oversight Plan
The Lead Overseer creates an annual plan for overseeing each critical ICT third-party provider.
This plan, which is shared with the provider each year, outlines clear objectives and key actions for the year.
Before finalising the plan, the Lead Overseer sends a draft to the provider. The provider has 15 days to respond, explaining how the plan might affect customers outside the scope of DORA and suggesting ways to reduce any risks. (Art. 33(4))
Powers of Supervisory Authorities
The supervisory authorities have the following powers:
- Information requests: Authorities may request any information necessary for oversight. (Art. 37)
- Investigations: Supervisors can examine records, summon representatives, request statements, conduct interviews, and request records of communications. (Art. 38)
- Inspections: To carry out its duties under DORA, the Lead Overseer can inspect the premises, systems, and operations of critical ICT third-party providers, both on-site (e.g., offices, data centres) and off-site. Providers will receive reasonable prior notice unless there is an emergency or crisis, or prior notice would undermine the inspection’s effectiveness. Financial authorities connected to the inspected provider must be informed ahead of time. (Art. 39)
- Follow-up: Authorities may share information about providers' compliance and can demand suspension of financial entities' use of non-compliant providers. (Art. 42)
- Sanctions: Authorities can impose fines and penalties for non-compliance. (Art. 35(6–11))
ICT Risk Management
Critical third-party providers must put in place comprehensive ICT risk management processes, including for business continuity and disaster recovery. (Art. 33(3c))
Governance and Accountability
Providers must have clear governance structures with defined responsibilities and accountability to enable effective ICT risk management. (Art. 33(3d))
Standards
Providers must align with relevant national and international ICT service standards. (Art. 33(3i))
Interoperability
Providers must have mechanisms for data portability, application portability, and interoperability, so that financial entities can terminate and transfer services smoothly. (Art. 33(3f))
Audits
Providers must conduct ICT audits to evaluate and maintain compliance and effectiveness. (Art. 33(3h))
Technical and Security Requirements
Service Security
Providers must ensure the security, availability, continuity, scalability, and quality of their services, maintaining high standards for data security, confidentiality, and integrity. (Art. 33(3a))
Physical Security
Providers must have measures in place for securing premises, facilities, and data centres. (Art. 33(3b))
Incident Response
Providers must establish systems for identifying, monitoring, and resolving ICT incidents, including cyber-attacks. (Art. 33(3e))
Testing
Providers must conduct regular testing of ICT systems, infrastructure, and controls. (Art. 33(3g))
CTPPs’ ICT services supporting critical or important functions (i.e., those specific services, not the entire third-party provider) may be included in the scope of threat-led penetration testing (TLPT) conducted by financial entities. When CTPPs are included in TLPT, financial entities must ensure their participation and retain full responsibility for compliance.
If testing might affect services provided by the CTPP to non-regulated customers or compromise confidentiality, the CTPP and financial entity can agree to a pooled testing arrangement, where multiple financial entities coordinate testing with the CTPP.
Even when CTPPs participate, financial entities remain fully responsible for managing the impact of tests, including any disruptions caused by their execution. (Art. 26)
Security Standards
For contracts involving critical or important functions, the financial entity must ensure that the provider uses the latest and highest quality security standards. (Art. 28(5))
Reporting
ICT Incident Reporting
Critical ICT providers must assist financial entities in reporting ICT-related incidents promptly, with updates and final analyses. (Art. 33(3e))
Contracts
Mandatory Contractual Elements
In addition to the “normal” contractual requirements between financial institutions and their ICT third-party service providers, contracts between financial institutions and providers that support critical or important functions must include:
- Enhanced service levels: Full service level descriptions, including quantitative and qualitative performance targets, to monitor compliance and allow corrective actions.
- Incident reporting: Notice and reporting obligations for material impacts on service delivery.
- Contingency plans: Requirements for testing business continuity and ICT security measures.
- Testing participation: Obligation to cooperate in Threat-Led Penetration Testing (TLPT).
- Ongoing monitoring: Financial entities (and/or their appointed third parties, competent authorities, and the Lead Overseer) must have unrestricted rights to audit and inspect performance.
- Exit strategies: Defined transition periods to ensure service continuity during provider changes.
(Art. 30)
DORA Non-Compliance TL;DR
Critical ICT third-party providers must cooperate with the Lead Overseer and assist in fulfilling its responsibilities.
If you don’t comply with the required measures after being notified, and 30 days have passed without resolution, the Lead Overseer can impose daily penalty payments to enforce compliance.
These daily penalty payments will continue until you comply, but for no longer than six months from the notification date.
The penalty can be up to 1% of your average daily global turnover from the previous business year.
The exact amount depends on the circumstances, with the Lead Overseer taking the following into account:
- How serious and prolonged the non-compliance is.
- Whether the non-compliance was intentional or due to negligence.
- How cooperative the provider has been with the Lead Overseer.
To ensure fairness, decisions will involve consultation within the Joint Oversight Network (JON).
Penalties are administrative and legally enforceable; enforcement follows the civil procedure laws of the relevant Member State, and collected penalties will go to the EU budget.
The Lead Overseer will publicly announce imposed penalties unless doing so could harm financial markets or cause significant damage to the involved parties.
Before penalties are imposed, the provider will be allowed to review the findings and submit comments. To prepare their defence, providers are entitled to access the case file, except for confidential information or the Lead Overseer’s internal documents.
Need Help Complying with DORA? SECFORCE Can Help
SECFORCE is a consultancy firm specialising in DORA. We have extensive experience helping financial businesses comply with regulations like DORA.
Contact us for support with your DORA compliance journey.