DORA's Technical Side: What Third Party Providers of ICT Services Need to Do

In our second article regarding DORA, we broke down what financial entities need to do to start their DORA compliance journey. In this third article, we break down what third-party providers of ICT services need to do to start their DORA compliance journey.

What third-party ICT services providers need to do under DORA

DORA places significant emphasis on the accountability of third-party service providers (TSPs) that provide services to and support financial entities. As these providers often play critical roles in maintaining operational continuity, they must align with the resilience standards mandated by DORA.

1. Understand the Scope of Your Responsibilities

TSPs need to be fully aware of their role in the operational ecosystem of their financial entity clients. DORA requires that the TSPs take responsibility for ensuring their systems, processes, and infrastructure can support their clients’ resilience goals.

Key Actions:

Familiarize yourself with the DORA requirements that are relevant to you and how they apply to your services.

Identify critical or important ICT services you provide to financial entities and assess their impact on clients’ operational continuity. Note, however, that the financial entity has the ultimate responsibility to determine whether the ICT services you provide are critical or important.

2. Implement Robust ICT Risk Management Processes

As an extension of your clients’ operations, your ICT risk management framework must meet the same standards required of financial entities.

Key Actions:

Conduct risk assessments specific to the ICT services you provide to financial entities.

Develop safeguards to address identified risks, such as implementing cybersecurity measures, redundancy in infrastructure, and robust monitoring systems.

3. Strengthen Resilience Through Testing

TSPs must demonstrate that their systems and services can withstand disruptions and continue to operate effectively.

Key Actions:

Participate in joint testing initiatives with your clients to simulate disruptions and evaluate response and recovery capabilities.

Regularly conduct internal resilience testing, such as stress testing, penetration testing, and system recovery drills.

Provide testing documentation and results to your clients as part of compliance audits.

4. Support Incident Reporting and Resolution

When incidents occur, TSPs are required to collaborate with their clients to ensure timely detection, reporting, and resolution.

Key Actions:

Establish clear incident management protocols, including timelines for notifying clients about disruptions or breaches.

Maintain detailed records of incidents and their resolution, which clients may be required to report to regulators.

Commit to rapid response and transparent communication.

5. Maintain Clear Contractual Terms

DORA mandates that financial entities include resilience-related provisions in contracts with TSPs.

Key Actions:

Review existing contracts with your clients to ensure alignment with DORA requirements, such as provisions for risk assessments, incident reporting, and testing.

Prepare to accommodate client requests for audits, performance reviews, and regular updates on resilience measures.

Ensure your contracts include escalation procedures for incidents and defined accountability in the event of service disruptions.

The financial entity may provide you with a contract or an addendum to an existing contract which includes the clauses required by DORA. You may also want to draft your own contract or addendum to an existing contract which you provide to the financial entity. Even though you expect the financial entity to provide you with its version of the contract/addendum, we recommend that you draft your own version (i) as an exercise to understand the contractual requirements of DORA and (ii) to be prepared should the financial entity request your version instead of providing its own.

6. Prepare for Oversight by Oversight Authorities

TSPs that provide critical services may fall under the oversight of EU-designated oversight authorities.

Key Actions:

Be prepared to demonstrate compliance with DORA to oversight authorities.

Establish a compliance function to monitor changes in regulatory requirements and ensure continuous alignment.

Key takeaways

A TSP's non-compliance with DORA can result in reputational damage, loss of business relationships with financial entities, and potential regulatory penalties. It is therefore important that you understand the scope of your responsibilities, implement robust ICT risk management processes, and strengthen resilience through testing. Be prepared to support incident reporting and resolution, and cooperate where you are subject to oversight by Oversight Authorities. Ensure that you maintain clear contractual terms.

Synch is a business-oriented law firm with innovation and technology at its heart. Our mission is to bring calm to any legal question, no matter the challenge. We do this by using our curiosity to deeply understand our clients' challenges and fully grasp their needs, applying a combination of our knowledge, experience, and the best use of technology through advisory services and packaged solutions.