Third-Party Risk Management under DORA (Article 28)

Third-Party Risk Management (TPRM) under DORA Article 28 requires financial entities to retain full responsibility for outsourced functions. Key requirements include integrating TPRM into the ICT risk framework, performing rigorous due diligence, maintaining a comprehensive contract register, and establishing mandatory exit strategies for critical or important functions.

Key Takeaways

1. Financial entities retain full responsibility for outsourced functions under DORA.
2. TPRM strategy must integrate with the overall ICT Risk Management Framework.
3. Thorough due diligence, including concentration risk assessment, is mandatory pre-contract.
4. Maintain an updated register of all third-party contracts, distinguishing critical functions.
5. Critical/important functions require a defined exit strategy for seamless transition.

What are the fundamental principles of DORA Third-Party Risk Management?

The fundamental principles of DORA Third-Party Risk Management (TPRM) establish that financial entities are always fully responsible for outsourced functions, meaning accountability cannot be transferred, regardless of the provider used. Furthermore, the principle of proportionality applies. This ensures that the complexity and scale of TPRM measures are commensurate with the size, nature, and overall risk profile of the financial entity, allowing for tailored and efficient compliance efforts based on actual risk exposure.

  • Financial entity is always fully responsible.
  • Principle of proportionality applies.

How should financial entities structure their Third-Party Risk Strategy?

Financial entities must structure their Third-Party Risk Strategy as an integral component of their overarching ICT Risk Management Framework, ensuring a cohesive approach to managing digital operational resilience. This integration is vital for addressing external dependencies effectively. Crucially, the management body must regularly review and approve this strategy to ensure its continued relevance, effectiveness, and alignment with the entity's risk appetite and regulatory obligations under DORA.

  • Part of the ICT Risk Management Framework.
  • Regularly reviewed by the management body.

What due diligence steps are required before entering a third-party contract?

Before finalizing any third-party contract, financial entities must execute a rigorous pre-contractual due diligence process to mitigate potential risks. This process requires assessing whether the function is classified as critical or important, which determines the necessary level of scrutiny. Entities must identify and assess all associated risks, including potential concentration risk, perform thorough due diligence on the provider, and evaluate any conflicts of interest. Finally, entities must confirm the provider meets necessary security standards.

  • Assess whether the function is critical/important.
  • Identify and assess all risks (incl. concentration risk).
  • Perform due diligence on the provider.
  • Assess conflicts of interest.
  • Consider whether the provider meets security standards (Para. 5).

Why must financial entities maintain a Register of Information for third-party contracts?

Financial entities must maintain and continuously update a comprehensive Register of Information for all third-party contracts to ensure transparency and regulatory oversight. This register must clearly distinguish between contracts involving critical or important functions and those that are non-critical. Entities are required to report specific details, such as the number and categories of contracts, to the competent authority. The competent authority retains the right to request access to the entire register at any time for supervisory purposes.

  • Maintained and updated for ALL contracts.
  • Distinguishes critical / important functions.
  • Reported to the competent authority (number, categories...).
  • Competent authority may request the entire register.

What are the requirements for ongoing monitoring and auditing of third-party providers?

Ongoing monitoring and auditing are essential to ensure third-party providers continuously meet contractual and security obligations as defined by DORA. Financial entities must proactively determine the appropriate frequency and scope of these audits based on the criticality of the outsourced function and the risks involved. Furthermore, it is mandatory to ensure that the auditors conducting these assessments possess adequate skills and expertise relevant to the technology and services being audited, guaranteeing reliable oversight.

  • Determine frequency and scope of audits.
  • Ensure auditors have adequate skills.

When is an Exit Strategy required, and what must it include?

An Exit Strategy is mandatory for all contracts involving critical or important functions to ensure business continuity and operational resilience. This strategy must clearly define the conditions under which termination may occur, such as a material breach of contract or identified vulnerabilities. The primary goal is to guarantee a transition without any disruption of activity. The strategy must include detailed transition plans, outlining how the function will be moved to an alternative provider or brought back in-house if necessary.

  • Must exist for critical/important functions.
  • Clearly defined termination conditions (e.g., material breach of contract, vulnerabilities).
  • Must ensure transition without disruption of activity.
  • Includes transition plans (to another provider or in-house).

Which European authorities are responsible for developing DORA regulatory standards?

European Supervisory Authorities (ESAs) are tasked with developing detailed regulatory standards to support DORA implementation. Specifically, EBA, ESMA, and EIOPA are jointly responsible for drafting the Implementing Technical Standards (ITS) related to the Register of Information. Additionally, these European authorities will develop Regulatory Technical Standards (RTS) concerning the overall third-party risk policy and framework, ensuring harmonized application across the EU financial sector.

  • EBA, ESMA, EIOPA develop ITS for the register.
  • European authorities develop RTS for the policy.

Frequently Asked Questions

Q: Does DORA allow financial entities to transfer responsibility to third-party providers?

A: No. DORA mandates that the financial entity remains fully and ultimately responsible for all outsourced functions, even when relying on external providers.

Q: What is the role of the management body in the Third-Party Risk Strategy?

A: The management body must regularly review and approve the TPRM Strategy to ensure it is integrated into the overall ICT Risk Management Framework and remains effective.

Q: What specific risk must be assessed during the pre-contractual due diligence phase?

A: Entities must identify and assess all risks associated with the outsourcing arrangement, including the crucial assessment of concentration risk across multiple third-party dependencies.

Q: For which contracts must a financial entity maintain a Register of Information?

A: The Register of Information must be maintained and updated for ALL third-party contracts, though it must specifically distinguish those covering critical or important functions for reporting purposes.

Q: What is the main objective of the mandatory Exit Strategy?

A: The main objective is to ensure that the termination of a contract for a critical or important function results in a transition without any disruption to the entity's activities or business continuity.

© 3axislabs, Inc 2025. All rights reserved.