DORA consultancy - helping financial institutes across the UK and Europe.



Third-Party risk


ESA has recently released several draft Regulatory Technical Standards (RTSs), which provide some flavour of expected control levels.
This is the third article reviewing the Third-party Risk Management technical standard.
The first and second articles, focusing on Risk Management RTS, are available here and here.
One of the core DORA requirements is that the Financial entity must have a strategy for ICT third-party risk management. The strategy shall include a policy on using ICT services supporting critical or important functions provided by ICT third-party service providers.

TL;DR: A financial entity must ensure control of its operational risks, information security and business continuity throughout the life cycle of its contractual arrangements with third-party providers.

Financial entities should establish life cycle management of third-party suppliers. It is crucial that financial entities perform risk assessments and due diligence processes before they enter into contractual arrangements with ICT third-party service providers. Entities must ensure they can exit from such arrangements where necessary and have a business continuity plan for the supported critical or important function.
The risk assessment phase referred to above shall consider, in particular, the impact on the financial entity of having ICT services supporting critical or important functions provided by ICT third-party service providers, together with all associated risks, including:
  • operational risks;
  • legal risks;
  • ICT risks;
  • reputational risks;
  • threats to the protection of confidential or personal data;
  • risks linked to the availability of data;
  • risks related to the location where the data is processed and stored and the location of the ICT third-party service provider;
  • ICT concentration risks at the entity level.

Suppliers (of ICT services) should be differentiated into the following categories:
  • ICT third-party service providers that are authorised or registered by a competent authority in a Member State;
  • Intra-group service providers and relevant subcontractors;
  • ICT third-party service providers located within a Member State and those located in third countries, also taking into account where the ICT services are provided and where the data is processed and stored.

Financial entities shall assess whether the ICT third-party service providers meet appropriate performance and quality standards in line with the contractual arrangement and the financial entity’s policies by ensuring that:
  • The ICT third-party service providers address relevant reports on their activities and services provided to the financial entity, including incidents and service delivery reports, reports on ICT security and business continuity measures and testing;
  • Performance of ICT third-party service providers is assessed with key performance indicators, key control indicators, audits, self-certifications and independent reviews in line with the financial entity’s ICT risk management framework;
  • Other relevant information is received from the ICT third-party service provider;
  • The financial entity is notified of, and responds to, ICT-related incidents and operational or security payment-related incidents;
  • Independent reviews and audits of compliance with legal and regulatory requirements and policies are performed.

The financial entity’s policy shall also include requirements for a documented exit plan for each ICT service supporting critical or important functions provided by an ICT third-party service provider, and for the periodic review and testing of that plan, taking into account possible service interruptions, inappropriate or failed service delivery, or the unexpected termination of a relevant contractual arrangement. The exit plan shall be realistic and feasible, based on plausible scenarios and reasonable assumptions. It shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements.

Our opinion:
The expected third-party management process goes significantly beyond the typical processes currently in place within the financial industry. In addition, third-party suppliers will be unpleasantly surprised by the additional contractual requirements, including reporting requirements.

Please contact us if you have any questions.