DORA consultancy - helping financial institutions across the UK and Europe.



CTTP


To be or not to be a Critical IT Third-Party provider (CTTP) is not a question.
Such a designation is made solely by a financial institution or a regulator. The service provider has only one choice - to continue supporting its clients as they expect, or to lose the business to someone who can.

For those IT service providers who made the right choice, below are several areas to work on.

TL;DR: Lucky or not, IT service providers must make a significant effort to comply with DORA requirements. This is no longer a check-box security questionnaire.

If the IT service provider holds an ISO 27001 or SOC 2 certification, that is a good starting point, but it is not a substitute for DORA compliance. For the avoidance of doubt, those certifications are voluntary and open to broad interpretation, while DORA is a law.
The good news is that the DORA technical requirements, set out in the respective draft RTSs, draw on the security industry's best practices. Alignment can and should build on the processes an organisation hopefully already has in place.

The bad news, based on the draft RTSs, is that the control requirements are far more detailed, and those details will demand additional implementation and management effort.
An IT service provider designated as critical can expect more scrutiny from its financial clients, starting with the negotiation of new contract clauses covering the additional compliance requirements and subcontractor information. Periodic status reporting on vulnerability management, client-specific incident reporting regimes, and resilience testing will also be required.


A financial entity may have to consider its exit options (as per the latest EU guidelines on outsourcing) for cases such as an IT service provider's bankruptcy (which happens more often than expected) or its failure to meet the new compliance requirements (which will happen a lot). An escrow arrangement helps the IT service provider reduce client risk while offering clients a pragmatic solution and additional assurance.

For IT service providers that receive the critical ICT third-party service provider designation from a competent authority, the changes above will begin early next year, when the regulator starts receiving annual reports from financial entities, uses them to identify concentration risks among those providers, and follows up with its own assessment.
"'ICT concentration risk' means an exposure to an individual or multiple related critical ICT third-party service providers creating a degree of dependency on such providers so that the unavailability, failure or other types of shortfall of such provider may potentially endanger the ability of a financial entity to deliver critical or important functions or cause it to suffer other types of adverse effects, including large losses, or endanger the financial stability of the Union as a whole" (Art 3, par 29).

With such "an honour" of additional scrutiny by the regulator come additional obligations:
  • the company will have a Lead Overseer and will have to designate one legal person as a coordination point;
  • companies without a legal presence in the EU will have to establish a subsidiary in the Union within 12 months of the designation;
  • the company will have to produce an annual report with all required details, describing "comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which they may pose to financial entities";
  • it will have to undergo dedicated ICT audits;
  • and it will have to pay an annual fee (€50k).
Update 2025 - the deadline to submit the relevant register is April, with the regulators expected to complete the criticality assessment by July 2025.

We can help you conduct a gap analysis and prepare the compliance pack that will answer your clients' questions about DORA-related matters.

Would you like to talk about DORA compliance? Contact us.