ICT third-party service providers deliver benefits to financial entities, including stronger operational resilience, reduced reliance on legacy IT systems, and greater potential for innovation, diversification and efficiency in the provision of financial services. Using external ICT services lets entities concentrate on their core business and manage IT expenditure more efficiently.
These benefits come with risks. Cyber incidents originating in third-party vulnerabilities can, for example, lead to fraud, disruption of an entity's services, unauthorised access to sensitive customer or corporate information, or harm to the safety and soundness of the financial entity.
To help address ICT third-party risk, the G7 countries and EU authorities have published guidance. To support the development of third-party cyber risk management in the financial sector, the G7 issued the Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector in 2018. The EBA published the final report on its Guidelines on outsourcing arrangements in February 2019.
DORA consolidates this earlier guidance on ICT third-party providers into binding obligations for financial entities operating in the EU. Financial entities must manage ICT third-party risk as an integral component of ICT risk within their overall risk management framework, in accordance with the following principles:
The financial entity remains fully responsible at all times for compliance with, and the discharge of, all obligations under DORA, regardless of its use of ICT third-party service providers
The principle of proportionality applies: the nature, scale, complexity and importance of each ICT dependency determine the depth of risk management applied to the contractual arrangement
Concentration risk must be evaluated and taken into account
The new contractual requirements apply to all ICT third-party service providers. Exit strategies must be in place (documented, tested and periodically reviewed) for ICT services supporting critical or important functions
The financial entity must identify alternative solutions and develop transition plans that allow the contracted functions and the relevant data to be removed from the ICT third-party service provider and securely transferred to alternative providers or reincorporated in-house
The ICT third-party risk strategy must be reviewed regularly, taking into account any multi-vendor strategy the entity has adopted
Financial entities must report yearly to the competent authority on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions provided
The competent authority must also be informed in a timely manner of any planned contractual arrangement for ICT services supporting critical or important functions, and whenever a function has become critical or important
While DORA's requirements are detailed, the procedures for implementing the new regulation are still being developed within the EU and by individual financial entities. We find the G7 Fundamental Elements framework useful for financial entities looking to comply with DORA's ICT third-party risk management requirements.
We can work with you on incorporating the new contractual requirements for ICT third-party service providers, and the provider life-cycle elements, into your overall risk management strategy.
Would you like to talk about DORA compliance? Contact us.