ICT multi-vendor strategy
Context within the ICT Risk Management Framework (Article 6(9) DORA)
- The ICT multi-vendor strategy is an optional component of the digital operational resilience strategy that forms part of the ICT risk management framework.
- Financial entities may define such a strategy at group or entity level.
Purpose and Scope (Article 6(9) DORA)
- The ICT multi-vendor strategy must provide a holistic view of:
– key dependencies on ICT third-party service providers, and
– the rationale behind the procurement mix of ICT third-party service providers.
- The strategy may be adopted to complement the digital operational resilience strategy by providing structured guidance on vendor diversification and dependency management.
Relationship to the Strategy on ICT Third-Party Risk (Article 28(2) DORA)
- Where a financial entity has defined an ICT multi-vendor strategy under Article 6(9), the strategy on ICT third-party risk under Article 28(2) must take this multi-vendor strategy into account.
- This integration takes place as part of the financial entity's regular adoption and review of its strategy on ICT third-party risk, within its broader third-party risk governance.
Application Requirements (Article 28(2) DORA)
- The multi-vendor strategy, where defined, must be reflected on an individual basis and, where relevant, on a sub-consolidated and consolidated basis in the broader strategy on ICT third-party risk.
- The management body must ensure that its review of contractual risks concerning ICT services supporting critical or important functions incorporates the dependencies and procurement rationale set out in the multi-vendor strategy.