Contents
- ICT third-party risk management
- Distinction vs. “outsourcing” under MaRisk/MaGo
- Widening of contractual requirements
- New rules on subcontracting
- Extensive risk analysis and due diligence
- Changed exit & concentration-risk requirements
- Governance of ICT third-party risk
- Reporting obligations & information register (only noted, not analysed)
ICT third-party risk management
Distinction vs. “outsourcing” under MaRisk/MaGo
DORA introduces ICT third-party risk management as a separate but parallel regime to sectoral outsourcing law.
- The existing outsourcing rules (MaRisk AT 9, MaGo 13) remain fully applicable.
- DORA Ch. V adds ICT-specific rules for all contractual arrangements for ICT services.
Key differences:
- Broader scope than “outsourcing”
  - DORA covers all “contractual arrangements on the use of ICT services to run business operations” (Art. 28(1)(a), Art. 3(21) DORA).
  - Result: many vendor relationships that were not outsourcing under MaRisk/MaGo now come into DORA scope.
- “Critical or important function” ≠ “material outsourcing”
  - DORA’s critical/important classification (Art. 3(22)) is based on the impact of disruption or failure of the function, not on the MaRisk materiality test.
  - RTS TPPol Art. 3(2) requires explicit criteria for this classification – institutions must design and document these criteria.
Implication: you get a two-dimensional matrix:
- Is it outsourcing? (MaRisk/MaGo)
- Does it support a critical or important function? (DORA)
…and both regimes must be satisfied in parallel.
Widening of contractual requirements
DORA massively extends the minimum mandatory contract clauses for ICT services.
1. Formal requirements
- Contracts must be in writing, with the full contract + SLAs in one durable, accessible document (Art. 30(1) DORA).
- Material changes must be formalised as a dated, signed written document (RTS TPPol Art. 8(4)).
2. Minimum content for all ICT contracts (Art. 30(2) DORA)
Among others:
- Clear description of all ICT services and functions.
- Locations (regions/countries) of service provision, storage and processing, plus an obligation to notify location changes.
- Information-security objectives and data-protection clauses (availability, authenticity, integrity, confidentiality).
- Ensured access, recovery and return of data in insolvency / resolution / termination.
- Basic service level descriptions.
- Obligation to assist in ICT incidents (at no cost or at a pre-defined cost).
- Obligation to cooperate with competent authorities.
- Termination rights & minimum notice periods.
- Participation in the entity’s ICT-security awareness and resilience training.
3. Additional clauses where critical/important functions are supported (Art. 30(3) DORA, RTS TPPol Art. 8–9)
Examples (all explicitly listed in the Annex table):
- Detailed SLA metrics with precise qualitative & quantitative targets.
- Extended notification & reporting obligations of the provider for any development affecting its ability to deliver.
- Requirements to implement and test business contingency plans.
- Explicit ICT security measures “appropriate to the financial entity’s regulatory framework”.
- Participation & cooperation in TLPT and other resilience testing.
- Comprehensive audit & information rights (own audits, pooled audits, certifications, internal/third-party reports).
- Performance monitoring indicators and measures, including possible contractual penalties when SLAs aren’t met.
4. Implementation impact
- BaFin emphasises that the scope and depth of mandatory clauses require renegotiation of a large part of existing ICT contracts.
- No “wait-and-see” approach: RTS TPPol Art. 3(1) requires a documented timeline and implementation “as soon as possible”; no extended transition for legacy contracts.
New rules on subcontracting
Subcontracting of ICT services supporting critical/important functions is now tightly regulated by draft RTS SUB.
Key elements:
- The financial entity must assess whether the primary ICT provider can properly select and monitor subcontractors (Art. 3(1) draft RTS SUB).
- Contracts must ensure:
  - Replication of relevant clauses into subcontractor agreements.
  - Documentation and monitoring of subcontracting chains.
  - Clear conditions under which subcontracting is permitted.
  - Notice periods and rights to object / require changes before material subcontracting changes take effect.
- Termination rights if the provider breaches subcontracting rules (Art. 7 draft RTS SUB).
Operationally: you need line-of-sight into the full subcontracting chain for critical/important functions – including location, BCM, security standards and audit rights.
Extensive risk analysis and due diligence
BaFin highlights a significant increase in depth and granularity of risk analysis and due diligence, especially for critical/important services.
For all ICT services (Art. 28(4)–(5) DORA)
- Assess compliance with supervisory conditions.
- Identify and assess all relevant risks, including ICT concentration risk.
- Assess provider suitability (due diligence).
- Identify and assess conflicts of interest.
- Ensure compliance with appropriate information-security standards; for critical services: “most up-to-date and highest quality” standards.
Additional requirements for critical/important functions (RTS TPPol Art. 5–6)
Minimum risk list (Art. 5(2) RTS TPPol):
- Operational, legal, ICT and reputational risk.
- Confidentiality and data-protection risk.
- Risks to the availability and location of data.
- Risk linked to provider location and data-processing location.
- Concentration risk.
Minimum provider-assessment criteria (Art. 6(1) RTS TPPol):
- Reputation, capabilities, ICT risk management maturity.
- Subcontracting setup and location.
- Auditability.
- ESG aspects (explicitly mentioned).
Further:
- Analyse benefits and risks of subcontracting, including long and complex chains (Art. 29(2) DORA, draft RTS SUB).
- Consider insolvency law, third-country law, data protection and enforceability issues.
- Assess whether the provider has sufficient resources to meet regulatory requirements (Art. 3(4) RTS TPPol).
- Use provider audit/assessment results even pre-contract where appropriate (Art. 6(3) RTS TPPol) – something many providers are currently not prepared for.
Changed exit & concentration-risk requirements
Exit planning is upgraded from “nice to have” to highly prescriptive and testable.
Exit strategies for critical/important ICT services
- Must allow contract exit without business disruption, without detriment to client services, and without undermining regulatory compliance (Art. 28(8) DORA).
- Must be built on plausible scenarios and assumptions and tested and periodically reviewed (RTS TPPol Art. 10).
Group-wide exemption:
- The MaRisk exemption for intra-group outsourcing exit processes (AT 9.15(d)) does not apply to ICT services under DORA.
- Only proportionality (reduced level of risk) can mitigate the level of detail, but not the need for an exit concept.
Concentration risk
- DORA requires systematic identification & monitoring of situations where:
  - an ICT provider is not readily replaceable, or
  - multiple critical services are sourced from the same provider.
- If such concentration exists, entities must weigh costs and benefits of alternatives (Art. 29(1) DORA; RTS TPPol Art. 5, draft RTS SUB Art. 3(1)(h)).
Governance of ICT third-party risk
DORA pushes ICT third-party risk firmly into board-level governance.
- The management body must:
  - Review ICT third-party risks (Art. 28(2) DORA).
  - Approve the policy on the use of ICT services supporting critical/important functions (Art. 5(2)(h) DORA; RTS TPPol Art. 3(1)).
  - Establish reporting lines for the use of ICT services (Art. 5(2)(i) DORA).
- Institutions must create a role to monitor ICT third-party contracts, functionally analogous to a central outsourcing manager (Art. 5(3) DORA; see also Section 1.2).
This role is responsible for ongoing monitoring of:
- Contractual compliance,
- Performance & SLA breaches,
- Risk developments (including subcontracting and concentration risk),
- Implementation of exit strategies.
Reporting obligations & information register (only noted, not analysed)
BaFin explicitly states that reporting obligations under Art. 28(3) DORA are not analysed in detail in this guidance, but they exist and must be implemented:
- Information register covering all ICT contracts.
- Annual reporting to authorities.
- Reporting of planned contractual arrangements for ICT services supporting critical or important functions.
Source: BaFin, Supervisory statement: Guidance notes on the implementation of DORA for ICT risk management and ICT third-party risk management