ICT third-party risk management

Contents

ICT third-party risk management
  Distinction vs. “outsourcing” under MaRisk/MaGo
  Widening of contractual requirements
    1. Formal requirements
    2. Minimum content for all ICT contracts (Art. 30(2) DORA)
    3. Additional clauses where critical/important functions are supported (Art. 30(3) DORA, RTS TPPol Art. 8–9)
    4. Implementation impact
  New rules on subcontracting
  Extensive risk analysis and due diligence
    For all ICT services (Art. 28(4)–(5) DORA)
    Additional requirements for critical/important functions (RTS TPPol Art. 5–6)
  Changed exit & concentration-risk requirements
    Exit strategies for critical/important ICT services
    Concentration risk
  Governance of ICT third-party risk
  Reporting obligations & information register (only noted, not analysed)

Distinction vs. “outsourcing” under MaRisk/MaGo

DORA introduces ICT third-party risk management as a separate but parallel regime to sectoral …