Contents
- Inventory of all processes that are dependent on ICT third-party service providers
Inventory of all processes that are dependent on ICT third-party service providers
Scope and Integration into the ICT Risk Management Framework (Article 8(5) DORA)
As part of the ICT risk identification obligations under Article 8 DORA, financial entities must:
- identify and
- document
all processes that are dependent on ICT third-party service providers.
This requirement applies across the full process landscape of the financial entity, wherever ICT third-party services are used.
Identification of Interconnections with ICT Third-Party Service Providers (Article 8(5) DORA)
Financial entities must, in addition:
- identify interconnections with ICT third-party service providers that provide services supporting critical or important functions.
This includes:
- technical interconnections (e.g. network links, APIs, data flows), and
- process-level dependencies where third-party ICT services underpin critical or important functions.
Inventory Maintenance and Update Requirements (Article 8(6) DORA)
For the purposes of Article 8(1), (4) and (5), financial entities must:
Maintain Relevant Inventories
- Maintain relevant inventories capturing:
- processes dependent on ICT third-party service providers; and
- interconnections to ICT third-party service providers supporting critical or important functions.
Periodic and Event-Driven Updates
- Update these inventories:
- periodically, and
- every time any major change occurs as referred to in Article 8(3) DORA
(i.e. a major ICT change having material impact on ICT risk or dependencies).