Contents
- Policy on the use of ICT services supporting critical or important functions
- Position within the ICT Risk Management Framework (Article 28(2) DORA)
- Overall Risk Profile and Complexity (Article 1 RTS TPPol)
- (a) Type of ICT Services
- (b) Location of ICT Third-Party Service Provider or Parent
- (c) EU / Third-Country Location and Data Location
- (d) Nature of Data
- (e) Intra-Group or External Provider
- (f) Supervised / Non-Supervised Providers (EU)
- (g) Supervised / Non-Supervised Providers (Third Country)
- (h) Concentration of Services
- (i) Transferability
- (j) Impact of Disruptions
- Group Application (Article 2 RTS TPPol)
- Governance Arrangements (Article 3 RTS TPPol)
- (a) Management Body Review (Article 3(1))
- (b) Methodology for Critical or Important Functions (Article 3(2))
- (c) Internal Responsibilities and Expertise (Article 3(3))
- (d) Assessment of Provider Resources (Article 3(4))
- (e) Senior Management Role and Reporting (Article 3(5))
- (f) Consistency with Other Frameworks (Article 3(6))
- (g) Independent Review and Audit (Article 3(7))
- (h) Explicit Contractual Principles (Article 3(8))
- Lifecycle of Contractual Arrangements (Article 4 RTS TPPol)
- Ex-Ante Risk Assessment (Article 5 RTS TPPol)
- Due Diligence (Article 6 RTS TPPol)
- Conflicts of Interest (Article 7 RTS TPPol)
- Contractual Clauses (Article 8 RTS TPPol)
- Monitoring of Contractual Arrangements (Article 9 RTS TPPol)
- Exit and Termination (Article 10 RTS TPPol)
- Entry into Force (Article 11 RTS TPPol)
Policy on the use of ICT services supporting critical or important functions
Position within the ICT Risk Management Framework (Article 28(2) DORA)
- As part of their ICT risk management framework, financial entities (other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises) must adopt and regularly review a strategy on ICT third-party risk.
- This ICT third-party risk strategy must include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
- The strategy and the policy must apply:
– on an individual basis, and
– where relevant, on a sub-consolidated and consolidated basis.
- The management body must regularly review the risks identified in contractual arrangements on the use of ICT services supporting critical or important functions, based on:
– the financial entity’s overall risk profile, and
– the scale and complexity of its business services.
Overall Risk Profile and Complexity (Article 1 RTS TPPol)
The policy must take into account the size and overall risk profile of the financial entity, and the nature, scale and complexity of its services, activities and operations, including at least:
(a) Type of ICT Services
- The type of ICT services included in the contractual arrangement on the use of ICT services supporting critical or important functions.
(b) Location of ICT Third-Party Service Provider or Parent
- The location of the ICT third-party service provider or its parent company.
(c) EU / Third-Country Location and Data Location
- Whether services are provided from within an EU Member State or a third country, including:
– the location from where services are provided, and
– the location where data is processed and stored.
(d) Nature of Data
- The nature of data shared with the ICT third-party service provider.
(e) Intra-Group or External Provider
- Whether the provider is part of the same group as the financial entity.
(f) Supervised / Non-Supervised Providers (EU)
- Whether providers are authorised, registered or supervised by an EU competent authority or under the DORA oversight framework, or not.
(g) Supervised / Non-Supervised Providers (Third Country)
- Whether providers are authorised, registered or supervised by a third-country supervisory authority, or not.
(h) Concentration of Services
- Whether ICT services supporting critical or important functions are concentrated with a single provider or a small number of providers.
(i) Transferability
- The transferability of the ICT services to another provider, including technology-specific constraints.
(j) Impact of Disruptions
- The potential impact of disruptions in the provision of ICT services supporting critical or important functions on:
– the continuity of the financial entity’s activities; and
– the availability of its services.
Group Application (Article 2 RTS TPPol)
- Where DORA applies on a sub-consolidated or consolidated basis, the parent undertaking responsible for group financial statements must ensure that:
– the policy is implemented consistently in all financial entities in the group; and
– the policy is adequate for the effective application of DORA at all relevant group levels.
Governance Arrangements (Article 3 RTS TPPol)
(a) Management Body Review (Article 3(1))
- The management body must review the policy at least once a year and update it where necessary.
- Changes must be implemented in a timely manner and as soon as possible within the relevant contractual arrangements.
- The financial entity must document the planned implementation timeline.
(b) Methodology for Critical or Important Functions (Article 3(2))
- The policy must establish or refer to a methodology for determining which ICT services support critical or important functions.
- It must specify when this assessment is conducted and when it is reviewed.
(c) Internal Responsibilities and Expertise (Article 3(3))
- The policy must clearly assign internal responsibilities for:
– approval,
– management,
– control, and
– documentation
of relevant contractual arrangements.
- It must ensure that the financial entity maintains appropriate skills, experience and knowledge to effectively oversee these arrangements.
(d) Assessment of Provider Resources (Article 3(4))
- Without prejudice to the financial entity’s final responsibility, the policy must require that ICT third-party service providers are assessed as having sufficient resources to ensure that the financial entity complies with all legal and regulatory requirements for the ICT services supporting critical or important functions.
(e) Senior Management Role and Reporting (Article 3(5))
- The policy must:
– clearly identify the role or member of senior management responsible for monitoring the contractual arrangements;
– specify how this role cooperates with control functions;
– define reporting lines to the management body, including:
- the nature of information to be reported;
- the documents to be provided;
- the frequency of reporting.
(f) Consistency with Other Frameworks (Article 3(6))
The policy must ensure that contractual arrangements are consistent with:
- the ICT risk management framework (Article 6 DORA);
- the information security policy (Article 9(4) DORA);
- the ICT business continuity policy (Article 11 DORA);
- the incident reporting requirements (Article 19 DORA).
(g) Independent Review and Audit (Article 3(7))
- The policy must require that ICT services supporting critical or important functions are subject to independent review and are included in the audit plan.
(h) Explicit Contractual Principles (Article 3(8))
The policy must explicitly specify that contractual arrangements:
- do not relieve the financial entity or its management body of regulatory obligations and responsibilities to clients;
- do not prevent effective supervision, nor contravene supervisory restrictions;
- require ICT third-party service providers to cooperate with competent authorities;
- require that the financial entity, its auditors, and competent authorities have effective access to data and premises relating to the ICT services supporting critical or important functions.
Lifecycle of Contractual Arrangements (Article 4 RTS TPPol)
The policy must set requirements (rules, responsibilities, processes) for all main phases of the contractual lifecycle, covering at least:
(a) Management Body Responsibilities
- The involvement of the management body in decision-making on the use of ICT services supporting critical or important functions.
(b) Planning and Approval
- Planning of contractual arrangements, including:
– risk assessment;
– due diligence (Articles 5 and 6 RTS TPPol);
– approval processes for new or materially changed arrangements (Article 8(4) RTS TPPol).
(c) Involvement of Business and Control Functions
- Involvement of business units, internal control functions and other relevant units.
(d) Implementation, Monitoring and Management
- Implementation, monitoring and management of contractual arrangements (Articles 7, 8 and 9), including at consolidated and sub-consolidated level where applicable.
(e) Documentation and Record-Keeping
- Documentation and record-keeping, taking into account the requirements of the Register of Information under Article 28(3) DORA.
(f) Exit Strategies and Termination
- Exit strategies and termination processes in line with Article 10 RTS TPPol.
Ex-Ante Risk Assessment (Article 5 RTS TPPol)
(a) Definition of Business Needs (Article 5(1))
- The policy must require that business needs are defined before concluding a contractual arrangement.
(b) Risk Assessment at Entity and Group Level (Article 5(2))
- The policy must require that a risk assessment is conducted:
– at financial-entity level; and
– where applicable, at consolidated and sub-consolidated level.
- The assessment must consider all relevant DORA and sectoral requirements and must address risks arising from the provision of ICT services supporting critical or important functions, including:
– operational risks,
– legal risks,
– ICT risks,
– reputational risks,
– risks linked to confidential or personal data protection,
– risks linked to data availability,
– risks linked to the location where data is processed and stored,
– risks linked to the location of the ICT third-party service provider,
– ICT concentration risks at entity level.
Due Diligence (Article 6 RTS TPPol)
(a) Selection and Assessment Process (Article 6(1))
- The policy must set an appropriate and proportionate process for selecting and assessing prospective ICT third-party service providers, taking into account intra-group vs external providers.
- Before entering a contractual arrangement, the policy must require an assessment of whether the provider:
– has the business reputation, abilities, expertise, and adequate financial, human and technical resources, information security standards, organisational structure, risk management and internal controls, and required authorisations/registrations;
– can monitor technological developments and identify and implement ICT security leading practices;
– uses or intends to use sub-contractors for critical or important ICT services;
– is located, or processes/stores data, in a third country and how this affects operational/reputational risks or exposure to restrictive measures, sanctions, embargos;
– consents to contractual arrangements enabling effective audits, including on-site, by the financial entity, appointed third parties and competent authorities;
– acts in an ethical and socially responsible manner, respects human and children’s rights (including prohibition of child labour), respects environmental protection principles and ensures appropriate working conditions.
(b) Required Level of Assurance (Article 6(2))
- The policy must specify the required assurance level on the effectiveness of the provider’s risk management framework for the ICT services.
- Due diligence must include an assessment of risk mitigation and business continuity measures and how they function within the provider.
(c) Evidence for Assurance (Article 6(3)–(4))
- The policy must determine the due diligence process and indicate which of the following elements are used for assurance:
– audits/independent assessments by or on behalf of the financial entity;
– independent audit reports provided by the provider;
– internal audit reports of the provider;
– third-party certifications;
– other relevant information available or provided.
- The policy must ensure an appropriate level of assurance, and where appropriate, more than one of these elements must be used.
Conflicts of Interest (Article 7 RTS TPPol)
(a) Identification, Prevention and Management
- The policy must specify measures to identify, prevent and manage actual or potential conflicts of interest arising from the use of ICT third-party service providers, before entering contractual arrangements, and provide for ongoing monitoring of such conflicts.
(b) Intra-Group Conditions
- Where ICT intra-group service providers are used, the policy must specify that decisions on conditions, including financial conditions, are to be taken objectively.
Contractual Clauses (Article 8 RTS TPPol)
(a) Written Form and Mandatory Content (Article 8(1))
- The policy must specify that contractual arrangements:
– are in written form; and
– include all elements referred to in Article 30(2) and (3) DORA, as well as requirements under Article 1(1)(a) DORA and other relevant Union/national law.
(b) Audit and Testing Rights (Article 8(2))
The policy must require that arrangements include rights to:
- access information;
- carry out inspections and audits;
- perform tests on ICT, using at least:
– internal or third-party audits;
– pooled audits and pooled ICT testing (including TLPT) with other contracting financial entities;
– third-party certifications, where appropriate;
– internal or third-party audit reports made available by the provider.
(c) Limits on Reliance on Certifications/Audit Reports (Article 8(3))
- The financial entity shall not rely solely over time on certifications or third-party audit reports.
- The policy may permit such reliance only where the financial entity:
– is satisfied with the provider’s audit plan;
– ensures the scope covers key systems/controls and regulatory requirements;
– continuously assesses the content and validity (no obsolete reports);
– ensures key systems/controls remain covered in future versions;
– is satisfied with the competence of certifying/auditing parties;
– is satisfied that certifications/audits follow widely recognised standards and test operational effectiveness;
– has contractual rights to request scope modifications;
– has contractual rights to perform individual and pooled audits and executes those rights with a risk-based frequency.
(d) Changes and Renewal (Article 8(4))
- The policy must ensure that material changes to contractual arrangements are formalised in dated and signed written documents, and must specify the renewal process.
Monitoring of Contractual Arrangements (Article 9 RTS TPPol)
(a) KPIs, Measures and SLAs (Article 9(1))
- The policy must require that contractual arrangements specify measures and key indicators to monitor provider performance on an ongoing basis, including:
– confidentiality, availability, integrity and authenticity of data;
– compliance with the financial entity’s policies and procedures;
– measures where SLAs are not met, including contractual penalties where appropriate.
(b) Performance Assessment (Article 9(2))
- The policy must specify how the financial entity assesses whether providers meet appropriate performance and quality standards, ensuring:
– provision of appropriate reports by the provider (periodic, incident, service delivery, ICT security, business continuity/testing);
– assessment via KPIs, KCIs, audits, self-certifications and independent reviews in line with the ICT RMF;
– receipt of other relevant information;
– notification, where appropriate, of ICT-related incidents and operational or security payment incidents;
– performance of independent reviews and audits verifying compliance with legal, regulatory and policy requirements.
(c) Documentation and Risk Assessment (Article 9(3))
- The policy must require that the assessment results are documented and used to update the risk assessment.
(d) Measures for Shortcomings (Article 9(4))
- The policy must establish appropriate measures where shortcomings are identified, including incidents or non-compliance.
- It must specify how implementation of such measures is monitored and complied with within a defined timeframe, taking into account the materiality of the shortcomings.
Exit and Termination (Article 10 RTS TPPol)
- The policy must require a documented exit plan for each contractual arrangement and periodic review and testing of the plan.
- The exit plan must consider:
– unforeseen and persistent service interruptions;
– inappropriate or failed service delivery;
– unexpected termination of the arrangement.
- The exit plan must be realistic, feasible, based on plausible scenarios and reasonable assumptions, and must have a planned implementation schedule compatible with contractual exit and termination terms.
Entry into Force (Article 11 RTS TPPol)
- The RTS on the policy enter into force on the twentieth day following publication in the Official Journal and are binding in their entirety and directly applicable in all Member States.