Policy regarding the use of ICT services

Purpose of the Requirement

The policy regarding the use of ICT services defines the principles, rules, criteria and governance mechanisms under which a financial entity engages, uses, manages and oversees ICT services provided by ICT third-party service providers.
It is a mandatory governance instrument aimed at ensuring that the outsourcing or external procurement of ICT services:

  • remains aligned with the financial entity’s ICT risk management framework,
  • safeguards operational resilience, security and regulatory compliance,
  • preserves the financial entity’s full responsibility over outsourced functions.

The policy must form an integral component of the ICT governance framework and must be explicitly approved, overseen and periodically reviewed by the management body.


Scope of Application

The policy applies to:

  • all ICT services obtained from ICT third-party service providers, including cloud, hosting, network, software, hardware, platform and managed ICT security services;
  • all contractual arrangements, whether they support critical or important functions (CIFs) or non-CIF services;
  • intragroup ICT service providers, where relevant;
  • subcontractors (“fourth parties”) engaged by ICT third-party service providers;
  • legacy ICT services and newly onboarded services;
  • the end-to-end lifecycle of the relationship (assessment → onboarding → monitoring → renewal → exit).

The policy must be proportionate to the financial entity’s size, risk profile and the materiality/criticality of the ICT services used.


Mandatory Components

Governance, Responsibilities and Oversight

The policy must establish:

  • clear roles and responsibilities for ICT, procurement, legal, risk management, information security, operational resilience, business continuity and internal audit;
  • management body accountability, including approval of the policy, oversight of implementation, and periodic review;
  • decision-making thresholds for onboarding ICT services supporting critical or important functions;
  • independence requirements for assurance functions (risk, compliance, internal audit).

Conditions and Criteria for the Use of ICT Services

The policy must define:

  • objective criteria to determine whether a service constitutes a critical or important function (CIF) per Article 28(2) DORA;
  • requirements for risk assessments prior to onboarding, including ICT, operational, legal, concentration, geographical, subcontracting and exit risks;
  • minimum security, resilience and compliance requirements expected from ICT providers, aligned with Articles 9–12 DORA;
  • criteria for acceptable and prohibited service models (e.g., specific cloud deployment models, private vs. public connectivity);
  • requirements for data residency, data processing locations and cross-border transfer risks.

Contractual Requirements and Mandatory Clauses

The policy must mandate that all ICT contracts comply with:

  • Articles 30–31 DORA,
  • the RTS on ICT Third-Party Risk Management, including:
    • description of services,
    • service levels and KPIs,
    • security and resilience measures,
    • incident reporting obligations,
    • audit and access rights,
    • subcontracting conditions and approval processes,
    • exit plans and data portability,
    • termination rights and triggers.

Where services support critical or important functions, enhanced contractual requirements apply.


Ongoing Oversight, Monitoring and Performance Management

The policy must define:

  • procedures for continuous monitoring of ICT third-party performance, resilience, security, availability, latency, SLA adherence and compliance;
  • integration with incident detection and reporting obligations under Articles 17–19 DORA;
  • requirements for periodic risk reassessments, including concentration and geopolitical risks;
  • escalation and remediation processes for deteriorating service quality or repeated incidents;
  • mandatory reporting to senior management and the management body on material exposures.

Subcontracting (Fourth-Party) Oversight

The policy must state:

  • rules governing the use of subcontractors by ICT third-party service providers;
  • approval criteria for subcontracting of services supporting critical or important functions;
  • transparency obligations, including notification of changes in subcontracting chains;
  • risk assessments triggered by subcontracting changes.

Exit Strategies and Transition Planning

The policy must include:

  • requirements for exit plans, including data extraction, system transition, alternative providers and in-house fallback options (Article 28(8) DORA; Article 10 RTS TPPol);
  • testing and periodic review of exit strategies;
  • requirements to ensure continuity of critical or important functions during and after provider offboarding.

Interdependencies with Other DORA Requirements

The policy must be fully aligned with:

  • ICT risk management framework (Article 6 DORA),
  • Digital operational resilience strategy (Article 6(8) DORA),
  • Identification and classification of ICT assets (Article 8 DORA),
  • Protection and prevention measures (Articles 9–12 DORA),
  • ICT incident management (Article 17 DORA),
  • ICT business continuity and recovery (Articles 11, 24–26 RTS RMF),
  • ICT third-party risk management obligations (Articles 28–31 DORA),
  • Testing of ICT services supplied by ICT third parties (Article 25 RTS RMF).

The policy must also integrate with:

  • procurement and vendor management procedures,
  • information security management system (ISMS),
  • the business continuity management framework,
  • internal audit strategies.

Documentation Requirements

The policy must:

  • be formally documented, version-controlled and approved by the management body;
  • reference applicable laws, regulations, RTS and internal requirements;
  • provide a clear taxonomy of ICT services and criticality classifications;
  • include detailed procedural appendices (e.g., onboarding checklists, risk assessment templates, SLA monitoring rules, audit rights procedures);
  • specify the documentation obligations of ICT providers (reports, certifications, attestations, audit evidence);
  • ensure full traceability of decisions, assessments and approvals throughout the provider lifecycle.

Governance, Review and Audit

The policy must be:

  • periodically reviewed by the management body (Article 5(2)(h) DORA),
  • assessed against regulatory changes, ICT risk developments and resilience needs,
  • subject to independent internal audit reviews as part of the ICT audit plan,
  • enforced through control mechanisms ensuring compliance across all business units.

Internal audit must evaluate:

  • effectiveness of policy implementation,
  • adequacy of monitoring and oversight controls,
  • completeness and accuracy of inventories of ICT third-party services,
  • adequacy of exit plans, subcontracting oversight and risk assessment practices.
