Strategy on ICT third-party risk

Integration into the ICT Risk Management Framework (Article 28(2) DORA)

  • The strategy on ICT third-party risk forms a mandatory component of the financial entity’s ICT risk management framework.
  • The strategy must be adopted and regularly reviewed by the financial entity.

Scope of Application (Article 28(2) DORA)

  • The requirement applies to all financial entities, except:
    – the entities referred to in Article 16(1), first subparagraph, and
    – microenterprises.
  • The strategy must apply:
    – on an individual basis, and
    – where relevant, on a sub-consolidated and consolidated basis.

Mandatory Content Elements (Article 28(2) DORA)

Incorporation of the Multi-Vendor Strategy

Where applicable, the strategy must take into account the ICT multi-vendor strategy referred to in Article 6(9).
Policy on Use of ICT Services Supporting Critical or Important Functions

The strategy must include a policy governing the use of ICT services that support critical or important functions when such services are provided by ICT third-party service providers.
Management Body Oversight

The management body must regularly review the risks identified in relation to contractual arrangements for the use of ICT services supporting critical or important functions.
Such review must be conducted:

  • on the basis of an assessment of the overall risk profile of the financial entity, and
  • in consideration of the scale and complexity of the business services.

Article 28(2) DORA