My favourites

Chapter V – Managing of ICT third-party risk (Art. 28-44)

Art. 28 DORA - General principles arrow_right_alt

Art. 29 DORA - Preliminary assessment of ICT concentration risk at entity level arrow_right_alt

  1. When performing the identification and assessment of risks referred to in Article 28(4), point (c), financial entities shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following:
    1. contracting an ICT third-party service provider that is not easily substitutable; or
    2. having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.

Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.

  1. Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.

Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.

Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.

Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

Art. 30 DORA - Key contractual provisions arrow_right_alt

Art. 31 DORA - Designation of critical ICT third-party service providers arrow_right_alt

Art. 32 DORA - Structure of the Oversight Framework arrow_right_alt

Art. 33 DORA - Tasks of the Lead Overseer arrow_right_alt

Art. 34 DORA - Operational coordination between Lead Overseers arrow_right_alt

Art. 35 DORA - Powers of the Lead Overseer arrow_right_alt

Art. 36 DORA - Exercise of the powers of the Lead Overseer outside the Union arrow_right_alt

Art. 37 DORA - Request for information arrow_right_alt

Art. 38 DORA - General investigations arrow_right_alt

Art. 39 DORA - Inspections arrow_right_alt

Art. 40 DORA - Ongoing oversight arrow_right_alt

Art. 41 DORA - Harmonisation of conditions enabling the conduct of the oversight activities arrow_right_alt

Art. 42 DORA - Follow-up by competent authorities arrow_right_alt

Art. 43 DORA - Oversight fees arrow_right_alt

Art. 44 DORA - International cooperation arrow_right_alt