Managing ICT providers is now a legal requirement for financial institutions under the EU Digital Operational Resilience Act (DORA), effective January 17, 2025. Here's a quick guide to help you comply:
What You Need to Do:
- Create a register of all ICT providers, including critical and non-critical ones.
- Document key details like provider identification, services, risks, contracts, and subcontractors.
- Submit the register to your national competent authority, which forwards it to the European Supervisory Authorities (ESAs). The ESAs set April 30, 2025 as the date for the first collection from competent authorities, so check the (possibly earlier) submission date your own authority has set.
- Update the register annually and whenever major changes occur.
Why It Matters:
- Non-compliance is penalised under national law: DORA leaves the administrative penalties for financial entities to the Member States, so the often-quoted "2% of global turnover" is not a figure from the regulation itself. For critical ICT providers, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover.
- Helps manage risks, improve oversight, and support regulatory audits.
How to Get Started:
- Use structured templates to record provider details.
- Automate data management with tools like DORApp to save time and ensure accuracy.
- Regularly test exit plans and monitor provider performance.
How to Comply with the DORA Register of Information: A Step ...
DORA ICT Register Rules
DORA requires organizations to maintain detailed records of ICT third-party providers. These records help manage risks and ensure compliance while supporting oversight and operational resilience.
Required Data Fields
For each ICT provider, you need to document the following:
Category | Details to Include |
---|---|
Provider Identification | Legal name, registration number, and contact details. |
Service Information | Description of ICT services provided, including whether they are critical or non-critical. |
Risk Assessment | Security measures in place and an evaluation of potential risks. |
Contractual Details | Contract references, service level agreements, and emergency response provisions. |
Make sure the data is accurate and regularly reviewed to stay compliant.
Update and Report Schedule
To meet DORA's requirements, follow these timelines:
- Initial Submission Deadline: Submit the complete ICT provider register to your competent authority by the date it sets; the European Supervisory Authorities collect the registers from competent authorities by April 30, 2025.
- Annual Updates: Review and update the register every year, and additionally whenever there are major changes in provider relationships.
- Documentation Standards: Keep the register in a secure and easily accessible format to simplify audits and inspections.
Finding and Ranking ICT Providers
To comply with DORA mandates, it's crucial to build and rank a list of ICT providers. This ensures proper oversight and helps manage risks effectively.
Making a Provider List
Start by identifying all providers that are essential to your operations and data integrity. Include both direct providers and subcontractors to get a full view of your ICT supply chain.
Here’s a step-by-step approach:
- Review Core Financial Operations: Focus on critical systems like transaction processing platforms, core banking software, cloud storage services, and security tools.
- Document Service Categories: Use a structured format to capture details about each service.
Service Category | Details |
---|---|
Core Systems | Functions, volumes, and data types |
Support Services | Maintenance schedules and response times |
Data Management | Storage locations and backup facilities |
Security Services | Protection measures and incident response |
- Map Dependencies: Highlight the connections between services and note any subcontracted providers.
Once your list is complete, it’s time to evaluate and rank providers based on their importance to your operations.
Rating Provider Importance
To assess a provider's impact, consider these factors:
Assessment Criteria | Evaluation Metrics |
---|---|
Systemic Impact | Number of dependent entities and asset value |
Service Criticality | Effect on operations and alternative options |
Data Sensitivity | Types of data processed and security needs |
Operational Integration | Integration with critical systems |
Key points to keep in mind include:
- How many global or other systemically important institutions (G-SIIs or O-SIIs) depend on the provider
- The complexity of switching providers
- Dependencies through subcontractors
- The provider's market position and availability of alternatives
The European Commission was required to adopt, by July 17, 2024, a delegated act specifying further criteria for designating critical ICT providers, and has since done so. Check the criteria in force when you rank providers so that your evaluations stay aligned with the regulation.
Recording Provider Data
After ranking ICT providers, gather and document key details to create a DORA-compliant register.
Contract and Service Records
Start by recording contractual commitments before diving into risk-specific details. Capture all agreements with ICT providers, focusing on the following:
Contract Element | Details to Include |
---|---|
Service Details | Scope, delivery locations, performance metrics |
Data Processing | Storage locations, data types, protection measures |
Operational Terms | Service levels, reporting obligations, contingency plans |
Compliance Requirements | Audit rights, testing participation, security standards |
Be sure to outline data protection measures (availability, integrity, confidentiality), recovery procedures, service locations, and required notice periods.
Risk and Subcontractor Data
Next, document risk profiles and subcontractor information to ensure a clear view of the supply chain.
Risk Category | Details to Document |
---|---|
Risk Assessment | Provider risk level, impact analysis, mitigation measures |
Subcontractor Details | Service chain mapping, compliance checks, audit rights |
Security Measures | Controls, incident response plans, testing results |
Performance Monitoring | KPIs, service level achievements, incident history |
Key actions include:
- Using DORA-specific questionnaires to assess provider compliance
- Keeping a risk register to track and manage remediation efforts
- Logging the complete subcontracting chain with associated audit rights
- Noting any significant changes in subcontracting arrangements
Contracts should ensure your organization has the same rights of access, inspection, and audit across the entire subcontracting chain as with the primary ICT provider.
For critical or important functions, include:
- Detailed service-level descriptions
- Business contingency plans
- Security measure details
- Penetration testing participation requirements
- Documentation of unrestricted access and audit rights
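As an added example (not from the original post, and not DORApp's code), here is a small Python model of the points in this section: it validates each provider's Legal Entity Identifier with the ISO 7064 MOD 97-10 check that a LEI carries, walks each register entry's subcontracting chain, reports the first hop at which access and audit rights stop flowing down, and lists the contract elements that are missing for a critical or important function. Provider names, LEIs (generated at run time from made-up prefixes) and contract flags are constructed sample data, and the field names are this example's own rather than the ITS template's.

```python
"""Register-of-information checks: LEI validation, subcontracting-chain walk,
audit-right propagation and critical-function contract completeness.
All providers, LEIs and contract flags below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

LEI_ALPHABET = frozenset("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def _mod97(s: str) -> int:
    # ISO 7064 MOD 97-10: expand letters to numbers (A=10 ... Z=35), reduce mod 97.
    return int("".join(str(int(c, 36)) for c in s)) % 97


def lei_check_digits(prefix18: str) -> str:
    """Compute the two ISO 17442 check digits for an 18-character LEI prefix."""
    prefix18 = prefix18.upper()
    if len(prefix18) != 18 or not set(prefix18) <= LEI_ALPHABET:
        raise ValueError("LEI prefix must be 18 characters from 0-9A-Z")
    return f"{98 - _mod97(prefix18 + '00'):02d}"


def lei_is_valid(lei: str) -> bool:
    """A well-formed LEI is 20 characters from 0-9A-Z with MOD 97-10 residue 1."""
    lei = lei.upper()
    return len(lei) == 20 and set(lei) <= LEI_ALPHABET and _mod97(lei) == 1


@dataclass
class Provider:
    name: str
    lei: str
    # (downstream provider, whether our access/audit rights are passed down to it)
    subcontracts: List[Tuple["Provider", bool]] = field(default_factory=list)


@dataclass
class RegisterEntry:
    function: str                  # business function the ICT service supports
    critical_or_important: bool
    provider: Provider             # direct (tier-1) ICT provider
    contract_ref: str
    audit_rights: bool             # unrestricted access/inspection/audit at tier 1
    sla_defined: bool = False
    contingency_plan: bool = False
    security_measures: bool = False
    pentest_participation: bool = False


# Contract elements the text above requires for critical or important functions.
CRITICAL_FUNCTION_ELEMENTS = {
    "sla_defined": "detailed service-level description",
    "contingency_plan": "business contingency plan",
    "security_measures": "security measure details",
    "pentest_participation": "penetration testing participation",
}


def walk_chain(p: Provider, rights_ok: bool, depth: int = 1,
               seen=None) -> Iterator[Tuple[int, Provider, bool]]:
    """Depth-first walk of the subcontracting chain. rights_ok turns False at the
    first hop that does not pass audit rights on and stays False below it."""
    seen = set() if seen is None else seen
    if p.name in seen:             # cycle / diamond guard: visit each provider once
        return
    seen.add(p.name)
    yield depth, p, rights_ok
    for sub, passes_rights in p.subcontracts:
        yield from walk_chain(sub, rights_ok and passes_rights, depth + 1, seen)


def review_entry(e: RegisterEntry) -> List[str]:
    """Return human-readable findings for one register entry (empty list = clean)."""
    findings = []
    for depth, p, rights_ok in walk_chain(e.provider, e.audit_rights):
        if not lei_is_valid(p.lei):
            findings.append(f"tier {depth} {p.name}: invalid LEI {p.lei}")
        if not rights_ok:
            findings.append(f"tier {depth} {p.name}: audit/access rights do not reach this provider")
    if e.critical_or_important:
        for attr, label in CRITICAL_FUNCTION_ELEMENTS.items():
            if not getattr(e, attr):
                findings.append(f"contract {e.contract_ref}: missing {label}")
    return findings


def review_register(entries: List[RegisterEntry]) -> Dict[str, List[str]]:
    return {e.function: review_entry(e) for e in entries}


def build_sample_register() -> List[RegisterEntry]:
    """Constructed sample: a core banking SaaS hosted by a cloud provider that in
    turn subcontracts object storage without passing audit rights on."""
    def good(prefix: str) -> str:          # made-up prefix + correct check digits
        return prefix + lei_check_digits(prefix)
    storage_lei = good("529900T8BM49AURSDO")
    # Corrupting one check digit guarantees the MOD 97-10 residue is no longer 1.
    broken_lei = storage_lei[:-1] + ("0" if storage_lei[-1] != "0" else "1")
    storage = Provider("ObjectStore Ltd", broken_lei)
    host = Provider("CloudHost BV", good("213800ABCDEFGHIJ12"), [(storage, False)])
    saas = Provider("CoreBank SaaS GmbH", good("5493001KJTIIGC8Y1R"), [(host, True)])
    payroll = Provider("Payroll Portal SA", good("7LTWFZYICNSX8D621K"))
    return [
        RegisterEntry("Core banking", True, saas, "CTR-2025-001", audit_rights=True,
                      sla_defined=True, security_measures=True, pentest_participation=True),
        RegisterEntry("HR payroll portal", False, payroll, "CTR-2025-017", audit_rights=True),
    ]


if __name__ == "__main__":
    for function, findings in review_register(build_sample_register()).items():
        print(function, "->", findings or "no findings")
```

Running the block reports, for the core banking entry, that the tier-3 storage provider has an invalid LEI and is outside the reach of your audit rights (the hosting subcontract did not pass them on), and that the primary contract lacks a business contingency plan; the non-critical payroll entry comes back clean. The chain walk visits each provider once, so a subcontractor shared by two branches or a circular arrangement does not loop.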
Software Tools for Register Management
Automated tools simplify managing data and documentation for ICT providers, making it easier to meet DORA requirements.
DORApp Features
DORApp is designed to handle ICT provider management with automation, ensuring compliance with DORA. Here's what it offers:
Feature Category | Capabilities |
---|---|
Provider Management | Automatic discovery, classification, and mapping of relationships |
Risk Assessment | Pre-built DORA-aligned questionnaires, risk scoring, and gap analysis |
Documentation | Contract management, audit trails, and automated report generation |
Compliance Monitoring | Real-time updates, automated checks, and alignment with regulatory standards |
The platform significantly reduces setup time - from 8 hours to just 1.5 hours for 10 ICT services. This improvement is thanks to automated data transfers and integrated relationship mapping, which ensure updates to provider information are instantly reflected across all related records.
"We created the DORA Register because we believe that error-free management of ICT suppliers and constant access to up-to-date reports and contracts ensure compliance with DORA." - DORA Register of Information
These features make the setup process both efficient and straightforward.
Register Setup Guide
Here's how to set up your ICT provider register using DORApp:
- Initial Configuration: Start by setting up security measures like two-factor authentication and user roles. Tailor access permissions to fit your organization's structure.
- Provider Import: Use the automated import tool to transfer existing provider data. The system enriches entries with public data, such as Legal Entity Identifier (LEI) information, to improve accuracy.
- Classification Setup: Follow DORA-specific criteria from RTS 85, which includes 19 ICT service categories, to correctly classify providers. The platform offers guidance throughout.
- Monitoring Configuration: Configure automated alerts and checks for important tasks like contract renewals, compliance document updates, and risk assessments.
The system keeps detailed audit trails and generates DORA-compliant reports with just one click. Regular updates ensure the platform stays aligned with changing DORA regulations, so you won't have to track them manually.
Register Updates and Monitoring
Keeping your ICT third-party provider register up to date is crucial for meeting DORA compliance. A structured schedule helps ensure everything stays on track.
Regular Update Process
Having a clear process in place ensures provider details and risk assessments meet DORA's standards.
Update Type | Frequency | Key Actions |
---|---|---|
Provider Data Review | Every 6 months | Check contact details, services, and contracts. |
Risk Assessment | Annual | Assess provider performance and new risks. |
Exit Plan Testing | Annual | Test and refine transition procedures. |
Tools like DORApp can help by automating notifications for reviews and flagging changes in provider status. These updates ensure you're always prepared for audits.
Audit Preparation
Comprehensive documentation is essential for a smooth audit process. Here’s what to focus on:
- Documentation Management: Keep records of provider interactions, service updates, incidents, and performance metrics. Tools like DORApp can track changes and approvals to maintain a clear audit trail.
- Contract Oversight: Pay close attention to resilience requirements, SLAs, and security measures.
"DORA sets high expectations for contracts between financial institutions and ICT service providers. Agreements must clearly define resilience requirements, including service-level agreements (SLAs), security measures, and accountability clauses."
- Testing and Validation: Regularly test provider resilience, document the outcomes, and update exit plans as needed.
Reporting tools can simplify audit preparation by generating documentation that proves compliance. With real-time monitoring, you can quickly provide accurate information to auditors about your provider relationships.
Summary
A DORA-compliant ICT third-party provider register plays a key role in maintaining operational resilience and meeting regulatory requirements. With the average cost of data breaches estimated at $4.8 million in 2024, managing providers effectively is critical. A well-maintained register keeps track of provider contracts, evaluates risks regularly, and includes clear exit strategies. Using automated tools can make these tasks much easier.
DORApp offers features that simplify compliance efforts:
Feature | Benefit |
---|---|
Automated Monitoring | Tracks compliance in real-time |
Data Enrichment | Ensures accurate provider information |
Audit Trail | Simplifies regulatory reporting |
Secure Storage | Maintains data compliance standards |
Penalties for failing to comply with DORA are set at national level and can be substantial. Beyond the register itself, DORA also expects you to be:
- Reporting ICT incidents promptly
- Performing annual resilience tests
- Engaging in threat intelligence sharing
- Maintaining continuous monitoring systems