The Digital Operational Resilience Act
TPRM in DORA
The Digital Operational Resilience Act (DORA)
Regulation (EU) 2022/2554 and TPRM
Krishnaprasad SV
learn with kp CISA, CDPSE, ISMS LA, CSA STAR Auditor
11-03-2024
Document Introduction
In the initial publication on DORA, an introduction to DORA Compliance was provided along with a summary of the final
In this follow-up, the focus is specifically on Chapter V of the Regulation, "Managing of ICT third-party risk", which
sets out the requirements for ICT third-party risk management (TPRM) within DORA.
The chapter contains 17 articles (Articles 28 to 44). Selected articles are briefly summarized below as a condensed
overview. For a complete understanding, readers should refer to the final text of the Regulation, linked in the reference section.
To enhance clarity, an additional section detailing abbreviations and their meanings used in the document has been
Important: As this is an attempt to decode the final text of the Articles as a summary, there is room for enhancing
• Oversight and Accountability: Designate specific personnel responsible for overseeing and being accountable for
TPRM within financial entities.
• Due Diligence: Conduct thorough evaluations of third parties' cybersecurity risk profiles both before entering into
contracts and periodically thereafter. Assess factors such as technical capabilities, security controls, and incident
response preparedness.
• Contractual Requirements: Incorporate clauses into contracts that mandate third parties to adhere to specified
security standards and practices.
• Monitoring and Evaluation: Continuously monitor third-party activities and assess their performance to ensure
compliance with agreed-upon standards. Regularly review and address emerging risks.
• Termination Rights: Maintain the authority to terminate contracts with third parties that fail to comply with security
requirements.
• Incident Planning: Collaborate with third parties to develop and implement response and recovery plans for
addressing ICT security incidents effectively.
Managing of ICT third-party risk - Articles
Chapter V, "Managing of ICT third-party risk", establishes the requirements for managing the risks that financial entities
incur through third-party providers of information and communication technology (ICT) services, and sets up the
Oversight Framework that applies to providers designated as critical.
The chapter comprises the following 17 articles:
• Article 28, General principles
• Article 29, Preliminary assessment of ICT concentration risk at entity level
• Article 30, Key contractual provisions
• Article 31, Designation of critical ICT third-party service providers
• Article 32, Structure of the Oversight Framework
• Article 33, Tasks of the Lead Overseer
• Article 34, Operational coordination between Lead Overseers
• Article 35, Powers of the Lead Overseer
• Article 36, Exercise of the powers of the Lead Overseer outside the Union
• Article 37, Request for information
• Article 38, General investigations
• Article 39, Inspections
• Article 40, Ongoing oversight
• Article 41, Harmonisation of conditions enabling the conduct of the oversight activities
• Article 42, Follow-up by competent authorities
• Article 43, Oversight fees
• Article 44, International cooperation
Abbreviations and terminology
The following abbreviations and terms are used throughout the rest of this document and should be understood before reading the article summaries.
Summary of TPRM in DORA Articles
Article 30, Key contractual provisions
The rights and obligations of the financial entity and of the ICT third-party service provider must be set out in a written
contract, including the service level agreements. At a minimum, the contract must describe the functions and ICT services
provided, the locations where services are delivered and data is processed, the measures protecting the availability,
integrity and confidentiality of data, the termination rights and notice periods, and the provider's obligation to cooperate
with the competent authorities. Where the ICT service supports a critical or important function, the contract must
additionally contain full service level descriptions with quantitative and qualitative performance targets, reporting
obligations, business continuity and ICT security requirements, rights of access, inspection and audit, and exit strategies
with an adequate transition period. The ESAs will develop regulatory technical standards specifying the elements a
financial entity must assess when ICT services supporting critical or important functions are subcontracted, taking into
account the size and risk profile of financial entities, and submit them to the Commission for adoption.
Article 34, Operational coordination between Lead Overseers
To ensure a consistent approach to oversight and coordinated action, the three Lead Overseers designated under
Article 31(1), point (b), establish a Joint Oversight Network (JON). The network coordinates the preparatory stages and
the conduct of oversight activities over critical ICT third-party service providers, and coordinates any actions that become
necessary under Article 42. The Lead Overseers adopt a common oversight protocol setting out the detailed procedures for
day-to-day coordination and for prompt exchange of information. The ECB and ENISA may be invited, on an ad-hoc basis,
to provide technical advice or to participate in coordination meetings.
Article 36, Exercise of the powers of the Lead Overseer outside the Union
Where the oversight objectives cannot be achieved by interacting with the subsidiary that a critical provider established in
the Union under Article 31(12), the Lead Overseer may exercise its powers on premises located in a third country if it
considers this necessary. Doing so requires the consent of the relevant third-country authority and a cooperation
arrangement between the ESA concerned (EBA, ESMA or EIOPA) and that authority. Where oversight outside the Union
cannot be carried out, the Lead Overseer must base its decisions on the information available to it and must state in its
recommendations how the lack of access affected them.
Article 38, General investigations
To carry out its duties under the Regulation, the Lead Overseer, assisted by the joint examination team, may conduct
investigations of critical ICT third-party service providers. This includes examining records, data and procedures,
interviewing representatives and staff, and requesting records of telephone and data traffic. Officials taking part must be
authorized in writing, with the authorization specifying the subject matter and purpose of the investigation and the
penalties for non-compliance. Representatives of the provider are obliged to submit to investigations ordered by decision
of the Lead Overseer; that decision also states the penalties and the right to have it reviewed by the Court of Justice.
Before starting an investigation, the Lead Overseer must inform the relevant competent authorities and share the relevant
information with the joint examination team to ensure transparency and coordination.
Article 40, Ongoing oversight
During oversight activities, the Lead Overseer is supported by a joint examination team consisting of ESA and competent
authority staff. This team assesses critical ICT third-party service providers. Recommendations are made within three
months of investigations and shared with the provider and relevant financial entity authorities. Third-party certifications
and audit reports may be considered during oversight.
Article 41, Harmonization of conditions enabling the conduct of the oversight activities
The ESAs will develop technical standards specifying:
• the information an ICT third-party service provider must supply when applying for designation as critical;
• the content, structure and format of the information required for oversight;
• the composition and tasks of the joint examination teams;
• the criteria for assessing the measures a provider takes following oversight recommendations.
These standards are to be submitted to the Commission for adoption by 17 July 2024.
Article 42, Follow-up by competent authorities
Within 60 calendar days of receiving the Lead Overseer's recommendations, a critical ICT third-party service provider
must notify the Lead Overseer whether it intends to follow them or, if not, provide a reasoned explanation. Failure to
respond, or an inadequate explanation, may lead the Lead Overseer to publicly disclose the non-compliance. The Lead
Overseer informs the competent authorities, which in turn inform the financial entities concerned of the risks identified.
Where a financial entity continues to use a service despite those risks, the competent authority may require it to
temporarily suspend the use or deployment of that service, in part or in full, or to terminate the contractual arrangement.
The Lead Overseer may issue a non-binding opinion to promote a consistent response across authorities. Before acting,
competent authorities consider the gravity of the non-compliance and give financial entities adequate time to adjust their
contractual arrangements. Decisions taken are notified to the Oversight Forum and to the Joint Oversight Network.
Critical providers must cooperate with the financial entities affected. Competent authorities report the supervisory
actions they have taken to the Lead Overseer, which may provide further guidance where needed.
Article 44, International cooperation
EBA, ESMA, and EIOPA may establish administrative arrangements with third-country authorities to enhance cooperation
on ICT third-party risk. They'll periodically report to the European Parliament, Council, and Commission on discussions
with these authorities, focusing on risk evolution and its implications.
For more comprehensive understanding, it is recommended to refer to the Final Text document,
link provided in the reference section.
References
Links (URL)
• https://www.digital-operational-resilience-act.com/
• https://www.dora-info.eu/ (web version of the original legal text of the Digital Operational Resilience Act (DORA)
regulation from EUR-Lex)
• https://ensarseker1.medium.com/dora-a-new-framework-for-third-party-risk-in-the-european-union-eu-9460255aebeb
Thank You