The Digital Operational Resilience Act


Om Harishree Ganapathaye Namah,

TPRM in DORA
The Digital Operational Resilience Act (DORA)
Regulation (EU) – 2022/2554 and TPRM

-Krishnaprasad SV
learn with kp
CISA, CDPSE, ISMS LA, CSA STAR Auditor
11-03-2024
Document Introduction
In the initial publication on DORA, an introduction to DORA compliance was provided along with a summary of the final text document. (For reference: https://www.linkedin.com/feed/update/urn:li:activity:7167235371703939072/ )

In this follow-up, the focus is specifically on Chapter 5, which covers the management of ICT third-party risk (TPRM) within DORA.

There are 17 articles in this chapter regarding TPRM. Each article is briefly summarized, offering a condensed overview. For a more comprehensive understanding, readers are recommended to refer to the Final Text document.

To enhance clarity, an additional section listing the abbreviations and terminology used in this document has been included.

Important: As this is an attempt to decode the final text of the Articles as a summary, there is room for enhancing the quality of the interpretations.


Key TPRM Principles
The following summarizes key principles addressed in TPRM according to DORA Compliance.

• Oversight and Accountability: Designate specific personnel responsible for overseeing and being accountable for
TPRM within financial entities.
• Due Diligence: Conduct thorough evaluations of third parties' cybersecurity risk profiles both before entering into
contracts and periodically thereafter. Assess factors such as technical capabilities, security controls, and incident
response preparedness.
• Contractual Requirements: Incorporate clauses into contracts that mandate third parties to adhere to specified
security standards and practices.
• Monitoring and Evaluation: Continuously monitor third-party activities and assess their performance to ensure
compliance with agreed-upon standards. Regularly review and address emerging risks.
• Termination Rights: Maintain the authority to terminate contracts with third parties that fail to comply with security
requirements.
• Incident Planning: Collaborate with third parties to develop and implement response and recovery plans for
addressing ICT security incidents effectively.
Managing of ICT third-party risk - Articles
The chapter "Managing of ICT third-party risk" focuses on establishing requirements and guidelines for managing risks associated with third-party providers of information and communication technology (ICT) services.
This chapter comprises 17 articles, covering the following:

• Article 28, General principles of ICT third-party risk
• Article 29, Preliminary assessment of ICT concentration risk at entity level
• Article 30, Key contractual provisions
• Article 31, Designation of critical ICT third-party service providers
• Article 32, Structure of the Oversight Framework
• Article 33, Tasks of the Lead Overseer
• Article 34, Operational coordination between Lead Overseers
• Article 35, Powers of the Lead Overseer
• Article 36, Exercise of the powers of the Lead Overseer outside the Union
• Article 37, Request for information
• Article 38, General investigations
• Article 39, Inspections
• Article 40, Ongoing oversight
• Article 41, Harmonization of conditions enabling the conduct of the oversight activities
• Article 42, Follow-up by competent authorities
• Article 43, Oversight fees
• Article 44, International cooperation

Abbreviations and Terminologies
It is essential to grasp the following terminologies and abbreviations to comprehend the rest of this document effectively.

Abbreviation / Terminology          Details

DORA                                Digital Operational Resilience Act
EBA                                 European Banking Authority
ECB                                 European Central Bank
EIOPA                               European Insurance and Occupational Pensions Authority
ENISA                               European Union Agency for Cybersecurity
ESA                                 European Supervisory Authorities
ESMA                                European Securities and Markets Authority
ICT                                 Information and Communication Technology
ICT third-party service provider    A company that offers services related to information and communication technology (ICT) to other organizations, such as financial institutions.
Joint Committee                     A collaborative body involving the European Supervisory Authorities (ESAs), which include the EBA, ESMA and EIOPA. This committee works together to develop and implement regulatory standards and guidelines related to digital operational resilience across the financial sector.
JON                                 Joint Oversight Network
Lead Overseer                       A designated authority responsible for overseeing critical ICT (Information and Communication Technology) third-party service providers.
TPRM                                Third Party Risk Management
Summary of TPRM in DORA Articles
Article 28, General Principles of ICT third-party risk
Financial entities must manage ICT third-party risk within their framework, remaining responsible for compliance with
regulations. They should assess risks proportionally and maintain a register of contractual arrangements. Before entering
into contracts, they must assess risks, ensure compliance with security standards, and have exit strategies. The ESAs will
develop standards for registers and policies on critical function support.

Article 29, Preliminary assessment of ICT concentration risk at entity level
Financial entities must consider ICT concentration risk when assessing risks related to ICT services supporting critical
functions. This includes evaluating the substitutability of third-party providers and the potential risks of multiple
arrangements with the same provider. They should weigh the benefits and costs of alternative solutions, considering how
they align with their digital resilience strategy. Additionally, financial entities need to assess the implications of
subcontracting critical ICT services, especially regarding third-country subcontractors and insolvency law provisions.
Compliance with Union data protection rules and effective law enforcement in third countries should also be considered,
along with the impact of complex subcontracting chains on monitoring and regulatory supervision.

Article 30, Key contractual provisions
Financial institutions and their third-party ICT service providers must establish clear rights and responsibilities in written
contracts, incorporating service level agreements. These contracts should encompass detailed descriptions of services, data
processing locations, data protection measures, termination procedures, and collaboration with regulatory authorities. For
critical functions, contracts should additionally outline specific service level descriptions, reporting requirements, business
continuity plans, and exit strategies. Technical standards for subcontracted services, tailored to the size and risk profile of
financial entities, will be developed by the ESAs and submitted to the Commission for approval.

Article 31, Designation of critical ICT third-party service providers
The ESAs, with input from the Oversight Forum, will designate critical ICT third-party service providers based on criteria
evaluating their systemic impact, importance to financial entities, and substitutability. Lead Overseers will be appointed for
each critical provider. Criteria include the impact on financial stability, reliance of systemic institutions, interdependence
with other entities, and the difficulty of switching providers. The designation process involves notifying providers and
financial entities, with the Commission empowered to further specify criteria. Certain providers are exempt, and a yearly
list of critical providers will be published. Providers not on the list can apply for designation. Financial entities can only use
services from designated providers with a Union subsidiary, and changes to subsidiary management must be reported to
Article 32, Structure of the Oversight Framework
The Oversight Forum, an arm of the Joint Committee, spearheads efforts to monitor ICT third-party risk within financial sectors. It
crafts joint positions, fosters dialogue on emerging trends, and conducts collective assessments of oversight activities. Comprising
ESA leaders, high-level representatives from competent authorities, and observers, it ensures a comprehensive approach to digital
resilience. Independent experts may offer insights, and guidelines for ESA-competent authority cooperation will be unveiled by July
2024. Annual reports to the European Parliament, the Council, and the Commission will highlight the framework's application.

Article 33, Tasks of the Lead Overseer
The Lead Overseer, designated under Article 31(1), point (b), spearheads oversight activities for assigned critical ICT third-party
service providers, acting as their primary contact. They assess the providers' ICT risk management frameworks, focusing on critical
functions and extending to other relevant areas as needed. This covers various aspects such as ICT security, risk management
processes, incident response, and compliance with standards. The Lead Overseer, in coordination with the Joint Oversight Network,
develops detailed oversight plans annually, communicating them to the providers for review. Prior to finalizing plans, providers can
offer feedback on potential impacts and propose risk mitigation strategies. Once finalized, the plan is communicated to the provider, and competent
authorities must collaborate with the Lead Overseer on any measures related to these critical providers.

Article 34, Operational coordination between Lead Overseers
In order to maintain a unified approach to oversight and promote coordinated efforts, the three Lead Overseers designated
under Article 31(1), point (b), will establish a Joint Oversight Network (JON). This network will facilitate collaboration
during the preparatory phases and oversight activities involving critical ICT third-party service providers. Additionally, it
will manage any necessary actions outlined in Article 42. The Lead Overseers will develop a shared oversight protocol
detailing specific procedures for day-to-day coordination and ensuring prompt information exchange. The ECB and ENISA
may be invited to provide ad-hoc technical advice or participate in coordination meetings as required.

Article 35, Powers of the Lead Overseer
The Lead Overseer, appointed under Article 31(1), point (b), has powers over critical ICT third-party service providers,
including information requests, investigations, and issuing recommendations. They coordinate with the Joint Oversight
Network (JON) and consult relevant authorities to avoid duplication. The Lead Overseer involves the Oversight Forum
before recommendations and informs the JON of outcomes. Non-compliance may lead to penalty payments, disclosed to the
public, respecting the rights of defense.

Article 36, Exercise of the powers of the Lead Overseer outside the Union
The Lead Overseer, as per Article 31(12), is empowered to exercise its authority on third-country premises if deemed
essential for oversight. This requires the consent of the third-country authority and cooperation agreements with EBA,
ESMA, or EIOPA. In cases where oversight outside the Union is impractical, the Lead Overseer must rely on available
information for its decisions and detail any repercussions on its recommendations.

Article 37, Request for information
The Lead Overseer has the authority to request critical ICT third-party service providers to provide necessary information
for regulatory duties. This includes business documents, contracts, policies, and ICT-related reports. Requests can be made
either informally or by formal decision. In both cases, the Lead Overseer must specify the purpose, required information,
and deadline for submission. Failure to comply may result in penalty payments. Representatives of the service providers
are obligated to provide accurate information, and the Lead Overseer must notify relevant authorities of any decisions
made.

Article 38, General investigations
To fulfill its obligations under this Regulation, the Lead Overseer, with the assistance of the joint examination team, has the
authority to conduct investigations into critical ICT third-party service providers. This includes examining records, interviewing
representatives, and requesting telecommunications data. Officials involved must be authorized in writing, with clear instructions
on the purpose of the investigation and potential penalties for non-compliance. Representatives of the service providers are
obliged to cooperate with investigations based on the Lead Overseer's decision, which also outlines penalties and legal recourse.
Prior to initiating an investigation, the Lead Overseer must inform relevant competent authorities and share pertinent information
with the joint examination team to ensure transparency and coordination.

Article 39, Inspections
The Lead Overseer, aided by joint examination teams, can conduct on-site inspections at ICT third-party service providers'
premises, including entry and sealing when necessary. Authorized officials need written permission stating the purpose and
penalties for non-compliance. Competent authorities of financial entities using their services must be notified beforehand.
Inspections cover all relevant ICT systems and data. Reasonable notice is given unless in emergencies. Providers must comply with
inspection orders, or face penalties, including possible contract termination if they resist.

Article 40, Ongoing oversight
During oversight activities, the Lead Overseer is supported by a joint examination team consisting of ESA and competent
authority staff. This team assesses critical ICT third-party service providers. Recommendations are made within three
months of investigations and shared with the provider and relevant financial entity authorities. Third-party certifications
and audit reports may be considered during oversight.

Article 41, Harmonization of conditions enabling the conduct of the oversight activities
The ESAs will create technical standards defining:
• Information required from ICT service providers applying for critical designation.
• Format and content of information needed for oversight.
• Composition and tasks of joint examination teams.
• Evaluation criteria for measures taken by providers after oversight.
These standards will be submitted to the Commission by July 17, 2024, for approval.

Article 42, Follow-up by competent authorities
Critical ICT third-party service providers must either comply with the Lead Overseer's recommendations or explain their non-compliance within 60 days.
Failure to respond or inadequate explanations may result in public disclosure. Competent
authorities inform financial entities of identified risks and may suspend services if risks persist. The Lead Overseer can issue
non-binding opinions to ensure a consistent response. Competent authorities consider the gravity of non-compliance before
taking action, ensuring financial entities have time to adjust contracts. Decisions are notified to the Oversight Forum and the JON.
Critical providers must cooperate with affected entities. Competent authorities update the Lead Overseer on supervisory
actions, and the Lead Overseer provides further guidance if needed.

Article 43, Oversight fees
The Lead Overseer charges critical ICT third-party service providers fees to cover oversight expenses, including joint
examination team costs and advice from independent experts. Fees are proportionate to turnover. The Commission determines
fee amounts and payment methods through a delegated act.

Article 44, International cooperation
EBA, ESMA, and EIOPA may establish administrative arrangements with third-country authorities to enhance cooperation
on ICT third-party risk. They'll periodically report to the European Parliament, Council, and Commission on discussions
with these authorities, focusing on risk evolution and its implications.

For a more comprehensive understanding, it is recommended to refer to the Final Text document; the
link is provided in the reference section.

References

Links (URL)

• https://www.digital-operational-resilience-act.com/
• https://www.dora-info.eu/ (web version of the original legal text of the Digital Operational Resilience Act (DORA)
regulation from EUR-Lex)
• https://ensarseker1.medium.com/dora-a-new-framework-for-third-party-risk-in-the-european-union-eu-9460255aebeb

Thank You

Thanks & Regards,

Krishnaprasad SV
https://www.linkedin.com/in/krishnaprasadsv/