Friday with DORA: Review of risk management rules from external ICT service providers

One of the obligations imposed on, among others, national payment institutions and small payment institutions by Regulation 2022/2554 on operational digital resilience of the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (hereinafter referred to as “DORA” or “the Regulation”) is to manage risks from third-party ICT service providers.

Accordingly, under the DORA, financial entities are required to:

• •  provide information to the competent authority at least annually on the number of new arrangements for the use of ICT services, the categories of external ICT service providers, the type of contractual arrangements, and the ICT services provided and functions supported;
  • make available to the competent authority (upon request) the full register of information or specific sections of that register, together with any information deemed necessary to enable effective supervision of the financial entity in question.
  • inform the competent authority in a timely manner of any planned contractual arrangements for the use of ICT services supporting critical or essential functions, and that a function has become critical or essential.

! According to the draft law published on April 18, 2024 on amending certain laws in connection with ensuring the operational digital resilience of the financial sector, the designated supervisory authority in Poland is to be the Financial Supervision Commission.

In addition, as part of ICT risk management, certain financial entities – including NIPs (not applicable to MIPs) should, in particular:

1. 1. adopt a strategy on risks from third-party ICT service providers and review it regularly;
   2. develop and adopt a policy on the use of ICT services to support critical or essential functions provided by external ICT service providers;
   3. conduct a risk review of contracts for the use of ICT services supporting critical or essential functions.

The regulation also requires financial entities to conduct an initial concentration risk assessment when entering into a planned contractual arrangement in connection with ICT services supporting critical or essential functions would lead to any of the following:

• • entering into a contract with an external ICT service provider that cannot be easily replaced, or
  • having multiple contractual arrangements for the provision of ICT services supporting critical or essential functions with the same external ICT service provider or with closely related external ICT service providers.