DORA – 3rd Party Technology Outsource Providers
Further to our recent LinkedIn posts on the EU DORA regulation, we thought it would be useful to outline the plans for dealing with 3rd Party technology outsource providers.
The financial sector makes a lot of use of Technology Service Providers (TSPs), and so this will be a significant area of interest.
DORA plans to embrace a new approach to monitoring CTPPs (Critical Third-Party Providers), which refers to those TSPs that are deemed “critical”.
- The EBA, ESMA, and EIOPA (collectively known as the ESAs) will designate those TSPs that are deemed to be “critical”, and therefore a CTPP.
- The most appropriate of the ESAs will assume direct oversight of a CTPP as “lead overseer”.
- CTPPs will be monitored on a pan-European basis by the lead overseer.
- CTPPs will be assessed by the ESAs on the systemic impact of their services, systemic importance, resilience, and substitutability.
Whether a TSP is designated as a CTPP or not, the whole technology and cyber-threat security framework remains the responsibility of the organisation that has decided to outsource, and that organisation must incorporate a robust strategy around such third-party risk. The ESAs’ monitoring of CTPPs may give some additional comfort but does not alleviate those responsibilities.
Firms will still be expected to:
- Complete due diligence for all technology outsource providers
- Ensure that everything necessary is in place with providers to deal with any of the provisions of DORA
- Monitor arrangements on an ongoing basis and keep them in line with the organisation’s own DORA provisions