With the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554), the EU has introduced a harmonised framework for managing ICT third-party providers across the financial sector. Uniformly applicable across all member states, DORA mandates that financial entities no longer manage their relationships with IT and cloud providers in an ad hoc manner that ends once the contract is signed. Instead, they must implement a structured lifecycle management approach, from the selection of service providers, contract drafting and continuous monitoring, through to termination and exit management.
This represents a cultural shift, particularly for FinTechs and younger institutions: the previous model of flexible, rapid procurement of cloud or IT services without robust governance structures is obsolete. DORA requires consistent, documented, and auditable management that takes into account risk, supervisory expectations, and exit strategies. The focus shifts from purely operational use of ICT services to strategic lifecycle management of ICT third-party relationships.
Legal Basis and Internal Documentation for ICT Third-Party Management
The core obligations governing ICT third-party relationships are found in Article 28 DORA and further detailed in the Level 2 Regulatory Technical Standards (RTS) on the use of ICT services (RTS Third Party Policy – RTS TPPol).
Under Article 28(2) DORA, financial entities (except those applying the simplified risk management framework under Article 16 DORA) must establish and regularly review a strategy for ICT third-party risk. This includes a group- or entity-level strategy for multi-provider use (Article 6(9) DORA) and, specifically, a policy for the use of ICT services supporting critical or important functions. This applies both at individual and consolidated group levels. The management body must assess the overall risk profile and complexity of operations and evaluate third-party contract risks on an ongoing basis.
Financial entities must also develop a policy (Article 4 RTS TPPol) that documents and operationalises the requirements for managing ICT third-party relationships. This policy is the standard for provider selection, contract drafting, monitoring, and exit, and forms a binding framework for both internal stakeholders and supervisory authorities. It must cover all relevant risk factors (Article 1 RTS TPPol), including service type, location, data handling, licensing/supervision, concentration risk, portability, and business continuity.
The policy must be reviewed annually, updated as necessary, and include methods for classifying critical or important ICT services, assigning responsibilities, ensuring internal expertise, and verifying the adequacy of provider resources. A responsible management member must be designated. The policy must align with DORA frameworks on risk, information security, business continuity, and incident reporting. It should also include independent audits and ensure that contracts safeguard supervisory access, audit rights, and cooperation with authorities (Article 3 RTS TPPol).
Phases of ICT Third-Party Lifecycle Management
DORA recognises that risks from using external ICT providers span the entire lifecycle of the relationship. The regulatory aim is to ensure financial firms manage these dependencies in a structured, transparent, and risk-oriented way. The four lifecycle phases are:
Phase 1 – Planning
(Legal Basis: Article 28(4) DORA; Articles 5–7 RTS TPPol; Article 29 DORA; Articles 6–8 RTS TPPol)
Before entering into an agreement with an ICT third-party provider, firms must carry out a comprehensive planning phase:
- Categorisation: Assess whether the planned service qualifies as an ICT service under DORA.
- Criticality Assessment: Determine if the service supports a critical or important function, which influences regulatory requirements.
- Internal Strategic Compliance: Ensure the planned service aligns with the institution’s strategy and governance.
- Regulatory Compliance: Evaluate whether supervisory requirements for outsourcing are met.
- Ex-ante Risk Assessment: Conduct a risk analysis covering operational, legal, and security aspects. Assess concentration risk per Article 29 DORA.
- Due Diligence: Follow internal guidelines for selecting and evaluating third-party providers, assessing their reputation, resources, security, risk management, licensing, ethics, subcontracting, third-country operations, and audit/access rights.
- Sub-outsourcing Decisions: Decide whether the provider may use subcontractors, and assess their capability to manage these.
- Conflict of Interest: Identify and address potential conflicts.
- Minimum Contractual Requirements: Ensure minimum contractual terms under Article 30 DORA and Article 8 RTS TPPol.
- Information Security Standards: Providers must meet appropriate information security standards. For critical functions, they must meet the highest standards.
Phase 2 – Notification and Register Obligations
(Legal Basis: Article 28(3) DORA)
After planning, firms must fulfil transparency and record-keeping duties:
- BaFin Notifications: Notify the supervisory authority of intended material outsourcing or changes that render a service critical.
- Information Register: Maintain a register of all contracts with ICT providers, including service details, criticality, and provider location. Submit the register to the supervisor annually or upon request. New critical services must be reported immediately.
Phase 3 – Ongoing Monitoring
(Legal Basis: Article 9 RTS TPPol; Article 28(6) DORA)
Ongoing monitoring is required to manage third-party risks during contract duration:
- Performance Monitoring: Review service delivery against KPIs, KRIs, SLAs, and security standards.
- Provider Reports: Evaluate regular reports (e.g. incident logs, continuity reports) and include them in risk management.
- Audits: Conduct risk-based audits to verify compliance. Internal or external auditors must have adequate expertise.
- Corrective Actions and Escalation: Address deficiencies through penalties, escalation, or contractual amendments.
- Subcontractor Oversight: Maintain transparency and evaluate risks related to subcontractors.
- Internal Reporting: Regularly report monitoring results to senior management.
- Supervisory Reporting: Annually report provider types and services to BaFin via the information register.
Phase 4 – Termination and Exit
(Legal Basis: Article 28(7–8) DORA; Article 10 RTS TPPol)
DORA requires a clear exit plan to ensure operational continuity:
- Termination Rights: Contracts must include termination triggers, such as major breaches or information security failures.
- Exit Strategy: Define exit paths, data portability, and vendor lock-in mitigation. Plans must be realistic and embedded in continuity planning.
- Orderly Wind Down: Upon triggering exit, firms must execute the plan through technical, legal, and organisational measures. Actions must be documented and, depending on complexity, managed as formal exit projects.
DORA’s four phases establish a robust lifecycle framework. Financial firms must identify, manage, and document risks continuously. DORA thus ensures that dependencies remain controllable, operational resilience is reinforced, and regulatory oversight is guaranteed.
Practical Challenges
Implementation presents real-world challenges:
- Hyperscaler Dependence: Providers like AWS, Azure, and Google dominate the market, leaving firms with limited negotiation power. Customised clauses required by DORA often clash with standardised offerings. Firms must develop risk-mitigation strategies and document any deviations.
- Resource-Limited Compliance Teams: Smaller institutions and FinTechs face resource constraints. Scalable solutions include automation, external audits (ISAE 3402, SOC 2), or outsourcing due diligence.
- Non-EU Providers: Services often involve third countries, posing regulatory and geopolitical risks. DORA requires detailed risk assessments and robust exit strategies.
- Technical Integration: The DORA-mandated register must integrate with existing ICT and contract management systems. This often demands ICT and process modernisation.
Conclusion and Outlook
DORA’s lifecycle model clarifies that managing ICT third-party dependencies is a continuous, strategic task. From careful planning, notification, and monitoring, to exit execution, DORA imposes a comprehensive framework ensuring transparency, resilience, and compliance.
ICT third-party management is no longer just procurement—it is a cornerstone of digital resilience. With DORA, the EU establishes a unified lifecycle framework, demanding:
- More governance, fewer ad hoc decisions
- Greater transparency through registers and reporting
- More scrutiny through audits and monitoring
- Increased resilience via structured exits and risk-based management
FinTechs in particular must adapt rapidly, building compliance structures that are often found only in large banks. While the regulation provides clarity, real-world implementation is complex and resource-intensive. Yet as ICT reliance grows, DORA’s role will only become more central, possibly expanding to address European digital sovereignty, tech independence, and the supervision of critical third parties.