DORA requires IT companies that provide services to financial organizations in the European Union to comply with security standards and to meet specific contractual requirements. If an IT provider is designated as critical, DORA imposes much stricter requirements on it.
Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.
Financial entities must manage ICT third-party risk in a proportionate manner, considering the nature, scale, complexity, and importance of their ICT dependencies. They must also assess the risks arising from ICT service contracts, focusing on the criticality of the services and their potential impact on the continuity and availability of financial services and activities, at both individual and group level.
Financial entities must include a strategy for ICT third-party risk within their ICT risk management framework and review it regularly, considering a multi-vendor approach. This strategy must include a policy for using ICT services that support critical or important functions provided by third-party providers. The management body should regularly assess and review risks related to ICT service contracts, based on the entity's overall risk profile and the scale and complexity of its operations.
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.
Each critical ICT third-party service provider is overseen by a Lead Overseer, appointed by the ESAs, who continuously evaluates whether the provider has effective measures in place to manage the ICT risks it poses to financial entities.
Oversight comes at a cost, which the Lead Overseer calculates annually. The oversight fees charged to critical ICT third-party service providers, including a minimum annual fee of 50,000 euros, are determined together with the payment process.
The Lead Overseer is responsible for ensuring compliance with key ICT requirements, including security, availability, continuity, scalability, and service quality. This includes maintaining high standards of data integrity and confidentiality, assessing physical security, and reviewing risk management processes such as business continuity and recovery plans. Governance structures, incident management (especially for cyber-attacks), and data portability are also checked. The Lead Overseer further evaluates ICT system testing and audits, and ensures adherence to the relevant national and international standards for ICT services provided to financial entities.
DORA specifies fines for critical ICT third-party service providers that fail to comply, which can be up to 1% of their global annual turnover. The fine amount depends on the duration of non-compliance. Additionally, the Lead Overseer is required to issue a public notice disclosing the name of the service provider that was fined.