
EU Digital Operational Resilience Act Compliance

Simplify DORA Third-Party Assessments

The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector is able to maintain resilience during severe operational disruptions.

DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector such as banks, insurance companies, and investment firms.

DORA creates a regulatory framework for digital operational resilience whereby all in-scope firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats. It also applies to critical third parties that provide ICT (Information and Communication Technology) services to the financial services industry, such as cloud platforms or data analytics services.

Relevant Requirements

  • Assess risks related to ICT third-party providers, including operational risks, concentration risks, and systemic risks.

  • Ensure that third-party vendor contracts include rights and obligations that can be continuously assessed.

  • Maintain a register of all ICT third-party providers and services.

  • Develop recovery and contingency plans in case of large-scale cyberattacks or outages.

  • Conduct comprehensive due diligence before entering into contracts with third-party ICT service providers.

  • Monitor concentration risks related to ICT third-party providers.

  • Test ICT third-party providers’ operational resilience capabilities.

  • Ensure that subcontractors are subject to the same standards of due diligence, monitoring, and risk management.

The DORA Third-Party Compliance Checklist

This comprehensive checklist examines key articles in DORA Chapter V: Managing of ICT Third-Party Risk and provides guidance for meeting the requirements.


Mapping Prevalent Capabilities to Requirements in DORA Chapter V: Managing of ICT Third-Party Risk

Chapter V, Section I (Articles 28-30) sets out the key principles financial entities must follow in managing ICT third-party risk: general principles, the preliminary assessment of ICT concentration risk, and the contractual provisions required in arrangements with ICT third-party service providers.
NOTE: This is not a comprehensive list of DORA requirements. For a full view of DORA requirements, please see the complete Act and consult your organization’s audit team or external auditor.

Chapter V: Managing of ICT Third-Party Risk

Section I: Key Principles for a Sound Management of ICT Third-Party Risk

Each DORA requirement quoted below is followed by the corresponding third-party risk management best practice.

Article 28: General Principles

28 (1). Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1), and in accordance with the following principles:

(a) financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law;

(b) financial entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:

(i) the nature, scale, complexity and importance of ICT-related dependencies,

(ii) the risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level.

28 (2). As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than micro-enterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.

Prevalent collaborates with your team on defining and implementing TPRM strategies, processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding.

As part of this process, Prevalent helps you define:

  • Clear roles and responsibilities (e.g., RACI).
  • Third-party inventories.
  • Risk scoring and thresholds based on your organization’s risk tolerance.
  • Assessment and monitoring methodologies based on third-party criticality.
  • Fourth-party mapping to understand risk in your extended vendor ecosystem.
  • Sources of continuous monitoring data (cyber, business, reputational, & financial).
  • Key performance indicators (KPIs) and key risk indicators (KRIs).
  • Governing policies, standards, systems and processes to protect data.
  • Compliance and contractual reporting requirements against service levels.
  • Incident response requirements.
  • Risk and internal stakeholder reporting.
  • Risk mitigation and remediation strategies.

28 (3). As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.
Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

With Prevalent, you can build a centralized third-party inventory by importing suppliers via a spreadsheet template or through an API connection to an existing procurement solution. Teams throughout the enterprise can populate key supplier details with a centralized intake form and associated workflow tasks. This is available to everyone via email invitation, without requiring any training or solution expertise.

As part of this process, Prevalent creates comprehensive supplier profiles that contain all documentary evidence related to the third party, plus demographics, fourth parties, ESG scores, recent business and reputational insights, data breach history, and recent financial performance. This adds the context needed for audit processes and for distinguishing arrangements that support critical or important functions from those that do not.

As well, Prevalent quantifies inherent risks for all suppliers to effectively tier suppliers, set appropriate levels of further diligence, and determine the scope of ongoing assessments. Criteria used to calculate inherent risk for supplier tiering include:

  • Criticality to business performance and operations.
  • Location(s) and related legal or regulatory considerations.
  • Interaction with protected data, customer data or customer-facing systems.

Part of the tiering process is identifying fourth-party and Nth-party suppliers in your supplier ecosystem, since critical dependencies can affect tiering decisions. With Prevalent, you can conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies that could expose your organization to risk.

28 (5). Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.

28 (6). In exercising access, inspection and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.
Where contractual arrangements concluded with ICT third-party service providers on the use of ICT services entail high technical complexity, the financial entity shall verify that auditors, whether internal or external, or a pool of auditors, possess appropriate skills and knowledge to effectively perform the relevant audits and assessments.

Leverage a standardized risk assessment in the Prevalent Platform, such as one based on ISO 27001, to determine adherence to key information security and third-party risk management principles. Workflow automations, task management, and automated evidence review capabilities for evaluating risk scores simplify the process and let you pre-determine the areas and frequency of review on a risk basis.

Complement periodic questionnaire-based risk assessments with continuous tracking and analysis of external threats to third parties with Prevalent. As part of this, Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities.

Monitoring sources include:

  • Criminal forums, onion pages, dark web special access forums, threat feeds, and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.
  • Databases containing several years of data breach history for thousands of companies around the world.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each supplier, streamlining risk review, reporting, remediation and response, and simplifying audits.

Once assessment and monitoring data is correlated in the central risk register, Prevalent applies risk scoring and prioritization according to a likelihood and impact model. The model places risks on a matrix so the highest-impact risks are visible at a glance and remediation effort can be prioritized on those. Assign owners and track risks and remediations down to a level acceptable to the business.

Prevalent also suggests remediations for low-maturity supplier controls that exceed the organization’s risk appetite. Built-in remediation recommendations based on assessment results help ensure that suppliers address risks in a timely and satisfactory manner and can provide appropriate evidence to auditors.

28 (7). Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances:

(a) significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;

(b) circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;

(c) ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and, confidentiality, of data, whether personal or otherwise sensitive data, or non-personal data;

(d) where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.

28 (8). For ICT services supporting critical or important functions, financial entities shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part, a deterioration of the quality of the ICT services provided, any business disruption due to inappropriate or failed provision of ICT services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providers under any of the circumstances listed in paragraph 7.
Financial entities shall ensure that they are able to exit contractual arrangements without:

(a) disruption to their business activities,

(b) limiting compliance with regulatory requirements,

(c) detriment to the continuity and quality of services provided to clients.

Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested and reviewed periodically.
Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house.
Financial entities shall have appropriate contingency measures in place to maintain business continuity in the event of the circumstances referred to in the first subparagraph.

With Prevalent, you can automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

  • Schedule tasks to review contracts to ensure all obligations have been met.
  • Issue contract assessments to evaluate status.
  • Leverage surveys and workflows to report on system access, data destruction, access management, compliance with all relevant laws, final payments, etc.
  • Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts.
  • Analyze documents to confirm key criteria are addressed.
  • Take actionable steps to reduce vendor risk with remediation recommendations and guidance.
  • Visualize and address compliance requirements by automatically mapping assessment results to regulations and frameworks.

28 (9) and 28 (10) mandate the ESAs, through the Joint Committee, to develop technical standards (templates for the register of information and further detail on the policy on ICT services supporting critical or important functions) and do not impose direct obligations on financial entities.

Article 29: Preliminary Assessment of ICT Concentration Risk at Entity Level

29 (1). When performing the identification and assessment of risks referred to in Article 28(4), point (c), financial entities shall also take into account whether the envisaged conclusion of a contractual arrangement in relation to ICT services supporting critical or important functions would lead to any of the following:

(a) contracting an ICT third-party service provider that is not easily substitutable; or

(b) having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same ICT third-party service provider or with closely connected ICT third-party service providers.

Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy.

If an alternative provider is required because of non-compliance, an elevated risk score, or concentration risk (a provider that is not easily substitutable, or several critical or important functions dependent on the same provider), Prevalent provides networks of completed third-party risk assessments standardized on a common industry framework to help identify a suitable replacement.

Our on-demand risk assessment libraries feature access to tens of thousands of completed and verified assessments and supporting evidence and can serve as a repository of potential new third parties that have already been vetted against stringent ICT security guidelines.

29 (2). Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.

Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider’s bankruptcy as well as any constraint that may arise in respect to the urgent recovery of the financial entity’s data.

Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also consider the compliance with Union data protection rules and the effective enforcement of the law in that third country.

Where the contractual arrangements on the use of ICT services supporting critical or important functions provide for subcontracting, financial entities shall assess whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.

With Prevalent, you can identify fourth-party and Nth-party subcontracting relationships in your third-party ecosystem. Conduct a questionnaire-based assessment of your suppliers or passively scan the supplier’s public-facing infrastructure. The resulting relationship map depicts extended dependencies and information flows that could expose your organization to risk.
Then, leverage contractual provisions such as right-to-audit to extend risk assessments to these fourth and Nth parties.

Article 30: Key Contractual Provisions

30 (1). The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.

30 (2). The contractual arrangements on the use of ICT services shall include at least the following elements:

(a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;

(b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;

(c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;

(d) provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;

(e) service level descriptions, including updates and revisions thereof;

(f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;

(g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;

(h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;

(i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programs and digital operational resilience training in accordance with Article 13(6).

30 (3). The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:

(a) full service level descriptions, including updates and revisions thereof with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;

(b) notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider’s ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;

(c) requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;

(d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27;

(e) the right to monitor, on an ongoing basis, the ICT third-party service provider’s performance, which entails the following:

(i) unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;

(ii) the right to agree on alternative assurance levels if other clients’ rights are affected;

(iii) the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and

(iv) the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;

(f) exit strategies, in particular the establishment of a mandatory adequate transition period:

(i) during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring;

(ii) allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.

By way of derogation from point (e), the ICT third-party service provider and the financial entity that is a micro-enterprise may agree that the financial entity’s rights of access, inspection and audit can be delegated to an independent third party, appointed by the ICT third-party service provider, and that the financial entity is able to request information and assurance on the ICT third-party service provider’s performance from the third party at any time.

30 (4). When negotiating contractual arrangements, financial entities and ICT third-party service providers shall consider the use of standard contractual clauses developed by public authorities for specific services.

Prevalent centralizes the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders and status – with customized, role-based views.
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle.
  • Automated reminders and overdue notices to streamline contract reviews.
  • Centralized contract discussion and comment tracking.
  • Contract and document storage with role-based permissions and audit trails of all access.
  • Version control tracking that supports offline contract and document edits.
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access.

Continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities by measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle with the Prevalent Platform.

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

30 (5) mandates the ESAs, through the Joint Committee, to develop technical standards further specifying the elements a financial entity must determine and assess when subcontracting ICT services supporting critical or important functions; it does not add direct obligations on financial entities beyond those above.
