Requirement
DORA.TP-1.1: The financial entity shall adopt and implement an ICT third-party risk management policy and strategy, approved by the management body, that governs the use of ICT services, the assessment of associated risks, and the ongoing oversight of ICT service providers (Art. 28(1) DORA).
Guidance
The policy should define: scope of ICT third-party services covered; risk classification tiers for providers (e.g. critical, important, standard); requirements for due diligence by tier; escalation procedures for high-risk providers; and linkage to the entity's digital operational resilience strategy.
Documentation
Implementation
Requirement
DORA.TP-2.1: The financial entity shall maintain a complete, up-to-date register of all ICT third-party service providers, documenting the services provided, criticality classification, contractual arrangements, and sub-outsourcing chains, and notify the competent authority in accordance with DORA Art. 28(3) requirements.
Guidance
The register should include, for every arrangement: provider name and contact; services provided and their criticality classification; contract start and end dates; key contractual commitments; sub-contractors in the sub-outsourcing chain and the controls applied to them; date of the last due diligence review; and a flag for providers designated as critical ICT third-party service providers by the supervisory authorities.
Documentation
Implementation
Requirement
DORA.TP-3.1: Before entering into and periodically during contractual arrangements with ICT service providers, the financial entity shall conduct risk-proportionate due diligence covering information security practices, operational resilience, sub-outsourcing arrangements, business continuity capabilities, and compliance with applicable regulations (Art. 28(4) DORA).
Guidance
Due diligence should be proportionate to the criticality tier of the provider and cover: information security certifications (ISO 27001, SOC 2 Type II); BCP and DR capabilities; data breach history; sub-processor arrangements and controls; regulatory standing; financial stability; and audit rights under the proposed contract.
Documentation
Implementation
Requirement
DORA.TP-4.1: The financial entity shall develop and maintain documented exit strategies for critical ICT third-party service providers, ensuring the ability to terminate arrangements and transition services to an alternative provider or back in-house, without undue disruption to critical or important functions (Art. 28(8) DORA).
Guidance
Exit strategies should address: trigger conditions for invoking exit (including regulatory direction); transition planning and migration timelines; data portability and retrieval procedures; identification of alternative providers; minimum contractual notice periods; and testing of exit arrangements.
Documentation
Implementation
Maturity Scale
Target: ≥ 3/5 for all categories
Level 1
Documentation: No process documentation exists, or the documentation has not been formally approved by management.
Implementation: No standard process exists. Actions are ad hoc and undocumented.

Level 2
Documentation: Formally approved process documentation exists but has not been reviewed in the previous 2 years.
Implementation: An ad hoc process exists and is performed informally. Results are inconsistent.

Level 3
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented and approved exceptions cover less than 5% of activities.
Implementation: A formal process exists and is implemented. Evidence is available for most activities. Less than 10% of activities are process exceptions.

Level 4
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented and approved exceptions cover less than 3% of activities.
Implementation: The formal process is fully implemented. Evidence is available for all activities. Detailed metrics are captured and reported. Less than 5% of activities are process exceptions.

Level 5
Documentation: Formally approved process documentation exists; exceptions are documented and approved, and documented and approved exceptions cover less than 0.5% of activities.
Implementation: The formal process is fully implemented and continually improving. Exceptions are minimal (less than 1% of activities). Process improvements are tracked and evidenced.