European financial regulation is about to change again for financial entities: DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) sets out how the financial sector must manage technological risk, and it brings a series of obligations that cannot be overlooked. Among them, the requirement to maintain a register of information covering all contractual arrangements for ICT services provided by third-party providers stands out.
The Burden of Responsibility
DORA makes it clear that the ultimate responsibility for regulatory compliance lies with the financial entities themselves; outsourcing a service does not outsource the accountability for it. Each entity must manage the risks arising from its ICT third-party service providers with a proportionate approach, which means a meticulous assessment of the nature, scale, complexity, and importance of each technological dependency.
Strategy as a Fundamental Pillar
The management body of each financial entity must adopt a specific strategy for managing ICT third-party risk. This strategy is not a bureaucratic formality: it must be reviewed regularly and rest on a thorough examination of all the entity's third-party technological dependencies, with particular attention to those that support critical or important functions.
Contract Register: More Than Just an Inventory
Perhaps one of the most challenging aspects of DORA is the obligation to maintain a detailed register of information on all contractual arrangements with ICT third-party service providers, distinguishing those that cover critical or important functions from those that do not. This register is not merely an administrative exercise; it becomes a crucial tool for financial supervisors, who may request it in full or in part to understand the entities' technological dependencies, and entities must in any case report on new arrangements to their competent authority at least once a year.
Due Diligence: An Unavoidable Step
Before formalizing any contractual arrangement, financial entities must conduct a thorough analysis. This process must consider whether the services support critical or important functions, whether any supervisory approval conditions are met, the concentration risk that the arrangement introduces, and a rigorous due diligence assessment of the prospective provider, including potential conflicts of interest. Entities may only contract with providers that comply with appropriate information security standards; for critical or important functions, they must also give due consideration to whether the provider applies the most up-to-date and highest quality standards.
The Sword of Damocles: Contract Termination
DORA clearly establishes the circumstances in which a financial entity must be able to terminate its contracts with ICT service providers. These include a significant breach of applicable laws, regulations or contractual terms; circumstances identified through monitoring that alter the performance of the contracted functions, including material changes affecting the arrangement; evidenced weaknesses in the provider's overall ICT risk management, in particular regarding the availability, authenticity, integrity and confidentiality of data; and situations in which the competent authority can no longer effectively supervise the financial entity as a result of the arrangement. For services supporting critical or important functions, the entity must also have documented and tested exit strategies so that termination does not itself become a disruption.
Is Your Entity Prepared for This Regulatory Tsunami? The Time to Act is Now.
If you enjoyed this article, you might also find the following reading interesting:
DORA: Essential Contractual Clauses for the Digital Resilience of Financial Entities