DORA ICT third-party service providers

Understanding whether an Information and Communication Technology (ICT) supplier is in scope for DORA can be tricky. The Regulation itself, its technical standards and the supervisors' guidance all bear on the question, but the deciding factor is how critical the supplier's service is to the financial entity's ability to deliver its own services: contracts that support a critical or important function attract the strictest requirements, and the largest providers can be designated as critical ICT third-party service providers and placed under direct oversight by the European Supervisory Authorities. A provider designated as critical that is established outside the EU has 12 months from designation to establish a subsidiary in the EU.

Below we take a light-hearted and non-technical review of the classifications. If you are in any doubt as to whether you, as a supplier, fall under the scope of DORA, or you are a financial entity unsure which suppliers to include, our DORA experts can help you.

YourDigitalCTO are specialists in ensuring compliance with a wide range of standards (including DORA, cyber, GDPR, supplier management and more).

We offer a range of DORA specific services to ensure your compliance as a financial services entity or a supplier to financial services.

We work with your existing team, suppliers and capabilities to ensure rapid compliance with the least effort and cost.

Understanding ICT Third-Party Service Providers under the EU Digital Operational Resilience Act (DORA)

Imagine you're the owner of a small business, let’s say a quaint little bakery. You focus on crafting delicious pastries and cakes, but you rely on other businesses to help run things smoothly. For instance, you might use a company that manages your online orders, another that keeps your payment systems secure, and perhaps even one that handles all your customer data in the cloud. These companies are your third-party service providers—they’re crucial to your business, even if they’re not making croissants in your kitchen.

In the world of Information and Communication Technology (ICT), many organizations depend on third-party service providers to keep things running. These third-party companies offer services like data storage, cybersecurity, software development, and more. The challenge is that if something goes wrong with one of these service providers—say they get hacked, or their systems go down—it could have a big impact on the organizations that rely on them. This is where the EU Digital Operational Resilience Act (DORA) comes into play.

What is DORA?

The EU Digital Operational Resilience Act, or DORA (Regulation (EU) 2022/2554, applying from 17 January 2025), was introduced by the European Union to ensure that financial entities can withstand, respond to and recover from all kinds of disruptions to their digital services. Whether it’s a cyberattack, a technical glitch, or some other unexpected issue, DORA is designed to make sure that these organizations can keep operating, no matter what.

One key aspect of DORA is that it doesn’t just apply to the financial entities themselves; it also reaches the third-party service providers they rely on. Under DORA, any undertaking that provides ICT services (digital and data services delivered through ICT systems on an ongoing basis, including hardware as a service) to a financial entity is an “ICT third-party service provider”. So if your business supplies such services to a bank, insurer or investment firm, you are one.

What Makes a Company an ICT Third-Party Service Provider?

So, how do you know what DORA means for a particular company? The definition of an ICT third-party service provider is deliberately broad, so the practical question is how much of DORA applies to a given supplier. That boils down to a few key factors:

  1. The Services They Provide: If a company provides ICT services to a financial entity, it is an ICT third-party service provider. This includes things like cloud services, cybersecurity services, data analytics, software, hosting and managed services, and even certain kinds of consulting where the advice is delivered through ICT systems. The one notable exclusion is traditional analogue telephone services.
  2. The Impact of Their Services: If the failure of a company’s services could cause significant disruption to the financial entity it serves, say by bringing down a bank’s online banking platform or exposing sensitive customer data, the service supports a “critical or important function”. DORA defines that as a function whose disruption would materially impair the entity’s financial performance, the soundness or continuity of its services, or its ability to keep meeting the conditions of its authorisation. Contracts for such services must meet the stricter requirements of DORA Article 30, and the financial entity must flag them as such in its register of information.
  3. The Sector They Serve: DORA applies to the financial sector: banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, trading venues and the other entities listed in Article 2. It does not extend to other critical sectors (those fall under NIS2), but a provider whose customers include EU financial entities is in scope through those customers, wherever the provider itself is based.
  4. The Scale of Their Footprint: The European Supervisory Authorities can designate the largest and most systemically relevant providers as “critical ICT third-party service providers” under Article 31. Those providers are supervised directly by a Lead Overseer rather than only through their customers’ contracts.

Examples of ICT Third-Party Service Providers

To make this a bit more concrete, let’s look at some examples of companies that might be considered ICT third-party service providers under DORA:

  • Cloud Service Providers: Think of companies like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. These companies offer cloud computing services that are essential for many organizations to run their day-to-day operations. If one of these services were to go down, it could have a major impact on their clients.
  • Cybersecurity Firms: Companies that specialize in protecting organizations from cyber threats, like FireEye or Palo Alto Networks, are also ICT third-party service providers when they serve financial entities. They play a crucial role in ensuring that their clients’ systems are secure and protected from attacks.
  • Software Developers: If a company develops and maintains software that is essential to the functioning of a financial institution, like a payment processing system or trading platform, it falls under DORA’s scope, and because such systems almost always support a critical or important function, its contracts will attract the strictest requirements.
  • Data Management Services: Companies that manage and store large amounts of data, especially sensitive financial data, are also likely to be considered ICT third-party service providers. For example, a company like IBM, which offers extensive data management services, would be a prime candidate.

Why It Matters

You might be thinking, "Why should I care if a company is classified as an ICT third-party service provider under DORA?" Well, the classification has significant implications. Most of DORA’s obligations sit with the financial entity, but the entity must pass them down through its contracts: DORA Article 30 requires every ICT service contract to cover matters such as service descriptions, data location and protection, availability and security levels, assistance with ICT incidents, cooperation with the financial entity’s supervisors, and termination and exit arrangements. Contracts supporting critical or important functions must go further, with quantitative service levels, incident notification, the right to audit and participation in the entity’s threat-led penetration testing. A provider designated as critical is additionally subject to direct oversight, including requests for information, inspections and recommendations it must act on.

For financial entities that rely on these providers, DORA means greater peace of mind. Knowing that your third-party service providers are contractually held to defined standards of operational resilience, and that the largest of them are overseen directly, means your business is less likely to be impacted by outages or cyberattacks.

Conclusion

In a nutshell, if a company provides ICT services to an EU financial entity it is an ICT third-party service provider under DORA, and the more critical those services are to the entity’s operations, the more of DORA flows down to the provider. This ensures that providers are held to high standards, making the digital world a safer and more reliable place for everyone. So whether you're running a bakery or a bank, DORA is here to help keep the wheels turning, no matter what.

How does DORA impact non EU based ICT providers?

The EU Digital Operational Resilience Act (DORA) doesn’t just impact companies within the European Union; its reach extends to non-EU-based ICT third-party service providers. If you’re a company outside the EU that provides ICT services to financial entities within the EU, especially services supporting their critical or important functions, DORA is something you need to pay attention to.

DORA reaches non-EU providers in two ways. First, it requires EU financial entities to obtain the same contractual commitments from every ICT service provider regardless of where it is based, so even if your company is located in the United States, Asia, or anywhere else outside the EU, your EU financial services customers will need you to meet DORA’s contractual requirements if you offer them services like cloud computing, cybersecurity, or data management. Second, the largest providers can be designated as critical and overseen directly, wherever they are established.

Key implications for non-EU providers include the need to implement rigorous risk management processes, demonstrate high levels of operational resilience, and be prepared for regular testing and reporting to satisfy their EU customers. For providers designated as critical, the Regulation goes further: DORA Article 31(12) requires a critical ICT third-party service provider established outside the EU to set up a subsidiary within the EU within 12 months of its designation. This point shouldn’t be under-estimated; a local representative is not enough, it has to be a subsidiary.

Failure to comply can result in significant penalties (the Lead Overseer can impose periodic penalty payments on a critical provider of up to 1% of its average daily worldwide turnover) and, more importantly, the potential loss of business: EU financial entities may only use a critical provider established outside the EU if it has set up its EU subsidiary within the 12-month window, and they must be able to terminate any contract that does not meet DORA’s requirements. For non-EU ICT service providers, aligning with DORA’s standards is not just a legal obligation but also a critical step in maintaining and expanding their business in the European market.


Who are we?

We are a team of compliance experts who help businesses of all shapes and sizes, in plain English. We understand that your time is valuable, so we minimise its use by doing things quickly and correctly and by speaking directly to your technical partners.

Our goal is to ensure you have a complete picture of your compliance requirements, the gaps between your current position and DORA’s requirements, and the options for closing them. You can simply ask your providers to close the gaps, or we can work directly with them to ensure they meet the demands.

Confidentiality assured, always.


Copyright © 2024 YourDigitalCTO | All Rights Reserved.  YourDigitalCTO™ is a trade mark of YourDigitalCTO Ltd.

The content of this website is protected by the copyright laws of England and Wales and by international laws and conventions.  No content from this website may be copied, reproduced or revised without the prior written consent of YourDigitalCTO Ltd.  Copies of content may be saved and/or printed for personal use only.