Reference · 15 min read · Updated March 2025

RTS/ITS on ICT Third-Party Risk

Contractual requirements, the register of information, and the CTPP oversight framework under DORA Arts. 28–30

Third-party ICT risk is the area where DORA audits produce the most findings. Contracts signed before January 2025 that haven't been updated, registers populated once and never maintained, exit plans that exist on paper but have never been tested — these are the patterns auditors know to look for.

Bottom Line

DORA mandates specific contractual clauses in every ICT service contract, a prescriptive register of information for all third-party providers, and exit strategies for anyone supporting a critical function. The deadline for contract updates was 17 January 2025. If you missed it, document your remediation plan — because your auditor will ask.

What Auditors Will Actually Look For

  • A complete, current register of information covering every ICT third-party provider — not just the obvious ones.
  • Evidence that legacy contracts were reviewed and updated (or a documented remediation plan where renegotiation is ongoing).
  • Audit rights clauses in contracts — specifically the right for the financial entity and competent authority to conduct on-site inspections.
  • Exit strategies for all providers supporting critical or important functions: transition timelines, named alternatives, data portability mechanisms.
  • A documented concentration risk assessment — including geographic concentration — reviewed at least annually.
  • Sub-contractor visibility: who your providers are sub-contracting to, and whether those sub-contractors have been assessed.
  • If you use a CTPP (Critical Third-Party Provider): evidence of cooperation with the Lead Overseer and responses to information requests.

Common Mistakes

  • Register populated at DORA go-live and never updated — new providers added, old ones never removed.
  • Audit rights clause present in contract but never exercised — regulators treat an unexercised right as a gap in oversight.
  • Exit strategies that name "alternative providers TBD" — vague plans do not satisfy the requirement.
  • No sub-contractor mapping: the entity knows its direct providers but not what those providers outsource to.

Mandatory Contractual Clauses (Art. 30 RTS)

Every ICT service contract — not just critical ones — must contain these minimum provisions. Absence of any clause is a direct compliance finding.

  • Service description and SLAs: defined availability, performance metrics, and consequences of breach.
  • Audit rights: right for the financial entity and its competent authority to audit the provider, including on-site.
  • Data location: provider must disclose where data is processed and stored, and notify of any changes.
  • Sub-contracting: prior consent required before sub-contracting material services; obligations must flow down.
  • Business continuity: provider must maintain and test a BCP for services provided to the entity.
  • Exit and termination: explicit exit rights including termination for regulatory direction or provider financial instability.
  • Cooperation: provider must cooperate with supervisory authorities and provide information on request.
  • Security requirements: minimum ICT security standards the provider must maintain throughout the contract.

Deadline for legacy contract updates was 17 January 2025. If renegotiation is still in progress, maintain a written remediation plan with target dates — and make sure it's progressing.

The Register of Information (Art. 28 ITS)

The ITS prescribes exact fields. A register that is missing fields, out of date, or covers only "important" providers will not pass scrutiny.

  • Provider identity: legal name, registration number, LEI, country of incorporation.
  • Service category: type of ICT service (cloud, software, data, network, etc.).
  • Criticality classification: whether the service supports a critical or important function.
  • Contract reference: contract ID, start date, expiry date, renewal terms.
  • Data residency: countries where data is stored, processed, or transmitted.
  • Sub-contractors: identity of material sub-contractors and their residency.
  • Concentration risk flag: whether the provider is shared across multiple group entities.
  • Last risk assessment date and outcome.

The register must be submitted to the competent authority on request. Keep it live — not a point-in-time spreadsheet.

Critical Third-Party Provider (CTPP) Designation

The ESAs can designate ICT providers as "critical" based on systemic importance. If you use a designated CTPP, you have additional obligations.

  • Designation is based on: number and type of financial entities using the provider, substitutability, and systemic impact of failure.
  • Each CTPP is assigned a Lead Overseer (EBA, ESMA, or EIOPA) based on primary sector served.
  • CTPPs must cooperate with the Lead Overseer — document requests, information submissions, and inspection responses.
  • Non-compliance by a CTPP can result in fines of up to 1% of daily worldwide turnover.
  • Financial entities using CTPPs should monitor Lead Overseer recommendations — they signal where your provider may need to improve.

3-Step Action Checklist

  1. This week: Pull your register of information and verify it is complete and current. Identify any providers added or removed in the past 6 months that are not reflected. Flag any contracts still missing mandatory clauses.
  2. This month: Review exit strategies for your top 5 providers by criticality. Confirm each names specific alternatives (not "TBD"), includes a realistic transition timeline, and has been reviewed in the past 12 months.
  3. This quarter: Commission a sub-contractor mapping exercise for your three most critical providers. Where your providers sub-contract material services, confirm those sub-contractors are visible and assessed in your third-party risk register.
