Guide | 22 min read | Updated March 2026

ICT Third-Party Due Diligence Framework

How to build a proportionate third-party ICT risk programme under DORA Article 28

Third-party ICT risk is the area where auditors find the most gaps. Not because entities lack due diligence processes — but because those processes are inconsistently applied, never maintained, and don't cover the full provider population. The risks they miss are often the ones that matter most.

Bottom Line

Every ICT provider must be in your register. Tier 1 providers need full due diligence before onboarding, annually thereafter, and a documented exit strategy. Every contract needs the Art. 30 mandatory clauses. None of this is discretionary — and auditors check all of it.

What Auditors Will Actually Look For

  • A complete provider inventory — including shadow IT, departmental SaaS subscriptions, and embedded software.
  • Documented tiering criteria and evidence that every provider has been assigned a tier.
  • Pre-onboarding DDQ results for Tier 1 and Tier 2 providers — completed before contract signature, not after.
  • Mandatory Art. 30 contractual clauses in every ICT contract — not just critical ones.
  • Annual review evidence for Tier 1 providers: updated DDQs, certification reviews, incident history assessed.
  • A concentration risk assessment reviewed in the last 12 months — covering single-provider, geographic, and technology concentration.
  • Exit strategies for all Tier 1 providers that name specific alternatives and realistic transition timelines.

Common Mistakes

  • Provider inventory that only covers "IT-managed" contracts — missing dozens of departmental SaaS tools that process sensitive data.
  • Tiering applied once at onboarding and never updated when the provider's scope or criticality changes.
  • Exit strategies that say "alternative provider to be identified" — this is not an exit strategy.
  • Annual reviews scheduled but not completed — the calendar entry exists, the evidence does not.

Step 1 — Build a Complete Provider Inventory

You cannot manage risks you haven't mapped. Most entities undercount their ICT providers by 30–50%.

  • Sweep all ICT service contracts: cloud, SaaS, managed services, data processing, network, co-location, and embedded software.
  • Include shadow IT: survey business units, check expense claims and procurement records for unapproved tools.
  • Capture every provider in the ICT Third-Party Provider Register with the ITS-required fields.
  • Map each provider to the business functions and ICT systems it supports.
  • Flag providers that appear across multiple functions or entities — concentration risk indicator.

Expect to find more providers than you thought. Completeness is the baseline — regulators can request the register at any time.

Step 2 — Risk-Based Tiering

Proportionality is a DORA principle. Tier providers so due diligence effort matches actual risk.

Tier, definition, and due diligence level:

  • Tier 1 — Critical. Definition: supports critical or important functions; hard to substitute; high data sensitivity. Due diligence level: full DD — audit, full questionnaire, annual review, exit strategy.
  • Tier 2 — Significant. Definition: supports important functions; moderate substitutability; material data access. Due diligence level: standard DD — questionnaire, document review, biennial review.
  • Tier 3 — Standard. Definition: non-critical functions; easily substitutable; limited data access. Due diligence level: baseline DD — self-certification, periodic review.

Re-tier providers when their scope, criticality, or your dependency on them changes materially. Tiering is not a one-time exercise.

Step 3 — Pre-Onboarding Due Diligence

Due diligence must complete before contract signature — not as a post-onboarding catch-up.

  • Issue a DDQ covering: information security controls, BCP/DR capability, sub-contracting arrangements, financial stability, and regulatory compliance.
  • Request and review certifications: ISO 27001, SOC 2 Type II, PCI-DSS (where applicable). Check they are current.
  • Assess data residency: where will data be stored and processed? Are those jurisdictions acceptable?
  • Review the provider's incident history — ask directly and check public sources.
  • Assess substitutability: how long to migrate to an alternative? Is that timeline within your risk tolerance?
  • Document the assessment outcome and the rationale for proceeding.

Step 4 — Mandatory Contractual Clauses (Art. 30)

Every ICT service contract — not just critical ones — must contain DORA's minimum provisions.

  • Service description and measurable SLAs with breach consequences.
  • Audit and inspection rights — including for the competent authority.
  • Data location disclosure and notification of any changes.
  • Sub-contracting consent and obligation flow-down.
  • BCP and DR commitments from the provider.
  • Exit rights: termination for cause, regulatory direction, and provider financial distress.
  • Security baseline requirements maintained throughout the contract.

For Tier 1 providers, negotiate enhanced audit rights and advance notice obligations for material changes to their supply chain.

Step 5 — Ongoing Monitoring and Exit Planning

Due diligence is a lifecycle activity. A provider assessed once and left alone is an unmanaged risk.

  • Annual review for Tier 1: updated DDQ, refreshed certifications, incident and change assessment.
  • Biennial review for Tier 2; periodic self-certification for Tier 3.
  • Monitor for risk signals: financial distress, major incidents, regulatory sanctions, ownership changes.
  • Exit strategies for all Tier 1 providers must name specific alternatives, realistic transition timelines, and data portability mechanisms.
  • Review sub-contractor chains annually — providers change their own suppliers without proactive disclosure.

3-Step Action Checklist

  1. This week: Pull your current provider inventory and assess completeness. Survey the three largest business units for SaaS tools and subscriptions not in the register. Add anything missing.
  2. This month: Review tiering for your top 10 providers by criticality. Confirm tiering criteria are documented and each provider has been tiered against those criteria within the last 12 months.
  3. This quarter: For every Tier 1 provider, verify an exit strategy exists, names specific alternatives, and has been reviewed in the last 12 months. Escalate any provider without a viable exit strategy to the risk committee.
