So DORA is nearly here. What does Article 30 mean for CSPs?
1. The Lead Overseer shall assess whether each critical ICT third-party service provider
has in place comprehensive, sound and effective rules, procedures, mechanisms and
arrangements to manage the ICT risks which it may pose to financial entities. That
assessment shall primarily focus on the ICT services supporting critical or important
functions provided by the critical ICT third-party service providers to financial
entities, but may also be broader if relevant to the assessment of the risks to those
functions.
2. The assessment referred to in paragraph 1a shall include:
(a) ICT requirements to ensure, in particular, the security, availability, continuity,
scalability and quality of services which the critical ICT third-party service
provider provides to financial entities, as well as the ability to maintain at all
times high standards of security, confidentiality and integrity of data;
(b) the physical security contributing to ensuring the ICT security, including the
security of premises, facilities, datacentres;
(c) the risk management processes, including ICT risk management policies, ICT business
continuity and ICT disaster recovery plans;
(d) the governance arrangements, including an organisational structure with clear,
transparent and consistent lines of responsibility and accountability rules
enabling an effective ICT risk management;
(e) the identification, monitoring and prompt reporting of major ICT-related
incidents to the financial entities, the management and resolution of those
incidents, in particular cyber-attacks;
(f) the mechanisms for data portability, application portability and interoperability,
which ensure an effective exercise of termination rights by the financial entities;
(g) the testing of ICT systems, infrastructure and controls;
(h) the ICT audits;
(i) the use of relevant national and international standards applicable to the
provision of its ICT services to the financial entities.