Exploring Digital resilience third-party registers

  • Release version: Washingtondc
  • Updated September 23, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exploring Digital Resilience Third-Party Registers

    The Digital Resilience Third-Party Registers application is designed for financial entities to manage their contracts with ICT third-party service providers in compliance with the Digital Operational Resilience Act (DORA). This application allows for the maintenance of comprehensive registers at various organizational levels, aiding in the management of third-party risks and ensuring regulatory compliance.

    Show full answer Show less

    Key Features

    • Digital Operational Resilience Management: Facilitates the uploading and downloading of DORA tables.
    • Digital Resilience Third-Party Information Register: Provides an Excel template for recording and reporting on ICT third-party service provider contracts.
    • Bulk and Individual Record Management: Users can create or edit records for assessments, contracts, and third-party engagements using Excel upload/download capabilities.
    • Workspace Access: Available in both Operational Resilience and TPRM workspaces depending on the user's license.

    Key Outcomes

    By utilizing the Digital Resilience Third-Party Registers application, financial entities can:

    • Effectively track and manage ICT third-party risks.
    • Ensure compliance with DORA regulations, enhancing the security of their operations.
    • Facilitate oversight by competent authorities and European Supervisory Authorities regarding third-party risk management.
    • Automate the population of information registers, streamlining the management of contractual details.

    This application empowers financial entities to safeguard their operational integrity and maintain service continuity, even during disruptions. Ensuring compliance with DORA not only protects the organization but also contributes to the stability of the wider financial sector.

    The Digital resilience third-party registers application empowers the financial entities to maintain registers of contractual arrangements with Information and Communication Technology (ICT) third-party service providers and comply with Digital Operational Resilience Act (DORA) regulation.

    Applications for DORA compliance

    Beginning with Release 19.1.x, the following applications are supported for ICT Third-party Risk Management as part of DORA compliance.
    • Digital Operational Resilience Management: This application is used for uploading and downloading of all individual DORA tables.
    • Digital Resilience Third-party Information Register: This application is used to download the Digital resilience third-party registers. The application contains the Microsoft Excel template that includes all tabs for reporting purposes. It helps the financial entities to maintain a comprehensive register of their contractual arrangements with ICT Third-party service providers at the individual entity, sub-consolidated, and consolidated levels.

      Customers use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.

      Note:
      The IRM Professional license users can access Digital resilience third-party registers in the Operational Resilience Workspace. The TPRM license users can access Digital resilience third-party registers in the TPRM Workspace.
      The Digital resilience third-party registers application fulfills multiple functions for the entities:
      • Assists the entities in tracking their ICT third-party risks.
      • Empowers the competent authorities in European Union to oversee ICT and third-party risk management within financial entities.
      • Aids European Supervisory Authorities (ESA) in identifying Critical ICT third-party service providers (CTPP) for EU level supervision.

    Digital Operational Resilience

    Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT related capabilities that are needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. The continuity can be achieved directly or indirectly with the services provided by the ICT third-party service providers.

    Digital Operational Resilience Act (DORA)

    Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). It is a European Union (EU) regulation that came into effect on 16 January 2023 and it will be applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESA)s and protects Europe's financial sector from major digital disruptions.

    Regulatory Technical Standards

    DORA Regulation mandates that financial entities incorporate and periodically review a strategy for managing ICT third-party risk within their ICT risk management framework. This strategy must include a policy governing the use of ICT services that support critical or important functions, as provided by third-party ICT service providers.

    A financial institution's policy on using third-party ICT service providers plays a crucial role in defining key aspects of its governance, risk management, and internal control frameworks for these services. Financial entities must perform risk assessments and due diligence before signing contracts with third-party ICT service providers. They must also ensure they can terminate these arrangements if needed and maintain business continuity for critical or important functions. For instance, an action could be necessary where the service is not optimal, external ICT systems malfunction, or the service is disrupted due to sanctions.

    Pillars for DORA

    Digital Operational Resilience Act (DORA) comprises the important pillars:
    1. ICT Risk Management
    2. ICT Incident Reporting
    3. Digital Operational Resilience Testing
    4. ICT Third-party Risk Management
    5. Information and Intelligence Sharing
    Pillars.
    Note:
    Operational Resilience, Release 19.1.x focuses on the ICT Third-party Risk Management pillar only.

    Processing the records using GUI or Microsoft Excel

    Customers can manage the contractual arrangements by processing the records by using the graphical user interface (GUI) or by importing or exporting Microsoft Excel files in the Digital resilience third-party registers application.

    For information on processing the records through the graphical user interface (GUI) or by importing or exporting Microsoft Excel files, see Using Digital resilience third-party registers.

    Licensing requirements

    Users can access the Digital resilience third-party registers application in the following ways:
    • Beginning with Release 19.1.x, customers who already have the Operational Resilience or the TPRM applications can access the Digital resilience third-party registers.
    • These customers can download, install, and start using the Digital resilience third-party registers application.

    The licensing information and the associated workspaces are listed in the following table.

    Table 1. Licensing and associated workspaces
    License Application displayed in the UI Associated workspaces
    IRM Professional Digital resilience third-party registers Operational Resilience Workspace
    TPRM Digital resilience third-party registers TPRM Workspace

    Digital resilience third-party registers in Operational Resilience Workspace

    Upon opening the Operational Resilience Workspace, the menu featuring Digital resilience third-party registers is displayed.

    Workspace menu.

    Digital resilience third-party registers in the TPRM Workspace

    For information on Digital resilience third-party registers in the TPRM Workspace, see Third-party Risk Management.