ICT TPPs (Third party service providers)

14 Jun 2024 | International

DORA affects third-party ICT providers to financial institutions by imposing mandatory rules on their operations.

Services for ICT service providers include:

1.  Advice on the implementation of DORA regulation, in particular the following topics:

  • Analysing whether the ICT service provider and ICT services fall under the effect of DORA
  • Analysing whether the ICT service/service provider qualifies as one that supports a critical or important function of the financial entity
  • Analysing whether the ICT service provider qualifies as key (critical) provider
  • Due diligence by financial institutions
  • Registration of LEI numbers
  • Interplay between NIS2 and DORA

2.  Assistance in the preparation of the necessary DORA documentation:

  • Preparing a checklist for internal policies and procedures
  • Internal policies, such as Information Security Policy, ICT Business Continuity Plan, Disaster Recovery Plan
  • Incident management policies and processes

3.  Training for board members and employees responsible for DORA compliance:

  • Preparing the training materials: PPT presentation and Word summary
  • Answering client-specific questions

4.  Assistance in contracting with financial institutions:

  • Preparing a DORA contract template with financial institutions, including the mandatory contractual provisions
  • Preparing a DORA questionnaire for self-assessment purposes
  • Preparing a DORA due diligence questionnaire for ICT subcontractors
  • Assisting in completing the due diligence questionnaire of financial institutions
  • Negotiating all the DORA contracts with ICT service providers:
      • Preparing the ICT service provider specific DORA contracts, including the individually negotiated parts from the previous outsourcing contracts
      • Negotiating the contracts with the financial institutions

5.  Assistance in reporting and managing ICT-related incidents/events to the financial institution:

  • Assisting in risk analysis
  • Assisting in classification of ICT-related incidents/events
  • Preparing incident reports
  • Assisting in crisis communication

6.  Special services to critical ICT service providers:

  1. Analysing whether the ICT service provider qualifies as key (critical) provider
  2. Representation within the supervisory framework before the lead authority in the various proceedings (general investigation, controls, continuous supervision, etc.)
