# ICT Third-Party Risk Policy (DORA)

> Draft the ICT third-party risk management policy required by DORA Art. 28 and RTS 2024/1773, covering strategy, due diligence, contractual provisions (Art. 30), monitoring, exit planning, concentration risk, and sub-outsourcing governance.



Tags: DORA, Third-Party Risk, ICT Outsourcing, EU Regulation, Financial Services, Vendor Management


## Example Prompts

- Draft our DORA ICT third-party risk policy for supervisory review
- Define exit strategies for our critical cloud service providers
- Assess ICT concentration risk across our third-party arrangements
- Establish the contractual provisions checklist per DORA Art. 30

URL: https://rakenne.app/skills/dora-third-party-policy/index.md

Try this skill: https://rakenne.app/a/?skill=dora-third-party-policy



## Overview

Draft the ICT third-party risk management policy required by DORA Art. 28 and RTS 2024/1773, covering strategy, due diligence, contractual provisions (Art. 30), monitoring, exit planning, concentration risk, and sub-outsourcing governance.

## What It Covers

- **ICT third-party risk strategy** aligned with the digital operational resilience strategy (Art. 28(2))
- **Due diligence process** for prospective ICT service providers, including financial stability, security capabilities, and substitutability assessment
- **Art. 30 contractual provisions** checklist covering SLAs, data locations, audit rights, termination rights, incident notification, and data return/deletion
- **Ongoing monitoring** framework with KPIs/KRIs, audit planning, and escalation procedures
- **Exit strategies** for critical function providers with transition plans, data portability, and tested contingency measures (Art. 28(8))
- **ICT concentration risk** assessment across providers, geographies, and technology platforms (Art. 29(2))
- **Sub-outsourcing governance** with notification, right-to-object, and chain monitoring requirements (RTS 2025/0532)
- **Governance and oversight** including management body reporting, three lines of defense, and record keeping

## Example Conversation

> **You:** We are a mid-sized payment institution regulated by the Dutch central bank. We use three cloud providers for core payment processing, fraud detection, and customer authentication. Draft our ICT third-party risk policy for DORA compliance ahead of supervisory review.
>
> **Agent:** I'll start by collecting your entity context. Can you confirm: (1) your current ICT third-party landscape -- which providers support which critical functions? (2) Do you have an existing vendor management framework we can build on? (3) Are any of your providers likely designated as critical ICT TPPs under Art. 31?
>
> **You:** Provider A runs our core payment gateway (critical). Provider B handles fraud detection (critical). Provider C does customer identity verification (important). We have a basic vendor register in a spreadsheet but no formal policy. Provider A may be designated critical given its market share.
>
> **Agent:** I've built the initial policy JSON with your entity profile, mapped the three providers to critical/important functions, and drafted the TPP strategy section including risk appetite and management body approval requirements. I'm now working on the due diligence framework. Since Provider A may be designated critical, I'm adding specific provisions for Lead Overseer cooperation under Arts. 31-44. Let me also draft the concentration risk section -- having core payments on a single provider is a key risk area.
>
> **You:** Good. Make sure exit strategies are robust -- our regulator specifically asked about exit readiness for the payment gateway.
>
> **Agent:** I've drafted the exit strategy for Provider A with two alternative providers pre-assessed, a 6-month maximum transition period, data portability requirements (ISO 20022 message formats), and interim degraded-mode operations. I'll now run `dora_tpp_policy_checker` to validate completeness before we review the full document.
>
> **Agent:** The checker found 0 errors and 2 warnings: (1) missing third-country provider policy -- recommended since Provider C operates from the UK post-Brexit, and (2) missing group-level concentration assessment. I'll add a third-country policy section addressing UK adequacy and update the concentration assessment. After that, the policy will be complete for supervisory review.

## Sample Output Excerpt

Excerpt from a DORA ICT third-party risk policy for a mid-sized payment institution.

---

### 1. Policy Scope and Objectives

This ICT Third-Party Risk Policy applies to all contractual arrangements for the use of ICT services provided by third-party service providers to [Entity Name], a payment institution authorized under Directive (EU) 2015/2366 (PSD2) and supervised by De Nederlandsche Bank (DNB).

**Regulatory basis:** Regulation (EU) 2022/2554 (DORA) Art. 28, Art. 29, Art. 30; Commission Delegated Regulation (EU) 2024/1773; Draft RTS on sub-outsourcing (RTS 2025/0532).

**Objectives:**
- Ensure that ICT third-party risk is managed as an integral component of the entity's digital operational resilience strategy
- Maintain full regulatory compliance regardless of outsourcing arrangements
- Protect critical payment processing functions from third-party disruptions

### 4. Art. 30 Contractual Provisions Checklist

| Provision | Article | Required for all | Additional for critical | Status |
|-----------|---------|:---:|:---:|--------|
| Service description and SLAs | Art. 30(2)(a) | Yes | Full SLAs with remedies | Review pending |
| Data processing locations | Art. 30(2)(b) | Yes | -- | NL, DE, IE confirmed |
| Data protection (DAIA) | Art. 30(2)(c) | Yes | -- | GDPR DPA in place |
| Audit rights | Art. 30(3)(e) | -- | Yes | Annual on-site scheduled |
| Termination rights | Art. 30(2)(f) | Yes | -- | 90-day notice, material breach |
| Exit assistance | Art. 30(3)(f) | -- | Yes | 6-month transition, data migration |
| Sub-outsourcing conditions | Art. 30(2)(g) | Yes | Right to object | Notification clause added |
| Incident notification | Art. 30(2)(h) | Yes | -- | 4-hour initial report |
| Data return and deletion | Art. 30(3)(g) | -- | Yes | ISO 20022 export, certified deletion |

### 7. Exit Strategy -- Provider A (Core Payment Gateway)

**Trigger events:** Material breach of SLAs (>3 incidents in 12 months), provider insolvency filing, regulatory direction from DNB, critical TPP designation with adverse findings from Lead Overseer.

**Alternative providers:** Provider X (pre-assessed, pilot environment available) and Provider Y (assessed, reference checks complete). Both support ISO 20022 message formats and real-time settlement.

**Maximum transition period:** 6 months from activation to full cutover, with a 3-month parallel-run phase.

**Interim measures:** Degraded-mode operation with reduced transaction throughput (batch processing instead of real-time for non-critical payment types), manual reconciliation procedures, daily status reporting to DNB.


## Built-in Validation Tools

The skill includes an extension tool that validates the completeness of the ICT third-party risk policy against DORA requirements.

### What the tool checks

| Check | `dora_tpp_policy_checker` |
|-------|:-------------------------:|
| **Entity profile** | Entity type, size/complexity, group structure, competent authority |
| **TPP strategy (Art. 28(2))** | Risk appetite, strategic objectives, critical function policy, resilience strategy integration, management body approval |
| **Due diligence** | Financial stability, security capabilities, BCDR, geographic assessment, data protection, substitutability |
| **Contractual provisions (Art. 30)** | All 10 mandatory provision categories: SLAs, data locations, data protection, audit rights, authority cooperation, termination, exit assistance, sub-outsourcing, incident notification, data return/deletion |
| **Ongoing monitoring** | Performance review, security posture, KPI/KRI framework, audit plan, incident tracking, escalation procedures |
| **Exit strategies (Art. 28(8))** | Transition plans, data portability, maximum transition period, exit plan testing |
| **Concentration risk (Art. 29(2))** | Provider dependency map, critical failure scenarios, geographic concentration, mitigation strategies |
| **Sub-outsourcing (RTS 2025/0532)** | Notification requirements, right to object, chain monitoring, sub-contractor assessment, register maintenance |
| **Governance** | Approval authority, oversight responsibility, management body reporting, record keeping |

Errors are raised for missing mandatory elements. Warnings flag recommended but non-mandatory items such as third-country provider policy, financial viability monitoring, three lines of defense alignment, and Information Register update processes.

### Example validation output

```
========================================================================
DORA ICT Third-Party Risk Policy — Completeness Check
(Art. 28, Art. 29, Art. 30 / RTS 2024/1773 / RTS 2025/0532)
========================================================================

--- Errors (must fix) ---
  [ERROR] Exit strategies: missing — Exit plan testing.
  [ERROR] Concentration risk: missing — Geographic concentration assessment.

--- Warnings (recommended) ---
  [WARNING] TPP strategy: missing third-country provider policy — recommended for entities using non-EU providers.
  [WARNING] Governance: missing three lines of defense alignment — recommended for supervisory expectations.

========================================================================
```

Run the checker after building the policy structure to identify gaps before finalizing the document for supervisory review.
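As an added illustration of the error/warning split the checker applies (this is not the skill's own `dora_tpp_policy_checker` code, whose schema is not published on this page; the section and element key names below are assumed), a small Python completeness check over a policy dictionary:

```python
from typing import Dict, List, Tuple

# Assumed JSON key names for a subset of the sections and elements in the check table above.
MANDATORY: Dict[str, List[str]] = {
    "tpp_strategy": ["risk_appetite", "strategic_objectives", "critical_function_policy",
                     "resilience_strategy_integration", "management_body_approval"],
    "exit_strategies": ["transition_plans", "data_portability",
                        "maximum_transition_period", "exit_plan_testing"],
    "concentration_risk": ["provider_dependency_map", "critical_failure_scenarios",
                           "geographic_concentration", "mitigation_strategies"],
}
# Recommended but non-mandatory items: absence yields a warning, not an error.
RECOMMENDED: Dict[str, List[str]] = {
    "tpp_strategy": ["third_country_provider_policy"],
    "governance": ["three_lines_of_defense_alignment"],
}
LABELS = {"tpp_strategy": "TPP strategy", "exit_strategies": "Exit strategies",
          "concentration_risk": "Concentration risk", "governance": "Governance"}

def _missing(policy: dict, rules: Dict[str, List[str]]) -> List[str]:
    """One message for every rule element that is absent or empty in the policy."""
    found = []
    for section, keys in rules.items():
        data = policy.get(section) or {}   # a missing section fails every element in it
        for key in keys:
            if not data.get(key):
                found.append(f"{LABELS[section]}: missing - {key.replace('_', ' ').capitalize()}.")
    return found

def check_policy(policy: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): mandatory gaps are errors, recommended gaps are warnings."""
    return _missing(policy, MANDATORY), _missing(policy, RECOMMENDED)

def render(errors: List[str], warnings: List[str]) -> str:
    """Lay the findings out like the sample validation output on this page."""
    lines = ["--- Errors (must fix) ---"] + [f"  [ERROR] {e}" for e in errors]
    lines += ["", "--- Warnings (recommended) ---"] + [f"  [WARNING] {w}" for w in warnings]
    return "\n".join(lines)

# Constructed sample policy: exit plan testing and the geographic assessment are left out.
SAMPLE_POLICY = {
    "tpp_strategy": {k: True for k in MANDATORY["tpp_strategy"]},          # complete section
    "exit_strategies": {"transition_plans": ["Provider A -> X/Y"], "data_portability": "ISO 20022",
                        "maximum_transition_period": "6 months"},           # no exit plan testing
    "concentration_risk": {"provider_dependency_map": {"Provider A": ["core payment gateway"]},
                           "critical_failure_scenarios": ["gateway outage"],
                           "mitigation_strategies": ["alternative providers"]},  # no geographic check
    "governance": {"approval_authority": "Management Board"},
}
```

`print(render(*check_policy(SAMPLE_POLICY)))` reproduces the two-error, two-warning shape shown in the example output.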

## Getting Started

Activate the *ICT Third-Party Risk Policy (DORA)* skill and provide your entity context. The agent will walk you through each section of the policy.

Have this information ready:

- Your entity type and regulatory classification (credit institution, payment institution, investment firm, insurance undertaking, crypto-asset service provider, etc.)
- Your competent authority and any national transposition measures that apply
- A list of ICT third-party providers and the services they deliver (cloud infrastructure, core processing, communication, cybersecurity, data analytics)
- Which functions are classified as critical or important under DORA Art. 3(63)
- Any existing vendor management documentation, due diligence records, or contractual templates
- Your group structure, if applicable (parent entity, subsidiaries, shared service arrangements)
- Known concentration risk concerns (single-provider dependencies, geographic clustering)

If the **DORA Information Register** skill has been completed, the agent will reference it for provider inventory and contractual arrangement data -- you will not need to re-enter that information.

The skill produces a complete ICT third-party risk policy with appendices: Art. 30 contractual provisions checklist, due diligence questionnaire template, KPI/KRI definitions, and exit plan template.



