How Will DORA Change the Approach to Vendor Management and Outsourcing in Regulated Institutions? | Poland

The EU’s Digital Operational Resilience Act (DORA) will apply from 17 January 2025, and banks and other financial services entities need to start readying themselves. Łukasz Łyczko and Aleksandra Bańkowska of PwC discuss how the implications of DORA will be significant and may heavily impact business activity, in particular vendor management and outsourcing practices of financial institutions.

Published on 15 September 2023
Łukasz Łyczko, PwC, Chambers expert focus contributor
Aleksandra Bańkowska, PwC, Chambers expert focus contributor

Main pillars of DORA

Information and communication technologies (ICT) risk management is the first area regulated by DORA. The creation of a framework for managing ICT risk, one that governs and directs all activities related to ICT risk management, is one of the most crucial points of the whole regulation. Many of the practical provisions will depend on the Regulatory Technical Standards to be produced by the European Supervisory Authorities.

The second pillar of DORA is ICT-related incident management, which consists of setting up an ICT-related incident management process and developing the capabilities needed to supervise, manage and track such incidents. This pillar also contains the requirements for drawing up ICT risk scenarios together with a list of threats, and for updating the relevant documents accordingly.

The third pillar requires financial services entities to regularly test their operational resilience. The programme should include various tests, including open-source analyses, vulnerability assessments and scans, gap analyses, as well as network security assessments.

The fourth pillar focuses on the risk associated with the use of third-party ICT providers. Such use creates an obligation to put in place, and regularly update, policies governing that use and the risks associated with it, so as to ensure the highest level of digital security. The regulation requires obliged entities to ensure that their contracts with ICT third-party providers contain all the necessary requirements, in particular monitoring and accessibility details such as a full service-level description and an indication of the locations where data is processed. Even stricter rules will apply to critical and important functions.

The last pillar consists of guidelines that encourage collaboration among trusted communities of other financial entities.

Impact on vendor management and outsourcing relations

Digital security issues have not so far been strictly regulated in hard law. Up until now, such issues were either subject to soft law issued by local authorities (eg, the Polish Financial Supervisory Authority's soft law on cloud computing and ICT) or addressed through ICT industry standards introduced by the IT departments of financial institutions. As a result, there is still no uniform practice or approach on how these issues should be reflected in relations with third parties. Since financial institutions are becoming more and more dependent on IT service providers, this is particularly important.

As of 2025, DORA will provide uniform and comprehensive rules on how co-operation with third-party IT providers should be structured. In practice, financial institutions will be obliged to reflect this in their internal processes and procedures regarding vendor management and outsourcing.

Moreover, the approach to contracting with such providers will also have to change (eg, new contracting internal standards will be implemented). The upcoming changes will additionally affect the current IT outsourcing agreement portfolio since it will most likely also need to be amended.


It seems that DORA’s impact on outsourcing relations and vendor management will be considered as one of the key practical implications of DORA for the EU market. Also, from the IT providers’ perspective, it may change how co-operation with financial institutions is structured and managed.

How to act?

Given the many new rules, regulations and requirements that firms will need to adhere to in the near future, we see considerable room for legal teams to assist financial services entities with implementation right away. In order to fulfil the requirements of all DORA pillars, it is necessary to analyse the gaps in the existing ICT risk management framework and to identify which of the firm's procedures must be changed or newly created.


With the introduction of the list of minimum contractual provisions that should be included in outsourcing contracts, the pressure on financial entities is incredibly high. Legal teams will be needed to provide support in both negotiating outsourcing contracts and making sure that the contracts are up to the DORA standards. Although certain provisions will be specified later in the implementing regulations, there is no doubt in which direction the changes will go.
