ICT TPP

ICT Third-Party Service Provider

DORA (Regulation (EU) 2022/2554) · Article 3(19)

Definition

An undertaking providing ICT services to financial entities. Under DORA, financial entities must manage ICT third-party risk through contractual arrangements that include specific provisions on data access, audit rights, exit strategies, and subcontracting. Critical ICT TPPs are subject to the EU oversight framework.

What is an ICT Third-Party Service Provider?

An ICT Third-Party Service Provider (ICT TPP) is an undertaking that provides digital and data services through ICT systems to one or more users on an ongoing basis. In the context of DORA, the term specifically covers providers of cloud computing, software, data analytics, and data centre services to financial entities.

Contractual Requirements

Under Articles 28–30 of DORA, financial entities must include specific provisions in their contractual arrangements with ICT TPPs covering: service level descriptions, data location and processing, audit rights and access, exit strategies, incident notification, and subcontracting chains. Key contractual provisions for critical or important functions are set out in Article 30.

Critical ICT TPPs and the Oversight Framework

DORA establishes an EU-level oversight framework (Articles 31–44) for critical ICT third-party providers designated by the European Supervisory Authorities. Designated critical ICT TPPs are subject to a Lead Overseer (one of EBA, ESMA, or EIOPA) who conducts assessments, issues recommendations, and can impose periodic penalty payments for non-compliance.
