Question ID: 2673
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: N/A
Status: Rejected
Date of submission: 06 Jun 2023
Question
If a firm is referring its staff to an online third-party ID verification provider and the third-party immediately passes its ratings to the firm via an API, but only stores the data for 30 days, could this be viewed as an outsourcing arrangement or not?
Background of the question
Thinking of accepting a TPRM role.
EIOPA answer
This question has been rejected because it is an institution-specific question requiring bespoke advice.