Question ID: 3501 - DORA 286
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 28
Status: Final
Date of submission: 26 Jan 2026
Question
Does an ICT provider’s NIS2 status (including classification as a critical or essential entity) in any way limit the applicability of DORA Articles 28–30 for a financial entity, particularly regarding the requirement to include DORA-aligned contractual provisions and obtain the cooperation needed for ICT third-party risk management?
Background of the question
A financial entity subject to Regulation (EU) 2022/2554 (DORA) is procuring ICT services from a third-party provider. The provider is an electronic communications provider and mobile network operator that, in addition to connectivity services, offers a broad portfolio of business ICT services, including managed cyber security capabilities (such as SOC monitoring and incident handling), SME-focused cyber security solutions (including DNS-based protection), and IT support services (remote and onsite support, system management and backups). The provider also offers IoT connectivity and data platform services and delivers private 5G network solutions for industrial and critical infrastructure use cases. In the contracting and due diligence context, the provider indicates that it is subject to NIS2 as a critical or essential entity and therefore questions the applicability of DORA-driven ICT third-party risk management provisions (including contractual annexes and information or assurance requests).
EIOPA answer
Recital 16 establishes DORA as lex specialis to NIS2 for financial entities. Article 28(1)(a) requires financial entities to remain fully responsible for all DORA obligations, which cannot be delegated. Article 30(3)(e)(i) explicitly states that audit and access rights shall not be “impeded or limited by other contractual arrangements or implementation policies”. However, the NIS2 status of the ICT service providers is not a condition framing the application of DORA Articles 28 to 30. Therefore, financial entities must ensure contracts with NIS2-regulated providers comply with these requirements.