Question ID: DORA 215 - 3300
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: Article 28
Status: Final
Date of submission: 24 Mar 2025
Question
I would appreciate a clear answer regarding how financial entities should handle situations involving reselling. According to point 107 of the Q&A: "If the reseller is not providing the ICT service on an ongoing basis, it should not be considered an ICT TPP." Given this statement, how should we treat the effective service provider? For example, if a reseller provides a Microsoft license without any additional services, should financial entities list Microsoft in the register of information? If yes, aside from general terms and conditions, financial entities do not possess a contract with Microsoft in their contractual database. How should the Service Level Agreement (SLA) be treated in this case—should accountability rest with the reseller or with the effective provider (Microsoft)? Additionally, based on the clarification provided in the Q&A, does this imply that in case of reselling without new services from the reseller, all the remediation process should end? Thank you very much for your time and assistance.
EIOPA answer
In line with Article 28(3) of Regulation (EU) 2022/2554 (DORA), the Register of Information is part of the ICT risk management framework of financial entities and should therefore be considered as the financial entity's risk management tool to identify ICT service providers. If a reseller only supplies licenses without providing ICT services on an ongoing basis, it does not qualify as an ICT third-party service provider according to the definition of ICT services provided in Article 3(21) DORA. However, in case the services provided qualify as ICT services, for the purpose of the proper completion of the Register of Information the following two scenarios need to be addressed individually:
1) Existence of a direct contract between the financial entity and the ICT third-party service provider. In this case, the effective ICT service provider should be recorded by the financial entity in the Register of Information.
2) Where no direct contract exists with the effective ICT third-party service provider, the financial entity should record the agreement with the reseller and complement it with any available information on the effective ICT third-party service provider as subcontractor (to this extent, template B_05.02 of the Register of Information as specified in Commission Implementing Regulation (EU) 2024/2956 requires indicating the ICT service supply chain, while template B_05.01 requires indicating all subcontractors included in template B_05.02).