Question ID: DORA188 - 3200
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: 28(5)
Status: Final
Date of submission: 06 Dec 2024
Question
What are the standards Article 28(5) is referring to?
Article 28(5)
Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.
EIOPA answer
Appropriate information security standards refer to the industry best practices and standards. Due to the evolving nature (up to date) of the standards, the L1 text cannot refer to a specific set of standards.