Exploring Digital resilience third-party registers
Summarize
Summary of Exploring Digital Resilience Third-Party Registers
The Digital resilience third-party registers application enables financial entities to maintain detailed registers of contractual arrangements with ICT third-party service providers, ensuring compliance with the EU's Digital Operational Resilience Act (DORA). This application supports ICT Third-party Risk Management by allowing entities to manage, assess, and report on their third-party ICT risks at various organizational levels.
Show less
DORA, effective from January 17, 2025, mandates financial entities supervised by European Supervisory Authorities to strengthen ICT security and operational resilience against digital disruptions. The regulation requires comprehensive risk strategies, assessments, and governance policies related to ICT third-party providers.
Key Features
- Application Support: Starting with Release 19.1.x, ServiceNow supports DORA compliance through the Digital Operational Resilience Management and Digital Resilience Third-party Information Register applications.
- Data Management: Users can create, edit, and manage third-party contracts, functions, branches, and supply chains either individually or in bulk via Microsoft Excel uploads/downloads or through the graphical user interface (GUI).
- Access and Licensing: IRM Professional license holders can access the registers via the Operational Resilience Workspace, while TPRM license holders use the TPRM Workspace.
- Regulatory Compliance: The application helps track ICT third-party risks, supports oversight by EU competent authorities, and assists European Supervisory Authorities in identifying critical ICT third-party providers for supervision.
- Register of Information (RoI): The application supports generation and validation of RoI regulatory reporting packages required under DORA, ensuring data meets regulatory standards.
Practical Implications for ServiceNow Customers
- Financial entities can ensure they meet DORA’s regulatory requirements by maintaining an up-to-date, comprehensive register of all relevant ICT third-party service providers, including direct providers, intra-group providers, subcontractors, and ultimate parents.
- Customers can automate and streamline data collection and reporting processes, reducing manual effort and enhancing accuracy in third-party risk management.
- The ability to manage records via Excel templates or GUI offers flexibility to fit existing workflows and facilitates bulk data handling for large volumes of third-party information.
- By leveraging this application, financial entities can strengthen their ICT risk management frameworks, improve operational resilience, and support regulatory audits and supervisory reviews.
The Digital resilience third-party registers application empowers the financial entities to maintain registers of contractual arrangements with Information and Communication Technology (ICT) third-party service providers and comply with Digital Operational Resilience Act (DORA) regulation.
Applications for DORA compliance
- Digital Operational Resilience Management: This application is used for uploading and downloading of all individual DORA tables.
- Digital Resilience Third-party Information Register: This application is used to download the Digital resilience third-party registers. The application contains the Microsoft Excel template that includes all tabs for reporting purposes. It helps the financial entities to maintain a comprehensive register of their contractual
arrangements with ICT
Third-party service providers at the individual entity, sub-consolidated, and consolidated levels.
Customers use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.
Note:The IRM Professional license users can access Digital resilience third-party registers in the Operational Resilience Workspace. The TPRM license users can access Digital resilience third-party registers in the TPRM Workspace.The Digital resilience third-party registers application fulfills multiple functions for the entities:- Assists the entities in tracking their ICT third-party risks.
- Empowers the competent authorities in European Union to oversee ICT and third-party risk management within financial entities.
- Aids European Supervisory Authorities (ESA) in identifying Critical ICT third-party service providers (CTPP) for EU level supervision.
Digital Operational Resilience
Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT related capabilities that are needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. The continuity can be achieved directly or indirectly with the services provided by the ICT third-party service providers.
Digital Operational Resilience Act (DORA)
Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). It is a European Union (EU) regulation that came into effect on 16 January 2023 and it will be applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESA)s and protects Europe's financial sector from major digital disruptions.
Regulatory Technical Standards
DORA Regulation mandates that financial entities incorporate and periodically review a strategy for managing ICT third-party risk within their ICT risk management framework. This strategy must include a policy governing the use of ICT services that support critical or important functions, as provided by third-party ICT service providers.
A financial institution's policy on using third-party ICT service providers plays a crucial role in defining key aspects of its governance, risk management, and internal control frameworks for these services. Financial entities must perform risk assessments and due diligence before signing contracts with third-party ICT service providers. They must also ensure they can terminate these arrangements if needed and maintain business continuity for critical or important functions. For instance, an action could be necessary where the service is not optimal, external ICT systems malfunction, or the service is disrupted due to sanctions.
Pillars for DORA
- ICT Risk Management
- ICT Incident Reporting
- Digital Operational Resilience Testing
- ICT Third-party Risk Management
- Information and Intelligence Sharing
Processing the records using GUI or Microsoft Excel
Customers can manage the contractual arrangements by processing the records by using the graphical user interface (GUI) or by importing or exporting Microsoft Excel files in the Digital resilience third-party registers application.
For information on processing the records through the graphical user interface (GUI) or by importing or exporting Microsoft Excel files, see Using Digital resilience third-party registers.
Accessing the Digital resilience third-party registers application
- Beginning with Release 19.1.x, customers who already have the Operational Resilience or the TPRM applications can access the Digital resilience third-party registers.
- These customers can download, install, and start using the Digital resilience third-party registers application.
Digital resilience third-party registers in Operational Resilience Workspace
Upon opening the Operational Resilience Workspace, the menu featuring Digital resilience third-party registers is displayed.
Digital resilience third-party registers in the TPRM Workspace
For information on Digital resilience third-party registers in the TPRM Workspace, see Third-party Risk Management.