Using digital resilience third-party registers

  • Release version: Washingtondc
  • Updated January 30, 2025

    Summary of Using Digital Resilience Third-party Registers

    The Digital Resilience Third-party Information Register application, part of the Vendor Management Workspace, allows you to create, update, and track assessments, branches, legal entities, and contractual arrangements with ICT third-party service providers. This application supports compliance with the Digital Operational Resilience Act (DORA) and is essential for maintaining a comprehensive register of these arrangements across various levels of financial entities.


    Key Features

    • Record Management: Create and manage records for legal entities, branches, functions, third parties, engagements, contracts, supply chains, and assessments using Excel upload and download functionalities.
    • Compliance Support: Assists in meeting DORA regulations and enables tracking of ICT third-party risks.
    • User Access: Different roles can access the application, including IRM Professional and TPRM license users, with specific permissions for creating, updating, and deleting records.
    • Reporting Capabilities: Includes a Microsoft Excel template for efficient reporting of contractual arrangements and digital resilience information.

    Key Outcomes

    Utilizing the Digital Resilience Third-party Information Register helps financial entities ensure compliance with DORA, enhance operational resilience, and maintain oversight of third-party risks. This results in improved security for ICT-related capabilities, enabling continuous provision of financial services even amid disruptions. By systematically updating and managing third-party records, organizations can effectively document engagements and contractual obligations, aligning with regulatory requirements.

    Use the Digital Resilience Third-party Information Register application in the Vendor Management Workspace to create, update, and track assessments, branches, legal entities, and so on, and maintain registers of contractual arrangements with ICT third-party service providers.

    Digital resilience third-party registers

    Beginning with Release 19.1.x, the Digital Resilience Third-party Information Register application is supported for DORA compliance in the Vendor Management Workspace.

    The Digital Resilience Third-party Information Register application is used to download the Digital resilience third-party registers. The application contains the Microsoft Excel template that includes all tabs for reporting purposes. It helps financial entities maintain a comprehensive register of their contractual arrangements with ICT third-party service providers at the individual entity, sub-consolidated, and consolidated levels.

    You can use Digital resilience third-party registers to create or edit the records in bulk or individually for assessments, branches, contracts, functions, legal entities, supply chains, third parties, or third-party engagements using the Microsoft Excel upload and download feature.

    Note:
    The IRM Professional license users can access Digital resilience third-party registers in the Operational Resilience Workspace. The TPRM license users can access Digital resilience third-party registers in the TPRM Workspace.
    The Digital resilience third-party registers application fulfills multiple functions for the entities:
    • Assists the entities in tracking their ICT third-party risks.
    • Empowers the competent authorities in the European Union to oversee ICT and third-party risk management within financial entities.
    • Aids European Supervisory Authorities (ESA) in identifying Critical ICT third-party service providers (CTPP) for EU level supervision.
    For more information on configuring Digital resilience third-party registers and its possible use cases, see Configuring Digital resilience third-party registers and Use cases for updating the information registers.

    Digital Operational Resilience

    Digital Operational Resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability. It ensures that the entity has the full range of ICT related capabilities that are needed to secure its network and information systems. These systems support the continuous provision of financial services and maintain their quality, even during disruptions. The continuity can be achieved directly or indirectly with the services provided by the ICT third-party service providers.

    Digital Operational Resilience Act

    Digital Operational Resilience aligns with the Digital Operational Resilience Act (DORA). DORA is a European Union (EU) regulation that came into effect on January 16, 2023 and is applicable from January 17, 2025. It enhances the ICT security of financial entities supervised by the European Supervisory Authorities (ESAs) and protects Europe's financial sector from major digital disruptions.

    For more information on DORA and the Digital Resilience Third-party Information Register application, see https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act and Exploring Digital resilience third-party registers.

    Creating records for Digital resilience third-party registers

    Third-party risk (TPR) assessors [sn_vdr_risk_asmt.vendor_assessor] and TPR managers [sn_vdr_risk_asmt.vendor_manager] can create and update these records by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. You must create or update these records in a specific sequence. For more information on this sequence, see Creating and reviewing the records.
    Note:
    TPR assessors and TPR managers can delete Third party, Third-party engagement, and Contract records. TPR administrators [sn_vdr_risk_asmt.vendor_risk_admin] can delete all record types by navigating to each individual record and selecting Delete.

    The following example shows how records appear in the Digital resilience third-party registers in the Vendor Management Workspace.


    Example that shows how records are shown in the Digital resilience third-party registers.
    The following records can be manually created and updated.
    Legal entities

    You can create a legal entity record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can view existing legal entities and enhance their digital resilience information to comply with DORA regulations. After you install the Digital Resilience Third-party Information Register application, a Legal Entities tab is added for existing companies that aren’t already defined as a third party, enabling you to add their details. The Legal Entity record includes essential fields for regulatory reporting, such as the Legal Entity Identifier (LEI), name, country of registration, and entity type. These fields are offered as choice lists within the system. The system acknowledges the entity hierarchy: no additional details are required for ultimate parents, while subsidiaries must specify their parent entity. The date of registration for each legal entity is also noted. Additionally, specific details such as the last update, integration date, removal status, deletion date, currency used, and total asset value are documented for each entity. Regulators mandate these details for legal entities engaging with external third parties for outsourced technical services.

    Note:
    Existing third parties aren’t shown in the Legal entities list. Company records can only be defined as a Third party or Legal entity. For companies and legal entities, the Vendor option is set to False. (The check box isn’t selected.)

    For more information, see Create a legal entity and enhance digital resilience data, Create New Company form, and Create New Legal entity form.

    Branches

    You can create a branch record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. This enables you to enhance the branch's digital resilience information to help ensure compliance with DORA regulations. A legal entity can operate multiple branches across different cities or countries, and all these branches can be documented. When a new branch is established, its information must be included for regulatory reporting. Some common details captured include the branch name and description, owner's details, business units and departments for reporting purposes, whether the branch is a head office or another type, the branch ID, and its originating country. The branch number is auto-generated, and once all details are complete, the information is ready to be captured in the information register.

    For more information, see Create a branch and enhance digital resilience data and Create New Branch form.

    Function

    You can create a function record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the function identifier, license activity, function name, and criticality or importance assessment. Each function represents a specific service or group of services as defined by the Digital Operational Resilience Act (DORA). The function record is used to capture detailed information about each function, including descriptive text. Once the function record is created, you can enhance its digital resilience information to help ensure compliance with DORA regulations, effectively documenting the usage of ICT services provided by third parties.

    For more information, see Create a function and enhance digital resilience data and Create New Function form.

    Third parties

    You can access and view existing third-party records by selecting the Third parties list within the Digital resilience third-party registers in the Vendor Management Workspace. After installing the Digital resilience third-party registers, a Digital Resilience Information tab is added on the third-parties page, enabling you to set up the digital resilience information details.

    Here, you can view the legal entity ID of the third party, which can be captured by the Value Added Tax (VAT) number or Company Registration Number (CRN). You can specify the country of registration and its code, which the system uses to generate the ID. Additionally, you can indicate whether the third party is an ultimate parent or a subsidiary, include the name of the ICT third party and the type of service they provide (for example, Software as a Service), and optionally note if an individual acts on behalf of the organization. You can also select the reporting currency and input the total annual expense for this engagement.

    For more information, see Create a third party and enhance digital resilience data, Create New Company form, and Create New ICT third-party service provider form.

    Engagements

    You can access and view existing third-party engagement records by selecting the Third-party engagements list within the Digital resilience third-party registers in the Vendor Management Workspace. After you install the Digital resilience third-party registers, the Digital Resilience Information tab is added on the third-party engagements page, enabling you to set up the digital resilience information details.

    Here you can view the third party's name, its type, annual spend, engagement tier, and other relevant information. You can enhance the record's digital resilience information by creating ICT third-party service provider records. Add ICT third-party service provider details such as the name of the service provider, its identification code, type of ICT services, currency, and so on. This enhances the digital resilience information of its associated third-party engagement for compliance with DORA regulation.

    For more information, see Create a third-party engagement and enhance digital resilience data, Create New Third-party engagement form, and Add Digital resilience information to third-party engagements.

    Contracts
    You can create a contract record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the vendor name, start and end dates, state, substate, and other relevant information. Once the contract record is established, you can enhance its digital resilience information to help ensure compliance with the DORA regulations.

    The Digital resilience third-party registers provide details about who within your organization is using externally outsourced ICT services, which functions and branches are using them, and who the third-party providers and their engagements are. Contracts serve as the link between these aspects, binding legal entities, branches, and functions to third parties and their engagements.

    You can access these contracts through the Contracts list in the Digital resilience third-party registers. Alternatively, to view contracts for a specific legal entity, go to the legal entity's record, open the Legal Entities tab, and navigate to the different Contracts-related tabs. Select the contract that you want and navigate to the Digital Resilience Information tab. Then, proceed to the Contract Details tab to view the necessary information. The form specifies who uses the ICT service. If the entity signing the contract differs from the one using it, that detail is included in the record, along with the service provider. Details captured in these records can include data storage and processing locations, data sensitivity and service provider reliance, contract and termination details, annual assessments, and contractual reference numbers.

    For more information, see Create a contract and enhance digital resilience data, Create New Contract form, and Create New Contractual arrangement form.

    Supply chains
    You can create a supply chain record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here you can capture details of the supply chain such as the type of the ICT services, Legal Entity Identifier (LEI) of the entity that provides the ICT services, and so on.

    For more information, see Create a supply chain and enhance digital resilience data and Create New ICT service supply chain form.

    Assessments

    You can create an assessment of the ICT service record by navigating to the Digital resilience third-party registers in the Vendor Management Workspace. Here, you can add details such as the contractual arrangement reference number, identification code, and type of code for the ICT third-party service provider. Once the assessment is created, you can enhance its digital resilience information to help ensure compliance with the DORA regulation. You are required to review your contracts and third parties annually.

    For more information, see Create an assessment and enhance digital resilience data and Create New Assessment of the ICT service.

    For more information on the roles related to using Digital resilience third-party registers, see Roles in Third-party Risk Management.

    Uploading and downloading records

    In addition to creating individual records, TPR assessors and TPR managers can request the download of records using the Excel download/upload requests feature. For more information, see Create a Microsoft Excel download request and Create New Excel download/upload request form.
    Note:
    You need the TPR administrator role to edit and delete Excel download/upload requests.

    TPR administrators can create and update records in bulk using the Excel download/upload requests feature. For more information, see Create records in bulk and Update existing records in bulk.

    The following example shows where you can view and create Excel download/upload requests.


    Example that shows where you can view and create Excel download/upload requests.
    Note:
    If you have the Third-party assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer] role, you can export a list of each record type by navigating to the list of records you want in the Digital resilience third-party registers in the Vendor Management Workspace.