Question ID: DORA050 - 3021
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT third-party risk management (DORA)
Article: Security and Data Protection Objectives Directly Applicable to CTPP
Status: Rejected
Date of submission: 29 Feb 2024
Question
1. What are the DORA Objectives directly applicable to CTPP?
2. Which types of CTPP are impacted by DORA?
3. What would the audit process look like?
4. What are the steps in the audit for CTPP?
5. Who would be the auditors assessing the requirements for CTPP?
6. What kind of evidence is required to prove conformance with the CTPP requirements?
7. How will scoping be performed for CTPP, and what could be the boundaries?
Background of the question
What is the requirement which needs to be followed by the CTPP for a Financial institution to be compliant with the DORA requirement?
EIOPA answer
This question has been rejected because some of the issues it deals with are already explained or addressed in DORA (Regulation (EU) 2022/2554), which became applicable on 17 January 2025, as well as associated delegated and implementing acts, and guidelines and recommendations, adopted under these legislative acts. The provisions are sufficiently clear and unambiguous. For the rest of the questions, these are either: questions that seek to reinterpret the regulation; questions which do not identify an issue of practical implementation; and questions seeking confirmation of a requirement already clearly set out in the regulation.