
DORA and third-party ICT risk management: What MICA authorised CASPs and financial institutions in Poland need to know

  • Admin
  • Feb 28
  • 2 min read

The Digital Operational Resilience Act (DORA) introduces strict third-party ICT risk management requirements for financial institutions. From 17 January 2025, all CASPs and financial entities in Poland must ensure outsourced ICT services meet stringent resilience and security standards.


🔹 Key DORA Requirements for Third-Party ICT Risk


✅ Governance & Accountability – Entities must integrate third-party ICT risks into their overall risk management framework, with oversight proportionate to the criticality of each outsourced service. Importantly, outsourcing does not transfer responsibility – the institution remains accountable for compliance and risk management even when ICT services are outsourced.


✅ Due Diligence & Risk Assessment – Before engaging any ICT service provider, institutions should conduct thorough due diligence to ensure the provider can meet required security and resilience standards. This includes assessing potential concentration risk (e.g. if many critical operations rely on a single vendor) and preparing contingencies to mitigate such risk.


✅ Robust Contractual Terms – Contracts with ICT providers should include strong provisions to manage risk. DORA mandates that agreements clearly define security and service level requirements, grant the institution audit and access rights, require incident reporting, and include termination clauses allowing the firm to exit the arrangement if the provider breaches obligations or falls short on resilience.


✅ Continuous Monitoring – Once a third-party service is in use, the entity must continuously monitor the provider’s performance and security, and periodically test its operational resilience.


✅ Register & Regulatory Oversight – DORA requires entities to maintain an up-to-date register of all ICT third-party service providers and contracts, including details on the services’ criticality and associated risks.


🔹 Local Implementation in Poland


DORA applies automatically from January 2025, with a national implementation law in progress. The Polish Financial Supervision Authority (KNF) has confirmed that institutions must comply immediately, even before full local transposition.

