EU Digital Operational Resilience Act (DORA) & Third-Party Risk Management

DORA applies from 17 January 2025, so now is the time for organizations to examine their third-party risk management processes.
By: Scott Lang, VP, Product Marketing | September 03, 2024

In response to the growing number of cyber-attacks testing the resilience of the European financial system, the European Union (EU) Parliament passed legislation in 2022 (Regulation (EU) 2022/2554) to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector can maintain resilience through severe operational disruptions.

DORA creates a regulatory framework for digital operational resilience in the financial sector under which in-scope financial entities must be able to demonstrate that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats. The Act sets uniform requirements for the security of network and information systems. Chapter V sets out how financial entities must manage the risk arising from all providers of information and communication technology (ICT) services, such as cloud platforms or data analytics services, and establishes a direct oversight regime for those providers designated as critical to the financial sector.

This post examines key DORA articles related to third parties and identifies best practice capabilities that can be used to address DORA Chapter V requirements.


DORA Chapter V: Managing of ICT Third-Party Risk

DORA Chapter V sets out the controls and processes that financial entities must operate (Section I) and the oversight framework that regulators apply to critical ICT third-party service providers (Section II).

Section I: Key Principles for a Sound Management of ICT Third-Party Risk

Section I aims to ensure that financial entities appropriately manage and mitigate the risks stemming from their use of ICT services provided by third parties. A summary of its requirements follows.

Risk Management Framework

Financial entities must assess the risks arising from their ICT third-party providers, including operational, concentration, and systemic risks, taking into account the criticality of the services provided. The degree of risk management and oversight is expected to be proportional to the criticality of the ICT service and the potential impact of its failure on the financial entity. This is known as the proportionality principle.

Due Diligence

Financial entities must conduct comprehensive due diligence before entering into contracts with ICT third-party service providers, assessing the provider's ability to deliver services reliably, securely, and in line with regulatory expectations. After the contract is signed, continuous monitoring is required to confirm that the provider maintains the expected level of operational resilience, including compliance with the agreed security standards.

Contractual Requirements

Contracts between financial entities and ICT third-party service providers must include detailed provisions on risk management, making the provider accountable for mitigating risks and maintaining operational continuity; Article 30 lists the key contractual provisions. Contracts must also include termination rights that allow the financial entity to exit the relationship if the provider fails to meet regulatory or operational resilience requirements. For ICT services supporting critical or important functions, financial entities must have documented and tested exit strategies, so that they can maintain operational resilience if a key service provider is no longer available.

Concentration Risk and Dependency Management

Financial entities must monitor concentration risk in their use of ICT third-party providers, especially where a few providers dominate the market or where one provider underpins several critical functions. Organizations must develop contingency plans for disruptions caused by such concentration and are encouraged to diversify their ICT service providers wherever practical.

ICT Third-Party Risk Register

Financial entities must maintain a register of information covering all contractual arrangements with ICT third-party providers, including details of the contracts, the criticality of the services (distinguishing those that support critical or important functions), and the associated risk assessments. This register must be kept up to date, reported on to the competent authority at least yearly, and made available in full on request.

Resilience Testing

DORA's resilience testing obligations (Chapter IV) cover the ICT systems supporting a financial entity's critical or important functions, including those operated by third parties. To make that testable, contracts for services supporting critical or important functions must oblige the provider to participate and fully cooperate in the financial entity's threat-led penetration testing (Article 30(3)(d)), and financial entities are expected to assess, through exercises or stress scenarios, how the provider would handle a major disruption or cyberattack.

Sub-Outsourcing

If an ICT third-party provider subcontracts part of the service, the financial entity must assess the resulting subcontracting chain and ensure that the subcontractor is subject to the same standards of due diligence, monitoring, and risk management as the primary provider, particularly where the service supports a critical or important function.

Third-Party Risk Scenarios

Financial entities are encouraged to analyze different third-party risk scenarios, such as cyberattacks or large-scale outages, and develop recovery and contingency plans for such events.

Section II: Oversight Framework of Critical ICT Third-Party Service Providers

Section II establishes the rules for supervising ICT third-party service providers designated as critical (CTPPs). For each CTPP a Lead Overseer is appointed from among the European Supervisory Authorities to assess the provider's risk management and resilience practices, with powers to request information, conduct investigations and on-site inspections, and issue recommendations, together with corresponding requirements on the CTPP to report on the corrective measures it takes.

DORA introduces direct oversight mechanisms for critical ICT third-party providers, requiring them to comply with additional reporting and operational resilience standards. The goal is to ensure that these critical ICT providers uphold high standards of operational resilience and contribute to the overall stability of the financial system.


How Prevalent Can Help Simplify DORA Third-Party Risk Management Compliance

Chapter V, Section I, Articles 28-30 of the Digital Operational Resilience Act (DORA) establish several requirements aimed at ensuring that financial entities appropriately manage and mitigate the risks stemming from their use of information and communication technology (ICT) services provided by third parties. These are the practices that TPRM professionals need to implement; the oversight regime in Section II applies to the critical providers themselves, and a financial entity's own records and assessments are what supervisors will ask to see.

However, it is impractical to adequately assess, continuously monitor, and manage third-party adherence to DORA requirements using manual, spreadsheet-based risk assessment methods. Prevalent can help.

The Prevalent Third-Party Risk Management (TPRM) Platform is a central, automated solution for assessing, monitoring, and managing third-party service provider risk in concert with your broader cybersecurity and enterprise risk management program. With Prevalent, your team can:

  • Centralize the distribution, discussion, retention, and review of third-party service provider contracts to ensure that key requirements are included, agreed upon, and enforced with key performance indicators (KPIs) and key risk indicators (KRIs). Prevalent Contract Essentials includes a workflow that automatically moves contracted vendors into formal due diligence.
  • Build a comprehensive inventory of all third-party service providers and fourth and Nth party dependencies and concentrations as a single third-party register of truth for enterprise stakeholders.
  • Gauge inherent risk to inform service provider profiling, tiering, and categorization – and to determine the appropriate scope and frequency of ongoing due diligence activities.
  • Automate the resilience risk assessment and remediation process across every stage of the third-party lifecycle using an extensive library of more than 750 questionnaire templates tuned to multiple best practices frameworks and built-in remediation guidance.
  • Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities and incorporating those insights to validate third-party service provider controls.
  • Automate third-party incident response with programmatic monitoring, assessments, and response management.
  • Automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

For more on how Prevalent can simplify DORA third-party risk management compliance, download our complete DORA Third-Party Risk Management checklist or request a demonstration today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
