Meeting EU Digital Operational Resilience Act (DORA) Third-Party Risk Requirements

The EU has introduced legislation to improve the resilience of financial entities, and includes provisions for third-party business resilience. Here's an overview of DORA guidelines pertaining to third-party risk and how Prevalent can help.
Scott Lang
VP, Product Marketing
September 23, 2022

In response to increasing numbers of cyber-attacks, the European Union (EU) Parliament introduced legislation to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector is able to maintain resilience during severe operational disruptions.

DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector. It also applies to critical third parties that provide ICT (Information and Communication Technology) services to the financial services industry, such as cloud platforms or data analytics services. DORA creates a regulatory framework for digital operational resilience whereby all firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats.

This post examines key DORA articles related to third parties and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to address DORA requirements.

DORA Third-Party Business Resilience Requirements

Broadly speaking, there are nine articles identified in Chapter V of the Digital Operational Resilience Act (DORA) that address third-party business resilience. We examine those articles below and identify key Prevalent capabilities that address the requirements.

Article 25: General Principles

Article 25 states that, “Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles …” To summarize, the principles address areas including contract management, third-party criticality, reporting, pre-contract due diligence, auditing, and exit strategies.

The Prevalent Third-Party Risk Management Platform is a SaaS solution that automates workflows required to identify, assess, manage, continuously monitor, report on, and remediate third-party IT security, privacy, compliance, operational, and procurement/supply chain-related risks throughout the vendor lifecycle.

Key solution capabilities that address Article 25 requirements include:

  • Contract lifecycle management to ensure that key performance indicators (KPIs) are established and tracked from the beginning of the relationship
  • Automated profiling and tiering of all third parties to ensure that vendors are managed according to service criticality and other factors
  • A central vendor profile that includes demographic information, fourth-party dependencies, financial information, data breach history, and any adverse business news that may impact the business relationship
  • Comprehensive and automated due diligence assessments to ensure that third parties have essential IT security controls in place
  • Built-in remediation recommendations to mitigate the risk of third-party IT security weaknesses
  • Dozens of compliance reporting templates to streamline the auditing process
  • Programmatic third-party offboarding to reduce the organization’s risk of post-contract exposure

Article 26: Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements

Article 26 includes provisions to guide entities in assessing concentration risk and the risk associated with fourth and Nth parties, including recommendations for risk monitoring and contractual requirements.

Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.

Suppliers are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as to uncover sanctions and politically exposed persons (PEP) tied to each organization.

Together, these capabilities help to identify third-party concentration risk and fourth parties in the extended vendor ecosystem.

Article 27: Key Contractual Provisions

Article 27 includes guidance for ensuring that third-party vendor contracts include rights and obligations that can be continuously assessed.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. The Prevalent platform also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:

  • Central tracking of all contracts and contract attributes such as type, start and end dates, value, reminders, and status – with customized, role-based views
  • Workflows based on user or contract type to automate the progression of contract lifecycles
  • Automated reminders and overdue notices to keep reviews on track
  • Centralized contract discussions and comments, plus the ability to limit discussions to internal participants only
  • Contract and document storage with role-based permissions and audit trail tracking
  • Version control tracking capabilities that enable document changes to be reviewed offline
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

By simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes, Prevalent ensures that key contract provisions are tracked to successful outcomes.

The DORA Third-Party Compliance Checklist

This comprehensive checklist examines key articles in DORA Chapter V: Managing of ICT Third-Party Risk and provides guidance for meeting the requirements.


Article 28: Designation of Critical ICT Third-Party Service Providers

Article 28 identifies key criteria for entities to consider for designating their third-party service providers as critical.

The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and to determine the criticality and scope of ongoing assessments.

Prevalent enables organizations to classify third parties based on multiple criteria, including:

  • Type of content required to validate controls
  • Criticality to business performance
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and implications
  • Reputation

The Prevalent platform’s tiering and categorization capabilities enable organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.

Article 29: Structure of the Oversight Framework

Article 29 describes how to establish and govern a third-party risk management program, including identifying key roles.

Prevalent partners with our customers to build comprehensive third-party risk management (TPRM) programs that are based on proven best practices and extensive real-world experience. Our professional services experts collaborate with customers on everything from defining TPRM processes and selecting assessment questionnaires and regulatory frameworks, to continually evaluating and optimizing the TPRM program to address the entire third-party risk lifecycle.

As part of this process Prevalent helps to define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds to identify risks based on appetite
  • Assessment and monitoring methodologies based on business criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

eBook: 25 KPIs and KRIs for Third-Party Risk Management

The 25 Most Important KPIs and KRIs for Third-Party Risk Management will put you on the path to more effective communication regarding your TPRM program.


Article 32: Request for Information and Article 33: General Investigations

Articles 32 and 33 explain how to conduct audits and other related investigations, including identifying the types of data to collect.

Prevalent provides the foundation for a mature third-party risk management program by helping security and risk management teams address risks across every stage of the vendor lifecycle. The Platform delivers:

  • Automated vendor onboarding and offboarding
  • Automated profiling, tiering, and inherent and residual risk scoring
  • Automated fourth-party mapping and vendor demographics
  • A vast library of standardized and custom risk assessments with automated risk creation, workflow, tasks, and supporting evidence management
  • Native continuous cyber, business, reputational, screening, and financial risk monitoring to correlate risks against assessment results and validate findings
  • Executive, program and operator-level reporting that is backed by machine learning analytics to normalize and correlate findings from multiple sources
  • Automated compliance and risk reporting by framework or regulation
  • Remediation management with built-in guidance
  • Contract and RFX management to facilitate more complete risk management prior to onboarding

Prevalent includes more than 750 questionnaire templates in its platform’s survey library, plus tens of thousands of completed assessments in its network exchanges. This enables organizations to assess third parties against multiple risk domains, from cybersecurity and data privacy to business and operational resilience.

Article 34: Onsite Inspections

Article 34 describes processes for onsite controls reviews and audits.

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses and then map the responses to SIG, SCA, ISO, SOC 2, AITECH, and/or other control frameworks. We also work with customers to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help organizations reduce risk with their existing resources.

Article 35: Ongoing Oversight

Article 35 describes processes for ongoing management of a third-party risk management program, including continuous monitoring and obligations for regular reporting to relevant authorities.

To simplify ongoing oversight of third-party risk management programs, Prevalent delivers continuous risk monitoring, remediation guidance, and compliance reporting.

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.

Built-in remediation recommendations accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.

The Platform includes dozens of pre-built compliance and risk reporting templates by framework or regulation to simplify ongoing audits.

Next Steps for DORA Compliance

Prevalent helps financial organizations ensure their digital operational resilience by:

  • Building a comprehensive, agile and mature third-party risk management program based on proven financial industry best practices
  • Enforcing key ICT security contract provisions throughout the third-party relationship lifecycle
  • Automating the identification and assessment of critical third parties based on their criticality to the organization
  • Continuously monitoring for cybersecurity, business, financial and reputational risks – and correlating findings with assessment results
  • Delivering remediation recommendations to reduce third-party residual risk
  • Including templates to simplify regulatory and security framework audit reporting to multiple internal and external stakeholders

For more on how Prevalent can help address the requirements set forth in Chapter V of the Digital Operational Resilience Act (DORA), download the guide or request a demo today.


Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
