The deadline for achieving complaince with the Digital Operational Resilience Act (DORA) will be here before you know it, with enforcement beginning in January 2025. With Third-Party Risk Management being the central focus of the EU regulation, it’s imperative to cater your TPRM program to the DORA regulation to achieve sustainable compliance.
In this post, we outline the DORA requirements related to third-party risk management and explain how to comply with them.
Download your free DORA assessment workbook >
Third-Party Risk Management Requirements of DORA
The Digital Operational Resilience Act (DORA) has two primary objectives:
- To streamline the integration of ICT risk management processes across all EU regulations, including the GDPR.
- To mitigate the cybersecurity risks of outsourcing operations to ICT third-party providers
The aspects of DORA specifically related to Third-Party Risk Management are found in Articles 28-44 under the Management of ICT Third-Party Risks section. For simplicity, the major TPRM requirements of this article set are summarized in a single list below.
Learn more about the Digital Operations Resilience Act >
ICT risks include any information security vulnerabilities that could compromise information system security if exploited.
- Responsibility for Compliance: Financial entities must track and manage the impact of third-party ICT service relationships on regulatory and legal compliance obligations.
- Strategy and Policy Development: The financial sector should establish a strategy for managing risks related to ICT third-party relationships, especially for critical business operations.
- Risk Assessment and Due Diligence: Before engaging with ICT third-party service providers, financial entities should perform thorough due diligence to assess each prospective provider's alignment with the entity's information security standards.
Learn more about vendor due diligence > - Information Security Standards: Financial entities should only contract and board ICT third-party service providers that meet defined information security standards.
- Contractual Arrangements: Financial institutions should clearly distinguish between contractual arrangements with third-party ICT service providers supporting critical functions. This information should be kept up-to-date in a register.
- Audit and Inspection Rights: Financial entities should pre-determine the frequency with which each ICT third-party service provider will be audited and which specific areas will be audited. This decision should be made with a risk-based approach in line with accepted audit standards. Financial entities should ensure auditors possess the technical skills to perform highly complex audits effectively.
- Termination Conditions: Financial entities should ensure contractual arrangements with third-party ICT service providers can be quickly terminated in any of the following circumstances:some text
- The ICT third-party service provider has breached any applicable laws, regulations, or contractual terms.
- It has been discovered through monitoring efforts that the ICT third-party service provider is unable to effectively meet the service level agreements outlined in contractual arrangements.
- The risk management efforts of the ICT third-party service provider demonstrate weaknesses that could negatively impact the availability, authenticity, integrity, and confidentiality of data - regardless of sensitivity.
- Exit Strategies: Financial entities should establish exit strategies for ICT third-party service relationships involving critical functions. These exit strategies should ensure efficient relationship termination with minimal business disruption and without limiting compliance with regulatory requirements.
- Transition Plans and Contingency Measures: To minimize business disruptions or the quality of services the Financial Entity provides its clients, the transitional plan should be in place for moving data to new third-party services in the event of contract termination.
- Regulatory and Technical Standards Development: The European Supervisory Authority (ESA) is tasked with developing, implementing, and regulatory technical standards to further detail the policies related to third-party ICT service use, considering the financial entity's risk profile and service complexity.
6-Step Guide: Implementing a TPRM program that complies with DORA
To adjust your existing Third-Party Risk Management program to meet the requirements of DORA, follow this 6-step framework of best practices.
If you haven’t yet implemented a TPRM program, add this TPRM implementation guide to your reading list.
1. Get familiar with the ESA rules
The European Supervisory Authorities (EBA, EIOPA, and ESMA) have published a series of Regulatory Technical Standards (RTS) that should be met to comply with DORA. These standards cover:
- Standards for ICT risk management frameworks.
- Standards for the classification of ICT-related incidents.
- Standards for specifying policies for ICT third-party service providers supporting critical functions.
- Guidelines for templates collecting ICT third-party supplier information and contractual arrangements.
Familiarize yourself with these risk management standards and compare them with the standards of your current TPRM program. Then, draft a high-level gap analysis and alignment roadmap between your current and idealistic ICT risk management states.
2. Map all of your ICT systems and assets
To understand the risk profile of your internal and third-party ICT architecture, you must first map all your ICT assets. This effort should help you understand how your ICT assets are networked into your current digital environment, the types of data flowing in and out of them, and the specific security vulnerabilities of each ICT asset.
Your mapping efforts should identify ICT systems processing critical information and your critical business functions.
Mapping the attack surface of your ICT infrastructure may require implementing an Attack Surface Management (ASM) program. For an overview of how to map your attack surface with ASM, watch this video.
3. Perform regular disaster recovery tests
An essential requirement of DORA is to ensure minimal impact on critical functions in the event of an ICT-related operational disruption. Financial entities should incorporate regular realistic disruption tests on their ICT infrastructure. These incident response tests should involve ICT disruptions caused by popular cyber attack events such as ransomware attacks and data breaches.
Learn how to defend against ransomware with this ultimate guide >
Your incident recovery simulations should account for reporting major ICT-related incidents to regulators within 72 hours.
4. Establish a culture of operational resilience
DORA compliance can’t be established with a set-once-and-forget approach. To achieve the operational resilience expectations set by DORA, financial entities must implement a broader sense of resilience that ties together all departments into a single resilience objective. This will require deeper cross-department collaboration and a reshuffling of conventional risk management structures.
Some suggestions include:
- Establishing operational resilience accountability at the senior management level.
- Regularly communicate ICT risk management performance with senior management through clear and concise reporting. This will support senior management’s accountability expectations.
- Educating staff on identifying and responding to digital risks internally and across ICT third-party vendors (cyber threats, supply chain stability threats, and threats to personal data safety).
- Giving risk management teams more active roles during onboarding and procurement stages to evaluate potential risks before initiating contracts. For greater efficiency, external scans should be augmented into due diligence processes.
- Assigning procurement teams more active roles in tracking how each ICT third-party service provider's performance aligns with their contractual obligations, ideally, throughout the entire lifecycle of each third-party vendor relationship.
5. Establish a single source of truth for DORA compliance
To further encourage a company-wide cultural shift towards greater operational resilience, create a single reference delineating the primary duties your staff may be required to complete to support corporate DORA compliance.
This guide should be easily accessible by all staff and cover the following details:
- Communication guidelines with stakeholders and national competent authorities in the event of a major ICT-related incident.
- Data protection best practices in line with European Union and European Commission standards.
- Incident reporting guidelines for cyber threats.
- Incident management guidelines, including remediation guidelines for critical threats.
- Guidelines for operational resilience testing (including penetration testing) and appropriate action for fully addressing all vulnerabilities discovered during these tests.
- Information sharing guidelines between all risk management teams - TPRM, business continuity, procurement, and risk management teams.
6. Tier third-party vendors based on level of criticality
Critical ICT Third Party Providers should be grouped separately from your list of third-party providers and subject to greater monitoring levels. Monitoring efforts should aim to discover security vulnerabilities that could disrupt supply chain operations and general operational resilience.
Besides processing sensitive customer information, a critical third-party provider is also identified by a risk profile closely aligned with your defined risk appetite.
Learn how to calculate your risk appetite for TPRM >
Vendor Risk Management platforms, like UpGuard, include a vendor tiering feature for conveniently segregating vendor lists based on a defined criticality criteria.
Separating Critical Third Party Providers (CTPPs) into a single tier will support the new oversight power of the European Supervisory Authority to assess CTPPs and even ask them to change their security practices.
How UpGuard Can Help
UpGuard offers an end-to-end Vendor Risk Management platform that can identify your most critical third-party vendors and help you manage the complete lifecycle of their cyber risks. UpGuard’s Vendor Risk platform also provides automatic compliance mapping and reporting against DORA through NIST CSF and ISO 27001 for you and your vendors.
