What is DORA?
Applying from 17 January 2025, the main objective of DORA is to ensure that financial entities can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) risks and threats. It aims to create a unified approach to digital resilience across the EU, addressing vulnerabilities and reinforcing the stability of the financial system.
Who Does DORA Apply To?
DORA applies to a wide range of financial entities within the European Union, including but not limited to:
• Credit institutions
• Insurance and reinsurance companies
• Investment firms
• Payment service providers
• Electronic money institutions
• Trading venues
• Central counterparties
• Central securities depositories
Additionally, DORA extends its scope to critical third-party service providers that supply ICT-related services to these financial entities, ensuring that the entire supply chain meets stringent resilience standards.
Key Requirements of DORA
- ICT Risk Management
Entities must implement robust ICT risk management frameworks to identify, assess, and mitigate risks.
- ICT Incident Reporting
Firms are required to report significant ICT-related incidents to competent authorities in a timely manner.
- Digital Operational Resilience Testing
Regular testing of ICT systems, controls, and processes must be conducted to ensure resilience.
- ICT Third-Party Risk Management
Entities must manage and mitigate risks stemming from third-party ICT service providers.
- Information Sharing
Firms should participate in information-sharing arrangements to enhance collective cyber defense capabilities.
ICT Third-Party Risk Management Deep Dive
This is one of the core pillars of DORA, emphasizing the need for financial entities to manage and mitigate risks associated with ICT third-party service providers. Effective due diligence processes ensure that vendors comply with security and resilience standards, making it a significant part of this requirement.
ICT Risk Management: While ICT risk management encompasses a broader range of activities, managing third-party risks is a critical component. Due diligence helps identify potential vulnerabilities in third-party services, contributing to the overall ICT risk management framework.
Incident Reporting: Third-party service providers are often involved in ICT incidents. A well-managed vendor oversight process ensures that incidents involving third-party services are reported promptly and accurately, aligning with DORA’s incident reporting requirements.
Digital Operational Resilience Testing: Part of the resilience testing includes evaluating the security measures and resilience of third-party services. A robust due diligence process can ensure that vendors are subject to regular testing and assessments, thereby fulfilling part of this requirement.
Vendor Oversight and Management
The vendor oversight and management process is crucial for several reasons:
Risk Mitigation: Third-party service providers can introduce significant ICT risks. Effective due diligence processes identify and mitigate these risks, protecting the financial entity from potential disruptions or breaches.
Compliance: Ensuring that third-party providers comply with DORA’s standards is essential for the financial entity’s own compliance. Non-compliance by vendors can lead to regulatory penalties and damage to the financial entity’s reputation.
Operational Continuity: Reliable third-party services are critical for maintaining operational continuity. Robust vendor management ensures that third-party services are resilient and capable of supporting the financial entity during disruptions.
Trust and Transparency: Establishing a transparent relationship with third-party providers builds trust and facilitates better collaboration. This is essential for effective incident management and resilience testing.
Cost Efficiency: Identifying potential risks and weaknesses early through due diligence can prevent costly incidents and disruptions. This proactive approach is more cost-efficient compared to addressing issues after they have occurred.
Dasseti Helps Firms Meet DORA Requirements
Dasseti offers a suite of tools that can assist financial entities in meeting a substantial part of DORA's requirements more effectively.
With Dasseti COLLECT, firms can manage their relationships with ICT third-party service providers effectively. The importance of a vendor oversight and management tool cannot be overstated, as it not only ensures compliance but also enhances the overall operational resilience and security of financial entities. Implementing robust due diligence processes is a strategic move for any firm aiming to meet DORA’s standards and safeguard its operations against ICT risks.
For more information on how Dasseti can help your firm comply with DORA’s supply chain oversight requirements, get in touch.