Events like the recent CrowdStrike outage, which affected organisations worldwide, grounded flights in almost every city, and shut down some of the largest companies, underscored the importance of building digital resilience. Digital resilience is an organisation’s ability to react to, respond, and recover from incidents that disrupt operations. Digital resilience is comprised of data privacy, cybersecurity, compliance, and enterprise risk management initiatives.
As incidents like outages, ransomware, and cyber-attacks rise, the need for formal governance and guidance becomes more pressing. To meet this, the EU has introduced The Digital Operational Resilience Act (DORA) to help financial organisations become more resilient, secure, and proactive in managing risks.
DORA goes into effect 17 January, 2025, and creates a single financial services cybersecurity regulation for all of Europe. The goal of DORA is to define and strengthen cybersecurity protections, standards, and frameworks to ensure the security and resiliency of networks and information systems at these organisations and their relevant third parties.
It requires financial services businesses to build, test, and validate that they can withstand, respond to, and recover from information security threats and potential services disruptions within specific criteria.
A key point in DORA is ensuring minimal disruption to consumer access to financial services. It is intended to lower consumer and investor costs by decreasing the number and costs of incidents and recovery efforts.
DORA applies to financial services entities and their information and communications technology (ICT) third parties operating within the EU, as well as ICT infrastructure providers (i.e., cloud services, software providers, data centers, internet and email hosting companies) that are outside the EU.
Approximately 22,000 financial services companies, including banks, credit ratings and payment institutions, investment firms, insurance companies (as well as crypto-asset providers, and crowdfunding services) and their third parties are under DORA’s jurisdiction.
DORA overseers can levy fines on businesses (including third parties) of up to 1% of the average daily worldwide turnover in the previous business year, and fines may accumulate every day for up to six months, until the business achieves compliance.
Third parties, and third-party risk management (TPRM), are central to the DORA regulation. Financial services companies must ensure that their critical third parties comply with the requirements of DORA, which are covered in chapter V which covers specific third-party businesses, obligations, and resiliency strategies.
The scale, interdependencies, criticality of the service, processes, functions, and impact on service continuity and quality affect whether and how a third party is included in DORA requirements. Financial services businesses must define whether and how an ICT third party is considered critical to the business.
Some of the guidance around ICT third-party providers within DORA include:
Organisations must also be focusing on their indirect suppliers, as well. Requirements within DORA include fourth-party mapping, continuous monitoring, compliance and risk reporting by framework or regulation, and requirements for built-in guidance.
Any third parties (or 4th parties) outside of the EU must provide assurances of data protection, enforcement, bankruptcy and other laws within those countries that can ensure urgent recovery of data and services should there be a disruption or exit.
DORA requires establishment and governance of a TPRM programmes with clear roles, responsibilities, and processes, including risk assessments, scoring, tiering, workflows, reporting, mitigation, monitoring, and remediation strategies.
A critical component of effectively managing third parties is contract management. DORA authorities require a central third-party register and report of all ICT vendors an organisation engages with at least annually, including:
All of a third party’s services must be managed under a single contract that is in writing, centrally accessible (with role-based permissions, version control), and downloadable.
The contracts must include clear and complete descriptions of all services (including where fourth parties are involved). Information that must be included are a criticality assessment, dates, fees, types of services, any quantitative and qualitative performance targets and tracking, and any locations where services will be provided and where data will be processed or stored.
Contract provisions must include accessibility, availability, integrity, security, and protection of personal data, as well as assurances for recovery and return of data in case of discontinuation of business.
Assurances of security measures, tools, and compliance with information security standards and policies at third parties are required, as well as active implementation, testing, and reporting of contingency and mitigation plans.
Once the third party is contracted and onboarded, full lifecycle management must be implemented and monitored throughout the relationship. However, incidents do occur, and at times, it is necessary to terminate a third-party relationship.
DORA defines notice periods and reporting obligations are for any material impact at the third party, as well as corrective actions and obligations to cooperate with investigations at the financial firm and/or DORA authorities in case of an incident.
Termination rights for ICT third-party providers are also defined within DORA, within minimum notice periods based on changes in risk, deterioration of services, failures, along with defined exit strategies that require continuation of services, compliance with regulations, and enough time to allow for moving to another service provider.
There is a lot to consider and manage when it comes to DORA. Aravo experts are on hand to assist you in maturing your TPRM programmes, centralising your risk management software, and ensuring you are prepared to meet the requirements of DORA.
Keep in mind that DORA is extremely comprehensive. Aravo does not offer legal advice, and organisations should have their legal counsel review DORA requirements and applications to their own businesses.
Share with Your Friends:
