FAQs: The Digital Operational Resilience Act (DORA) and How it Affects TPRM
September 4th, 2024 • Adelani Adesida • Reading Time: 4 minutes
Events like the recent CrowdStrike outage, which affected organisations worldwide, grounded flights, and halted operations at some of the largest companies, underscored the importance of building digital resilience. Digital resilience is an organisation’s ability to react to, respond to, and recover from incidents that disrupt operations. It comprises data privacy, cybersecurity, compliance, and enterprise risk management initiatives.
What is DORA for TPRM?
As incidents like outages, ransomware, and cyber-attacks rise, the need for formal governance and guidance becomes more pressing. To meet this, the EU has introduced the Digital Operational Resilience Act (DORA) to help financial entities become more resilient, secure, and proactive in managing ICT risk.
DORA applies from 17 January 2025 and creates a single digital operational resilience regulation for the EU financial sector. Its goal is to define and strengthen cybersecurity protections, standards, and frameworks to ensure the security and resilience of the network and information systems of these organisations and their relevant third parties.
It requires financial entities to build, test, and validate that they can withstand, respond to, and recover from information security threats and potential service disruptions within specific criteria.
A key point in DORA is ensuring minimal disruption to consumer access to financial services. It is intended to lower consumer and investor costs by decreasing the number and costs of incidents and recovery efforts.
Who is Affected by DORA?
DORA applies to financial entities operating within the EU and to the information and communications technology (ICT) third-party providers that serve them, including ICT infrastructure providers (e.g., cloud services, software providers, data centres, internet and email hosting companies) established outside the EU.
Approximately 22,000 financial services companies, including banks, credit rating agencies, payment institutions, investment firms, insurance companies (as well as crypto-asset service providers and crowdfunding service providers), and their third parties are under DORA’s jurisdiction.
For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover in the preceding business year, accruing daily for up to six months until the provider complies. Penalties for financial entities themselves are set by the competent authorities of each Member State.
How Will DORA Affect TPRM Programmes?
Third parties, and third-party risk management (TPRM), are central to the DORA regulation. Financial entities must ensure that their critical third parties comply with the requirements of DORA, which are covered in Chapter V (Managing of ICT third-party risk), covering the third parties in scope, their obligations, and resilience strategies.
The scale, interdependencies, criticality of the service, the processes and functions it supports, and its impact on service continuity and quality affect whether and how a third party falls within DORA’s requirements. Financial entities must determine whether an ICT third party supports a critical or important function of the business and document how that determination was made.
Some of the requirements around ICT third-party providers within DORA include:
Risk-based prioritisation of third parties, with defined onboarding, offboarding, and due diligence processes
Financial entities must ensure critical third parties have information security controls in place
DORA is concerned with concentration risk and “complex chains of subcontractors”, and expects critical third parties to be substitutable (or, where they are not, a documented justification of why)
Financial entities must regularly review their strategy on ICT third-party risk and maintain clear, written, accessible, auditable policies and processes concerning the services and functions the third party provides
Ongoing monitoring is required to identify financial, ESG, cyber, and data breach risks, adverse media, politically exposed persons (PEPs), and other relevant risks. The frequency and depth of monitoring should be based on a risk-based assessment
What About My Fourth and Nth Parties?
Organisations must also focus on their indirect suppliers. Requirements within DORA include mapping of fourth parties and subcontracting chains, ongoing monitoring, and compliance and risk reporting by framework or regulation.
For any third parties (or fourth parties) outside the EU, the financial entity must assess the data protection, law enforcement, insolvency, and other laws of those countries, and obtain assurances that data and services can be recovered urgently should there be a disruption or exit.
DORA requires the establishment and governance of a TPRM programme with clear roles, responsibilities, and processes, including risk assessments, scoring, tiering, workflows, reporting, mitigation, monitoring, and remediation strategies.
How Does DORA Address Third Parties and Contract Management?
A critical component of effectively managing third parties is contract management. DORA requires financial entities to maintain a central register of information on all contractual arrangements with ICT third-party providers and to report on it to their competent authority at least annually, including:
Profiles
Firmographic information
Services and contractual agreements
Financial data
Data breach histories
Adverse media records
Fourth-party dependencies
Notifications of any important changes in those relationships
All of a third party’s services must be set out in a single written contract that is centrally accessible (with role-based permissions and version control) and downloadable.
The contracts must include clear and complete descriptions of all services (including where fourth parties are involved). They must include a criticality assessment, dates, fees, types of services, any quantitative and qualitative performance targets and how they are tracked, and the locations where services will be provided and where data will be processed or stored.
Contract provisions must include accessibility, availability, integrity, security, and protection of personal data, as well as assurances for recovery and return of data in case of discontinuation of business.
Assurances of security measures, tools, and compliance with information security standards and policies at third parties are required, as well as active implementation, testing, and reporting of contingency and mitigation plans.
What is Covered in Case of Incident or Contract Termination?
Once the third party is contracted and onboarded, full lifecycle management must be implemented and monitored throughout the relationship. However, incidents do occur, and at times, it is necessary to terminate a third-party relationship.
DORA defines notice periods and reporting obligations for any material impact at the third party, as well as corrective actions and obligations to cooperate with investigations by the financial entity and/or DORA authorities in case of an incident.
Termination rights for contracts with ICT third-party providers are also defined within DORA, with minimum notice periods triggered by changes in risk, deterioration of services, or failures, along with defined exit strategies that require continuation of services, compliance with regulations, and enough time to move to another service provider.
What are my next steps for DORA for TPRM?
There is a lot to consider and manage when it comes to DORA. Aravo experts are on hand to assist you in maturing your TPRM programmes, centralising your risk management software, and ensuring you are prepared to meet the requirements of DORA.
Keep in mind that DORA is extremely comprehensive. Aravo does not offer legal advice, and organisations should have their legal counsel review DORA’s requirements and their application to their own businesses.
Adelani Adesida
Adelani is Aravo Solutions’ Senior Sales Director covering EMEA.
Having invested a decade in the Integrated Risk Management industry, Adelani brings a wealth of experience with a strong track record of sales, account management, and project delivery across numerous risk domains.
Adelani has been a key member of numerous award-winning implementation projects and, in part due to being an avid gamer, has a close interest in Information Security and CyberSecurity programmes.
His charitable work includes participation in the Aleto Foundation’s Future Leaders mentorship programme and serving as a Board Member of Dream Nation.