EU DORA Requirements for ICT Service Providers: All You Need to Know

Date: 12 September 2024


The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a regulatory framework designed to ensure the operational resilience of financial services in the EU. One of its primary goals is to harmonise ICT security requirements across the European Union. A critical component of this harmonisation is uniformity in the cybersecurity standards expected of the third-party ICT (Information and Communications Technology) providers that the financial sector engages with. 

The EU DORA places heavy emphasis on the cyber competence of ICT providers. These include providers of services such as cloud computing, data analytics, data centres and software. DORA has several stipulations meant to ensure that third-party providers have robust cybersecurity measures in place. Financial entities are also mandated to ensure their contracts with ICT providers contain the required safeguards, so that a failure or compromise in their supply chain does not become a failure of their own operations. 

In this blog, we quickly go over what financial entities in the EU will expect from their ICT service providers. It is worth noting that DORA's obligations reach any ICT provider, whether based within or outside the EU, that does business with EU financial entities: the Regulation binds the financial entities directly, and they in turn may only contract with providers that meet its requirements. DORA applies from 17 January 2025, so it is imperative that you get ready for DORA compliance by then if you wish to continue your business relationship with EU partners. 

ICT service providers face intricate demands, especially those designated as 'critical ICT third-party service providers' under the Act. Designated critical third parties fall under DORA's Oversight Framework and are directly overseen by a Lead Overseer appointed from among the European Supervisory Authorities.

Chapter V of the DORA regulation is specifically dedicated to 'Managing of ICT Third-Party Risk'. It sets out how financial entities must select their ICT third-party service providers and what the contractual arrangements must contain. It also covers the cyber resilience that ICT third-party service providers must be capable of demonstrating. 

Top EU DORA Requirements for Third-Party ICT Providers: 

1. High Information Security Standards
2. Being Open to Audits & Assessments 
3. Watertight Contractual Agreements 
4. Regular Training
5. Digital Operational Resilience Testing
6. Exit Strategies 


Here’s a detailed look at what the EU DORA mandates are for the providers of ICT services to EU-based financial entities.      

1. High Information Security Standards: Article 28 of Chapter V states that financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. Where the services support critical or important functions, the financial entity must, before signing, take due consideration of whether the provider uses the most up-to-date and highest quality information security standards. 

Article 28 also requires financial entities to be able to terminate these contractual arrangements in defined circumstances, including a significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms.

2. Audits: ICT third-party service providers have to accept that they will be subject to regular security audits and assessments. Article 28 states: "Financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited." 

As per Article 30, contractual arrangements for ICT services that support critical or important functions must give the financial entity, or an appointed third party, and the competent authority unrestricted rights of access, inspection and audit. The contract must also include "the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party."



3. Contractual Agreements: Article 30 of Chapter V goes deep into the contractual requirements between financial entities and their ICT third-party service providers. It defines what the contracts must contain. Some of the key elements are: 
  • A clear and complete description of all functions and ICT services the provider will deliver. 
  • Clarity on whether subcontracting of an ICT service supporting a critical or important function is permitted and, if so, under what conditions. 
  • The locations where the contracted and/or subcontracted services will be provided and where data will be processed, including data storage locations. 
  • Provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data. 
  • For ICT services supporting critical or important functions, a requirement for the provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies.


4. Training Programmes: Article 13 in Chapter II (ICT Risk Management), titled 'Learning and evolving', deals with continuous improvement of digital operational resilience. It requires financial entities to run ICT security awareness programmes and digital operational resilience training for their staff, and to include their ICT third-party service providers in those training schemes where appropriate. 

The idea is to raise the commitment to continually improving cyber resilience across the entire ecosystem, not just among financial entities alone. 

Given that incident management and response is a critical component of DORA compliance, many global ICT service providers are already opting for our NCSC Assured Training in Cyber Incident Planning and Response.



5. Digital Operational Resilience Testing: Article 26 in Chapter IV (Digital Operational Resilience Testing) deals with advanced testing based on Threat-Led Penetration Testing (TLPT). Financial entities identified for this purpose by their competent authority must carry out a TLPT at least every three years, on live production systems covering their critical or important functions. Article 26 provides that ICT third-party service providers may be included in the scope of the TLPT, and where they are, the financial entity must take the necessary measures to ensure their participation. 

Where the provider's participation is reasonably expected to adversely affect the quality or security of the services it delivers to customers outside the scope of DORA, or the confidentiality of data related to those services, the financial entity and the provider may agree in writing that the provider contracts directly with an external tester to run a pooled TLPT under the direction of one designated financial entity.  

DORA also provides for scenario-based testing of digital operational resilience as part of the testing programme in Article 25. At Cyber Management Alliance, we have recently conducted several Cyber Tabletop Exercises for financial institutions and ICT providers who are looking to fast-track their way to DORA compliance. 

6. Exit Strategies: Defining sound exit strategies is a key requirement for DORA compliance. Under Article 28, financial entities are mandated to put in place exit strategies for ICT services that support critical or important functions, and must be able to exit those arrangements without disruption to their business activities or to their compliance with regulatory requirements.

The regulation mandates that the exit strategy take into account the risks that may emerge at the level of the ICT third-party service provider, such as a failure on its part, a deterioration in service quality, a business disruption caused by failed provision of ICT services, or the termination of the contractual arrangement.   

Exit plans must be comprehensive, documented, sufficiently tested and reviewed periodically. This is required to ensure continuity of the financial entity's business even in the event of contract termination. 



Final Word 

DORA compliance for third-party ICT providers can seem overwhelming, but it doesn't have to be complicated. By aligning with established cybersecurity best practices, ICT service providers can meet the requirements and safeguard their operations against an evolving landscape of cyber threats.

Yes, it is imperative to demonstrate strong cyber resilience and a commitment to continuous improvement in cybersecurity practices. But this does not have to be DORA-specific. Because DORA is quite comprehensive, working towards compliance with it will also help you meet the expectations of other regulatory frameworks around the world. 

The essentials are to implement robust security measures, test your systems regularly, and stay up to date with the latest threats and vulnerabilities. Maintaining transparent communication with stakeholders and conducting frequent risk assessments will also demonstrate your commitment to safeguarding critical digital operations. 

This in turn ensures that you not only meet the stringent requirements set out by DORA but also foster trust and confidence among your business partners across geographies. 