Ensuring Compliance with DORA: ICT Third-Party Management and Supplier Monitoring
On January 17 2025, the DORA regulation entered into force, tightening the requirements for how financial firms manage and monitor their ICT third party service providers (“ICT suppliers”). Ensuring digital operational resilience requires structured third-party management – from risk assessment to contract review and continuous monitoring.
DORA covers the vast majority of financial firms, and these firms in turn need to manage their ICT suppliers. The requirements for suppliers are more extensive if they are considered critical or important suppliers. Financial firms must be able to demonstrate that they have controls, transparency and exit strategies in place for their ICT suppliers.
Below, we outline key strategies to ensure continuous management of DORA’s requirements.
Requirements for Managing ICT Third-Party Risks
To fulfill DORA’s obligations, financial institutions must develop a risk-based strategy for managing ICT third-party risks. This involves identifying critical service providers, assessing dependencies, and ensuring that contracts include provisions for transparency, monitoring, and control. Additionally, organizations should implement clear exit strategies, allowing them to terminate critical partnerships without disrupting business operations. Key steps to achieve this include:
- Defining a structured approach to evaluating ICT third-party risks based on service criticality.
- Establishing contractual agreements that ensure transparency and accountability.
- Implementing an exit plan to seamlessly transition away from critical providers if needed.
Register of information: Summary of ICT suppliers
DORA mandates that financial institutions establish and maintain a register of information detailing all ICT suppliers. This register serves as a comprehensive reference, outlining essential details such as the type of service provided, its criticality to the business, and the specific systems affected. To maintain an effective register, organizations should:
- Document all ICT suppliers, including their role and level of criticality.
- Maintain up-to-date records of contract terms, contact details, and service agreements.
- Track the history of audits, compliance checks, and monitoring activities.
Monitoring and Control of ICT Suppliers
A key component of DORA compliance is ensuring that financial institutions have structured processes in place to monitor and control ICT suppliers. This includes evaluating reliability and availability to guarantee that providers can meet operational demands. Additionally, institutions must verify compliance with security regulations and ensure that ICT suppliers have robust incident reporting mechanisms. To achieve effective supplier oversight:
- Establish performance metrics to assess service reliability and compliance.
- Conduct periodic security assessments to ensure alignment with industry standards.
- Implement an incident response framework to handle disruptions efficiently.
- Perform regular audits and resilience testing to validate system robustness.
Are Your Operations Aligned with DORA?
To ensure full compliance with DORA, financial institutions must take a proactive approach in assessing and aligning their operations. This begins with the comprehensive identification of all ICT suppliers and the evaluation of their criticality and associated risk levels. Organizations should also implement a structured model for ongoing supplier monitoring to address potential vulnerabilities before they escalate into major risks. To align operations effectively:
- Identify and categorize all ICT suppliers based on their risk profile.
- Develop a continuous monitoring framework to track performance and security adherence.
- Keep the information register updated to reflect the latest regulatory and operational changes.
Conclusion
DORA’s requirements for managing ICT third-party risks emphasise the need for a structured, ongoing approach to digital resilience. Financial institutions that integrate these measures into their operational framework will not only meet regulatory expectations but also enhance their overall security posture and risk management capabilities. By proactively embedding DORA principles, firms can safeguard their operations against evolving cyber threats while ensuring long-term compliance.
We help you fulfil DORA requirements
Consultancy and planning
- Mapping of ICT services and suppliers
- Risk classification and criticality assessment
- Establishment of registers of information
- Support in developing exit strategies, contractual terms and conditions and participation in contract negotiations
Operational support and follow-up
- Contract review and scrutiny
- Audit and supplier follow-up support and implementation
- Incident reporting and follow-up procedures
- Compliance and continuous improvement framework
