How To Navigate DORA Requirements as a Critical Third-Party Provider

09 December 2024

By Paul Robinson

Critical third-party providers must meet a number of requirements under the EU's Digital Operational Resilience Act

The list of organizations pulled into the scope of the EU's comprehensive ICT risk management framework, the Digital Operational Resilience Act (DORA), is set to extend far beyond the financial sectors. That's due to the provision outlining that critical third-party providers (CTPPs) have several key responsibilities to ensure they contribute to the industry's overall resilience. As a result, many suppliers to financial institutions are now confronting new cyber resiliency questions amidst a pressing DORA compliance deadline.

In an interconnected digital landscape where financial institutions increasingly rely upon external service providers to varying degrees, regulations such as DORA aim to bring operational resilience into focus and thus create new compliance obligations for many 'critical' suppliers to the sector. 

Organizations ranging from data centers and telecommunications providers to software providers are already being informed that they meet the 'critical third-party provider' criteria of financial institutions operating within the EU. Many CISOs and security leaders across sectors are still uncertain about their organization's CTPP status, yet they must now begin to prepare for DORA ahead of the January 17, 2025 compliance deadline.

Key requirements:

DORA outlines that CTPPs have several key responsibilities. These responsibilities are designed to minimize risks associated with third-party dependencies and include:

• Risk Management: Implement robust risk management frameworks to identify, assess, and mitigate operational risks associated with their services.

• Incident Reporting: Notify relevant authorities and affected financial institutions promptly about cyber incidents that could impact their services.

• Business Continuity: Establish and maintain effective business continuity plans to ensure the continuity of services, even in adverse situations.

• Resilience Testing: Conduct regular testing of their operational resilience, including simulations and stress tests, to validate their preparedness for potential disruptions. 

• Collaboration: Engage in effective communication and collaboration with financial institutions and regulators to ensure transparency and a coordinated response to incidents.

• Third-Party Oversight: Monitor and manage risks associated with any third parties or subcontractors, ensuring they also meet necessary resilience standards.

Who is a CTPP under DORA?

DORA defines critical third-party providers as those service providers whose disruption could significantly impact the financial sector's ability to deliver essential functions, establishing criteria for determining the criticality of third-party providers based on factors such as:

  • Size and importance
  • Impact of disruption
  • Market share
  • Substitutability
  • Nature of services
  • Regulatory importance

The Regulatory Technical Standards (RTS) under DORA provide detailed guidance on classifying critical third-party providers (CTPPs) compared to non-critical third parties – CTPPs face more stringent requirements, including enhanced monitoring, incident reporting, and risk management expectations.

You can find more information on criteria and requirements for critical vs non-critical classifications in our Classification of Critical Third-Party Providers Under DORA information sheet.

Sectors in focus

Organizations – often from non-financial sectors such as technology, telecommunications, and media – are already being informed by financial institutions that they are critical third-party providers and must comply with DORA due to the essential nature of their services. Likely affected organizations include:

  • Cloud service providers
  • Data center and infrastructure service providers
  • Data analytics companies
  • Payment processors
  • Software providers
  • Telecommunications providers

Companies in these sectors should be prepared for such communications and take proactive steps to align with DORA requirements.

As financial services increasingly rely on digital technologies and services, technology and telecommunications companies in particular are becoming integral to their operations, which in turn raises their profile for regulatory oversight. This makes it particularly important that cyber leaders and risk and compliance managers in these sectors proactively assess their role in the financial industry and prepare for potential compliance with DORA, even if they are still determining their current classification.

Proactive compliance steps for critical third-party providers

Where potential CTPPs are still awaiting clarity, replicating the methods financial institutions are likely to use to identify their critical third parties is a valuable exercise that puts your business on the front foot for DORA. Assess how your organization is likely to be viewed against the key factors, following the structured approach most financial institutions will take:

Criticality: Evaluate the potential impact of losing your organization's service on the financial institution's operations – in terms of finance, service disruption, and customer impact. Determine if your services are essential for the financial institution's ability to deliver its critical functions.

Criteria Evaluation: Apply DORA's criteria for criticality, such as your size and importance, market share, and substitutability. How easily could the organization find alternatives if you (the supplier) failed?

Continuous Monitoring: Could shifts in your business operations or market conditions affect your future criticality? This may be picked up as financial institutions continuously review and reassess third-party relationships.

Even if your organization is uncertain about its DORA scope, taking steps to prepare now will help to ensure that the organization is ready to comply with DORA if it falls within the scope in the future, anticipating changes to regulatory requirements and minimizing the risk of non-compliance. 

By demonstrating a commitment to operational resilience, third-party providers can also align with market expectations and make themselves more attractive partners for financial institutions. They can also foster trust with clients and manage their reputation in the industry. For all organizations, resilience should be more than simply a regulatory objective.

Utilizing DORA as a framework for best practice also sets organizations up to manage risk better and handle potential disruptions. Implementing resilience measures reduces the risk of incidents that could impact clients and partners and improves overall operational efficiency, regardless of regulatory requirements.

About the author

Paul Robinson

Senior Security Consultant, NCC Group UK

NCC Group's DORA compliance guidance – from start to finish

To learn more about whether you could be in scope of DORA and receive insights on how to plug potential compliance gaps, take our complimentary DORA QuickCheck survey or reach out to our experts.