
The Digital Operational Resilience Act (DORA) is an important regulatory framework aimed at ensuring the operational resilience of financial services within the EU. One of DORA’s main objectives is to standardize security requirements across the European Union. A key aspect of this standardization is the alignment of cybersecurity protocols among third-party ICT (Information and Communications Technology) providers that the financial sector relies on.
DORA places significant emphasis on the cybersecurity capabilities of ICT providers, including those offering services like cloud computing, data analytics, data centers, and software. The regulations include several requirements to ensure that these third-party providers have robust cybersecurity measures in place. Financial institutions are also required to ensure that their contracts with ICT providers are comprehensive, protecting them from potential digital risks associated with their supply chain.
In this blog, we will outline what is expected from ICT service providers working with financial entities in the EU. It’s important to note that any ICT provider, whether located within or outside the EU, must comply with DORA if they engage with European clients. Therefore, it’s crucial to prepare for DORA compliance by January 2025 if you want to maintain your business relationships with EU partners.
ICT service providers face complex requirements, especially those designated as ‘critical ICT third-party providers’ under the Act. These critical providers will be directly overseen by European Supervisory Authorities, according to DORA.
Chapter V of the final version of the EU DORA regulation focuses on ‘Managing ICT Third-Party Risk.’ It outlines specific guidelines on how financial entities should select their ICT third-party service providers and what their contractual agreements should include. It also addresses the need for ICT third-party providers to demonstrate their ability to ensure cyber resilience.
Key EU DORA Requirements for Third-Party ICT Providers
1. Robust Information Security Standards
2. Transparency in Audits and Evaluations
3. Strong Contractual Agreements
4. Ongoing Training
5. Digital Operational Resilience Testing
6. Exit Plans

Here’s an in-depth overview of the requirements set by EU DORA for ICT service providers working with financial entities based in the EU.
1. High Information Security Standards:
Article 28 of Chapter V specifies that financial entities are permitted to engage only with third-party ICT service providers that adhere to DORA’s security standards.
DORA also supports the termination of services and contractual agreements in cases where there is a substantial violation by the ICT third-party provider of relevant laws, regulations, or contract terms.
2. Audits:
ICT third-party service providers must acknowledge that they will be subject to regular security audits and assessments. Article 28 specifies, “Financial entities shall determine, based on a risk-based approach, the frequency of audits and inspections, as well as the specific areas to be reviewed.”
According to Article 30, ICT third-party providers supporting ‘Critical’ functions are required to grant unrestricted access for inspection and audit by the financial entity, an appointed third party, or the relevant authority. “The ICT third-party must fully cooperate during onsite inspections and audits conducted by the competent authorities, the Lead Overseer, the financial entity, or an appointed third party.”
3. Contractual Agreements:
Article 30 of Chapter V delves into the contractual obligations between financial institutions and their ICT third-party service providers, outlining specific requirements that contracts must include. Some of the essential elements are:
- A clear and comprehensive description of all services that the ICT service provider will offer.
- Explicit details on whether subcontracting of ICT services is allowed, and under what conditions.
- The locations where the contracted and/or subcontracted services will be delivered, including where data will be stored and processed.
- Provisions addressing the availability, authenticity, integrity, and confidentiality of data protection, including personal data.
- For ‘Critical’ ICT service providers, there is a mandate to establish and test business contingency plans and to implement necessary ICT security measures, tools, and policies.
4. Training Programmes:
Article 13 of Chapter II (ICT Risk Management) addresses the importance of continuous learning and adaptation to enhance digital operational resilience. This article emphasizes that financial entities should incorporate their ICT third parties into their training programs where suitable.
The goal is to foster a collective commitment to improving cyber resilience across the entire ecosystem, rather than focusing solely on financial institutions.
Since Incident Management and Response is a vital aspect of DORA compliance, many global ICT service providers are choosing our NCSC Assured Training in Cyber Incident Planning and Response.

5. Digital Operational Resilience Testing:
Article 26 of Chapter IV, which focuses on Digital Operational Resilience Testing, addresses Advanced Testing through Threat Led Penetration Testing (TLPT). This article states that ICT third-party providers may be included in the TLPT scope.
If the penetration test could disrupt the operations of the ICT provider or compromise customer confidentiality beyond DORA’s scope, the third-party provider is expected to establish contractual agreements with external penetration testers.
DORA also recommends scenario-based testing for digital operational resilience. At Cyber Management Alliance, we have recently facilitated several Cyber Tabletop Exercises for financial institutions and ICT providers aiming to expedite their DORA compliance efforts.