08.11.2024

DORA and management of ICT Third-party risks in the financial sector

DORA 2025: What financial companies need to know about ICT third party risk management

With the introduction of the Digital Operational Resilience Act (DORA), the EU financial sector is facing a new regulatory challenge to ensure the digital resilience of information and communication technologies (ICT). From January 2025, financial companies in the EU must introduce comprehensive ICT Third-Party Risk Management (TPRM) to systematically identify, assess and monitor risks arising from external ICT service providers.

In our latest paper on "DORA and management of ICT third-party risks in the financial sector. Requirements, challenges and solutions".

Here you can find further information on the EU DORA Regulation

DORA and the role of ICT third party risk management

As part of the DORA regulation, financial companies must develop a strategy that systematically assesses and continuously monitors the risks associated with their third-party providers. From banks to insurance companies and payment service providers, the regulation affects a large number of players and requires that risks arising from external ICT service providers are managed in a structured manner. The focus is on critical or important functions where a failure or security breach can have a massive impact on operational resilience.

DORA therefore requires banks, insurance companies, payment service providers and other financial companies to develop comprehensive governance for ICT third-party risks. The aim is to strengthen resilience against cyberattacks and technical failures that can have an impact on financial companies via service providers.

The challenge: Regulatory requirements and limited resources

Well-structured ICT third-party risk management is complex to set up and requires new, resource-efficient approaches. In addition to the requirements for risk analysis and continuous monitoring, companies must determine how to effectively integrate subcontractors and third-party providers into the risk assessment - a challenge as not all providers may be willing to adapt their contracts to DORA. Establishing an effective information register and communicating with regulators are also part of this comprehensive approach.

ICT third-party risk management: Efficient solutions for practice

The requirements of DORA therefore not only entail new obligations, but also opportunities: the use of external expertise, automation options and a structured approach can make the management of ICT risks more effective and thus achieve a real effect in reducing operational risk. The involvement of specialized TPRM service providers for the categorization of all relevant contracts offers practical approaches to facilitate compliance and strengthen strategic resilience.

Act now to be future-proof

Good management of ICT third-party risks

DORA encourages financial organizations to further develop their strategies around digital resilience. Carefully planned ICT third-party risk management helps to overcome the challenges while strengthening the long-term security of the company.

Would you like to find out how you can efficiently implement the requirements of DORA? Our paper gives you deeper insights into practical solutions and best practices for the financial sector.

Find your solutions for secure ICT third-party risk management in our paper

Your DORA experts


Jochen Friedrich

Partner

Michael Lohmann

Associate Manager

Philipp Fackler

Associate Manager

Ready to strengthen your digital resilience with our DORA experts?

Further Impulses On GRC

19.03.2025

EU AI Act Compliance 2025: How to Master AI Regulation & Risks

08.11.2024

DORA and management of ICT third-party risks in the financial sector

11.04.2024

DORA Readiness Analysis

27.09.2023

VAIT-Readiness Assessment

25.01.2023

Governance, Risk & Compliance - Audit Management

Our Competence Center GRC