Meeting EU Digital Operational Resilience Act (DORA) Third-Party Risk Requirements

Cyberattacks, natural disasters, and technology outages are just a few events that can create significant operational disruptions for your organization and your vendors. While these events aren’t a new concern, regulators across the world have been developing more guidelines and frameworks to help organizations strengthen their operational resilience.

These guidelines are often inclusive of third parties, such in the case of the European Union’s Digital Operational Resilience Act (DORA), which goes into effect January 17, 2025.  

One of the main goals of DORA is to establish a unified approach for managing information and communication technology (ICT) third-party risk in the financial sector. However, organizations across all industries can strengthen their operational resilience by following the regulation’s principles and best practices. The proposed regulation is just over 100 pages, but this blog will focus on a few key requirements that are specific to third-party risk management (TPRM). 

Note: Regulatory text is noted in italics.

DORA’s Third-Party Risk Management Requirements 

The majority of DORA’s third-party risk management principles are found in chapter five, titled “Managing of ICT Third-Party Risk,” which is further divided into two sections. The first section covers key principles, while the second section provides an oversight framework specific to critical ICT providers.

Here’s a look at each section in greater detail: 

Key Principles for a Sound Management of ICT Third Party Risk  

The first section in chapter five covers several best practices that may be familiar to those who already have a mature third-party risk management program. Organizations are expected to manage third-party risk by following a list of general principles, which include:

• Performing pre-contract activities – Regulators expect organizations to perform certain activities before signing and executing a third-party contract.  
  
  • First, an organization must assess whether the contractual arrangement covers a critical or important function. Keep in mind that every organization must determine its own criticality classification, though the regulation provides some criteria and parameters for consideration, which we discuss later in this blog . 
  • Organizations must identify and assess all risks involved in the third-party relationship, including concentration risk, which is also detailed further below.
  • Pre-contract due diligence is another requirement, which confirms the third party is suitable and complies with information security standards and best practices.
• Ensuring contract termination – One notable requirement pertains to contract termination, which is more prescriptive than other third-party risk management regulations. Organizations will be required to ensure third-party contracts are terminated in the following situations:
  
  • The third party has breached laws, regulations, or contract terms.
  • The organization monitors and identifies a circumstance that could alter the third party’s performance, which includes material changes.
  • The third party has shown evidence of weakness in its overall risk management, especially in its security and integrity of confidential, personal or otherwise sensitive data or non-personal information.
  • The organization can no longer be effectively supervised by the EU’s banking regulators because of the third-party arrangement.
• Developing an exit strategy – Organizations must develop exit strategies to ensure they can safely terminate third-party contracts without disrupting business activities, limiting regulatory compliance, or negatively impacting the continuity and quality of their own services. The regulation also states that exit plans shall be comprehensive, documented and, where appropriate, sufficiently tested.
• Assessing concentration risk and subcontractors – DORA describes third-party concentration risk in two different conditions. The first refers to a third party that cannot be easily replaced. The second refers to relying on a single third party to provide multiple services. To comply with this requirement, organizations must: 
  
  • Identify and assess a third party’s concentration risk and weigh the benefits and costs of alternative solutions.
  • Determine whether the third party further sub-contracts a critical or important function to other ICT third-party service providers.
  • Assess third parties in outside countries for factors like how well they protect data and the effective enforcement of the law.
• Implementing contract provisions – Article 27 lists several provisions that should be included in third-party contracts. These provisions should address topics such as: 
  
  • The accessibility, availability, integrity, security and protection of personal data, which should include how the data will be handled if the third-party relationship is terminated. 
  • Incident reporting requirements, including the third party’s roles and responsibilities in the case of an incident. 
  • A right to monitor the third party’s performance on an ongoing basis. The contract should address the organization’s right to take documentation and audit the third party. 
  • A requirement for third parties to implement and test business contingency plans.
  • The organization’s termination rights and exit strategies, specifically addressing the minimum notices for termination and mandatory transition periods to reduce the risk of disruption during the termination process. 

Oversight Framework of Critical ICT Third-Party Service Providers

Section II provides prescriptive guidance on how the European Supervisory Authorities (ESAs) will identify and oversee critical third parties. While this oversight framework will be used by ESAs, covered entities can apply the same standards to their own third-party risk management programs, which include:  

• Establishing criteria for criticality – In general, organizations must determine how they define a critical third-party vendor. One vendor might be considered critical for one organization, but non-critical for another. However, the regulation states that an ICT third-party provider will be considered critical under certain conditions, such as:
  
  • The third party’s operational failure would create a systemic impact on the stability, continuity or quality on the financial institution.
  • The third party’s service lacks an alternative in the market because of the technical complexity or sophistication that’s involved.
  • The financial institution would face difficulties in cost, time, or increased operational risk if it transferred the outsourced service to a new provider.
• Developing an oversight framework – Regulators will structure their oversight framework with activities such as regularly discussing third-party risks and vulnerabilities and promoting a consistent approach for monitoring these critical third parties. Regulators will review and assess their findings on a yearly basis and promote coordination measures to increase the digital operational resilience of financial entities. 
• Performing audits and investigations – Many third parties are accustomed to due diligence reviews, where they submit documents on a regular basis. However, the language in Articles 32-33 makes it clear that regulators will take a more impromptu approach in these requests for information. Critical third parties will be obligated to provide information upon request, which can include contracts, policies, security audit reports, and incident reports.  
• Conducting on-site inspections – Critical third parties will be subject to on-site inspections, where regulators will evaluate their systems, networks, devices, information and data. These sites may include head offices, operation centres, secondary premises, and offline inspections. Third parties that oppose on-site inspections may be subject to contract termination.
• Ensuring ongoing oversight – Article 35 refers to the need for ongoing oversight activities to ensure the critical third party is following certain standards and has implemented recommendations. In general, ongoing monitoring of risk and performance, risk re-assessments, and periodic due diligence are all activities that would fall under the oversight category. 

4 Tips For DORA Compliance in Your Third-Party Risk Management Program 

As third-party risk management regulations continue to evolve, DORA compliance can seem like an additional burden. However, many of the expectations outlined in DORA have already been established as third-party risk management best practices. 

Here are some tips that will help your third-party risk management program stay compliant with DORA:  

1. Identify your critical vendors. This is perhaps one of the most essential activities for DORA compliance, as the regulation is heavily focused on critical third parties. It’s important to have a consistent approach to classifying your critical vendors and formally documenting the criteria within your TPRM program document. 
2. Review your contract management strategy. Take time to review your processes for contract management and identify any gaps that need to be addressed. Consider whether your strategy includes certain elements like pre-contract due diligence and contract provisions for termination, right to audit, and breach notifications. Identifying these gaps will allow you to better prepare for contract renewals or renegotiations.
3. Evaluate your ongoing monitoring activities. Consider whether your ongoing activities like performance monitoring or periodic due diligence are sufficiently designed to manage risks and support operational resilience. If your third-party risk management program doesn’t manage issues like declining performance or unmet service level agreements (SLAs), your vendors may be exposing you to unmanaged risk that can disrupt operations.
4. Commit to continuous improvement. Maintaining regulatory compliance is an ongoing process and there will always be room to improve your third-party risk management program. Regulators are likely to take positive notice when your organization makes a commitment to continuous improvement by staying educated on current regulations and following best practices. 

Although DORA is an EU regulation, it’s beneficial to understand these expectations, which are designed to enhance operational resilience. Any organization can be impacted by a third-party incident, but the activities outlined in DORA and other third-party risk management guidelines can help ensure your organization is prepared to respond and recover.