EU Digital Operational Resilience Act (DORA) & third-party risk management (TPRM) 2025

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to make sure that financial organizations can survive and bounce back from ICT-related (information and communication technology) disruptions. It focuses on protecting the financial sector by managing risks caused by third-party ICT service providers. Simply put, DORA ensures that businesses stay strong and secure, even if the systems or vendors they rely on face a problem.

One of the biggest parts of DORA is third-party risk management (TPRM). If a company relies on outside ICT vendors, DORA says they need to manage the risks carefully. This way, businesses don’t just trust their suppliers blindly but instead prepare for any challenges these vendors might cause.

For a deeper dive into supplier risk management best practices, you can check out this guide on supplier risk management best practices from Supplier Shield.

DORA chapter V: Managing ICT third-party risk

DORA Chapter V focuses on rules for managing ICT risks that come from third-party service providers. Imagine you’re using software or cloud services provided by another company. If something goes wrong with their systems, your business might suffer too. That’s why DORA wants financial companies to monitor and reduce these risks.

In Chapter V, businesses are expected to:

• Understand and manage the risks of working with ICT vendors.
• Build strong contracts with these vendors.
• Regularly test the resilience of ICT systems provided by third-party services.

To simplify, DORA Chapter V says: Know your suppliers, plan for disruptions, and make sure your ICT systems are resilient.

For insights into third-party vulnerabilities and protecting against data breaches, you might find how Supplier Shield protects against third-party vulnerabilities helpful.

Key principles for sound management of ICT third-party risk

The first part of Chapter V highlights key principles for managing ICT risks. Think of it as a checklist of best practices that businesses must follow when working with external vendors. These principles include:

1. ‍Understanding all risks: Companies must identify the risks related to their ICT vendors. For example, if a cloud provider suddenly goes offline, how will it affect the company’s operations?
2. ‍Building strong controls: Companies should set up processes to monitor and manage vendor risks. This includes having a plan in place to respond quickly if something goes wrong.
3. ‍Regular checks and updates: Risks changeover time, so businesses need to review and update their third-party risk management plans regularly.

The goal is simple: Be proactive, not reactive. Don’t wait for something to go wrong; prepare for potential risks before they happen.

For a broader overview of the third-party risk landscape, you can check this comprehensive guide.

Risk management framework

To meet DORA’s requirements, businesses need to build a risk management framework. This is like a roadmap that helps organizations identify, assess, and manage ICT risks coming from third-party providers.

Here’s how businesses can create a risk management framework:

1. Identify the risks

Start by listing all the ICT vendors your company relies on. Ask questions like:

• What services do they provide?
• How critical are these services to my business?
• What could happen if these services fail?

For example, if you use cloud storage to store customer data, losing access to the cloud could cause delays or data loss.

2. Assess the risks

Once you know the risks, the next step is to assess their impact. Rank each vendor based on:

• How likely it is that something will go wrong.
• How big the impact would be if it happens.

This step helps businesses focus their efforts on the most critical risks first.

3. Manage and mitigate the risks

After identifying and assessing risks, companies need to create action plans to reduce them. This might include:

• Creating backup systems for critical services.
• Setting up monitoring tools to check vendor performance.
• Working with vendors to fix weak points or issues.

For example, if a vendor’s system is vulnerable to cyberattacks, businesses can ask the vendor to improve security controls. Organizations can also look into frameworks and training programs, like those offered by Abilene Academy, to ensure their vendors meet high cybersecurity standards and mitigate such risks effectively.

4. Integrate with operational resilience strategy

The risk management framework shouldn’t stand alone. It needs to be part of the company’s larger operational resilience strategy. This means ensuring that all departments work together to stay prepared for ICT disruptions.

To sum it up, a risk management framework helps businesses:

• Spot risks early.
• Focus on the most important vendors.
• Take action to prevent problems.

For additional strategies, you can explore supplier risk management best practices.

Due diligence

When working with ICT vendors, businesses can’t just take their word that everything is secure. Due diligence is about digging deeper to make sure vendors are reliable and meet DORA’s standards. This process helps companies:

1. ‍Evaluate vendor reliability: Before partnering with a vendor, businesses should check their track record, security practices, and ability to handle disruptions.
2. ‍Assess vendor controls: Companies need to look at how vendors protect data, maintain systems, and respond to cyberthreats.
3. ‍Ongoing reviews: Due diligence doesn’t stop after signing a contract. Businesses need to regularly monitor their vendors to ensure they’re still meeting requirements.

For example, using a trusted advisor like Abilene Advisors can streamline this process by offering insights and assessments to ensure vendors align with DORA’s compliance rules.

Why due diligence matters

Without proper due diligence, businesses risk working with unreliable vendors. This can lead to:

• Service disruptions
• Data breaches
• Fines for non-compliance with DORA

By taking the time to thoroughly vet ICT vendors, businesses build a stronger, more resilient foundation for managing third-party risks.

Contractual requirements

Contracts are a key part of third-party risk management under DORA. Businesses need to make sure their contracts with ICT vendors clearly outline responsibilities, expectations, and risk controls. A strong contract helps protect the company if something goes wrong.

What to include in vendor contracts

To meet DORA’s standards, contracts should include:

1. Service level agreements (SLAs): These define what level of service the vendor must provide, like uptime guarantees or response times for issues.
2. Security obligations: Contracts must outline how vendors will keep systems secure, protect data, and respond to incidents.
3. Audit rights: Businesses need the ability to audit their vendors’ systems to ensure they’re following the rules.
4. Exit strategies: If a vendor fails to meet requirements, the contract should include a plan for switching providers without major disruptions.

For instance, many organizations find that tools from suppliers like those offered by Supplier Shield can help track and manage vendor contracts to ensure they align with DORA.

Benefits of strong contracts

When contracts are clear and thorough, businesses can:

• Hold vendors accountable for failures.
• Reduce risks from unclear expectations.
• Quickly respond if issues arise.

By creating solid contracts, businesses set clear expectations with their vendors and ensure compliance with DORA.

Concentration risk and dependency management

One of the biggest challenges for businesses under DORA is concentration risk. This happens when a company relies too heavily on one or a few ICT vendors. If something happens to that vendor, the entire business could face major disruptions.

Identifying concentration risks

To spot concentration risks, businesses should:

• Map out all their ICT vendors and the services they provide.
• Analyze dependencies to see where the company relies too much on a single vendor.
• Use tools and frameworks to evaluate the risks of losing a critical service provider.

For example, imagine your company relies on one cloud provider for 90% of its operations. If that provider faces an outage, your business could be paralyzed.

Managing concentration risks

Once risks are identified, businesses need to reduce their dependencies. Steps to manage concentration risks include:

• ‍Diversify ICT providers: Work with multiple vendors instead of relying on one.
• ‍Build backup systems: Create redundant systems that can keep operations running if a vendor fails.
• ‍Test alternatives: Regularly test backup solutions to ensure they work smoothly during disruptions.

By managing concentration risks, businesses build stronger, more resilient systems that can withstand ICT failures or vendor outages.

For more guidance, consider exploring resources like how to manage supplier risks effectively.

CT third-party risk register

An ICT third-party risk register is a critical tool for businesses under DORA. It acts as a detailed record of all third-party ICT vendors, their associated risks, and the measures in place to manage those risks.

Why you need a risk register

A risk register helps organizations:

• Keep track of all ICT vendors in one place.
• Identify and document potential risks associated with each vendor.
• Monitor risk levels over time and update mitigation plans when needed.

Think of it like a logbook for your ICT suppliers. By maintaining a clear and updated risk register, businesses can:

• Respond to disruptions faster.
• Ensure they meet DORA’s regulatory requirements.
• Prioritize critical risks that need immediate attention.

Steps to create an ICT risk register

1. List all ICT vendors: Include every vendor your organization works with, no matter how big or small their role is.
2. Assess the risks: For each vendor, note down potential risks (e.g., downtime, cyberattacks, data breaches).
3. Document mitigation measures: Record what steps your business has taken to reduce these risks.
4. Assign ownership: Make sure someone in your organization is responsible for keeping the risk register updated.
5. Regular updates: Review and update the register regularly, especially after significant changes in vendor performance or risk levels.

A well-maintained risk register is a foundational piece of third-party risk management and will help businesses stay compliant with DORA’s requirements.

For a comprehensive guide on managing supplier risks, check out this resource on supplier risk management.

ICT Third-party risk register example

Resilience testing

Under DORA, resilience testing is a vital requirement for ensuring that ICT systems, especially those provided by third-party vendors, are strong enough to withstand disruptions or cyber threats. These tests help businesses identify weaknesses in their systems before they become real problems.

Types of resilience testing

1. Penetration testing: This test mimics cyberattacks to see how well systems can defend against breaches.
2. Stress testing: Businesses simulate heavy workloads or disruptions to test system capacity and recovery.
3. Scenario-based testing: Companies prepare for specific scenarios, like a vendor’s cloud service outage, to ensure they have backup plans in place.

Why resilience testing matters

Resilience testing allows businesses to:

• Proactively identify vulnerabilities in ICT systems.
• Ensure third-party vendors can handle unexpected disruptions.
• Meet DORA’s regulatory requirements for ICT resilience.

By running regular tests, businesses can reduce the risks of system failures, data breaches, or prolonged downtimes caused by their ICT vendors.

For companies looking to enhance their resilience strategies, tools and services like those provided by Supplier Shield can simplify and streamline the testing process.

Managing sub-outsourcing risks

Sub-outsourcing occurs when your third-party ICT vendor outsources part of their services to another provider (fourth-party vendors). While this expands the vendor ecosystem, it introduces additional layers of risk that businesses must manage carefully under DORA.

Interestingly, while nearly 90 percent of companies track risks during the sourcing and selection phases, fewer than 80 percent continue to monitor service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle. This highlights the need for better oversight of not just third-party vendors but also their subcontractors.

Key risks of sub-outsourcing

1. Lack of visibility: You may not know how or where your vendor’s subcontractors operate.
2. Chain dependencies: If a fourth-party vendor fails, the impact cascades back to your operations.
3. Compliance issues: Sub-outsourcing can introduce risks that might violate DORA standards.

How to manage sub-outsourcing risks effectively

To effectively handle sub-outsourcing risks, businesses should:

1. Include sub-outsourcing clauses in contracts: Require vendors to disclose any sub-outsourcing relationships and ensure they monitor their own providers.
2. Perform due diligence on fourth parties: Vendors should share details of their subcontractors’ security practices, including risk assessments and compliance status.
3. Expand monitoring and audits: Regularly review the performance and resilience of fourth-party providers as part of your ongoing risk management.
4. Assess concentration risk: Ensure that no critical operations depend too heavily on a single chain of third- and fourth-party providers.
5. Enforce accountability: Make sure contracts hold vendors responsible for any issues caused by their subcontractors.

By managing sub-outsourcing risks proactively, businesses can strengthen their resilience and ensure they comply fully with DORA’s requirements.

Contractual Controls Based on Vendor Leverage

The controls you can enforce in contracts depend heavily on the bargaining power between your organization and the vendor. For example:

• Large Vendors (e.g., Microsoft): Negotiations may focus on ensuring alignment with industry-standard compliance and setting realistic service-level agreements (SLAs). Custom clauses may be harder to implement due to the vendor’s leverage.
• Small Vendors (e.g., SMEs or Startups): Businesses can negotiate more specific controls, such as frequent audits, customized resilience requirements, or shorter contracts to evaluate performance.

Additional Contractual Controls

To strengthen vendor agreements, consider these additional controls:

1. Escrow Agreements:
   • Ensure access to critical software or data in the event of vendor failure or non-compliance.
2. Short-Term Contracts:
   • Implement annual or bi-annual contracts to regularly review vendor performance and compliance with DORA requirements.
   • This allows flexibility to renegotiate terms or transition to new providers if necessary.

Third-party risk scenarios

When managing third-party risks, businesses should prepare for specific risk scenarios that could disrupt operations. Here are some common scenarios and how to address them:

1. Vendor cyberattack

• Scenario: A vendor’s systems are compromised by a ransomware attack, affecting your operations.
• Mitigation: Conduct regular vendor audits, enforce strong cybersecurity requirements, and ensure you have data backups in place.

2. Vendor system outage

• Scenario: A vendor’s cloud or software system goes down unexpectedly.
• Mitigation: Diversify providers, create backup systems, and test alternative solutions regularly

.3. Vendor data breach

• Scenario: Sensitive customer data is exposed due to a vendor’s weak security controls.
• Mitigation: Conduct thorough due diligence, enforce data security measures in contracts, and monitor vendor compliance.

Preparing for these scenarios ensures businesses can respond quickly and effectively to minimize the impact of third-party risks.

Oversight framework of critical ICT third-party service providers

DORA also introduces strict oversight requirements for critical ICT third-party service providers. These providers are essential because disruptions in their services can have a widespread impact on financial stability.

Identifying critical ICT providers

Critical ICT providers are third-party vendors whose services are crucial for maintaining operations. To determine whether a vendor is critical, businesses should consider:

• How significant the vendor’s role is in delivering essential services.
• The potential impact of vendor failure on operations and customers.
• Whether alternative providers are available for the same service.

Key oversight measures under DORA

For critical ICT providers, businesses are required to:

1. Conduct enhanced monitoring: Regular audits and risk assessments must be performed to ensure compliance.
2. Ensure transparency: Critical ICT providers need to disclose their own third-party risks and security measures.
3. Regular resilience testing: Businesses must test the resilience of systems provided by critical ICT vendors to ensure they can withstand disruptions.

By implementing a robust oversight framework, businesses can ensure that critical ICT providers meet DORA’s standards and contribute to overall operational resilience.

How Supplier Shield can help simplify DORA third-party risk management compliance

Managing third-party risks and staying compliant with DORA can feel overwhelming, but tools like Supplier Shield simplify the process.

It all starts here

Supplier Shield offers comprehensive solutions to help businesses:

• Track and manage vendors effectively.
• Automate due diligence processes for ICT third-party providers.
• Conduct resilience testing to ensure systems meet regulatory standards.
• Maintain ICT risk registers to stay organized and compliant.

With Supplier Shield, businesses can streamline their TPRM processes, minimize risks, and ensure full compliance with DORA. Let's talk!

NIS2 and third-party risk management

The Network and Information Security Directive 2 (NIS2) is another regulation that aligns closely with DORA. NIS2 focuses on improving cybersecurity across critical sectors in the EU, including third-party risk management.

Key similarities between NIS2 and DORA

1. Vendor risk management: Both NIS2 and DORA require businesses to assess and mitigate risks associated with third-party ICT vendors.
2. Incident reporting: Businesses must report significant cybersecurity incidents quickly under both frameworks.
3. Resilience testing: NIS2, like DORA, emphasizes the importance of testing ICT systems to ensure they can withstand disruptions.

Why NIS2 matters for DORA compliance

NIS2 strengthens overall cybersecurity, which directly supports compliance with DORA. By addressing third-party risks under NIS2, businesses can enhance their resilience and ensure alignment with DORA’s requirements.

To learn more about building cybersecurity resilience, explore Supplier Shield’s insights on third-party risk management.

SEC cybersecurity disclosure rules: 9 key questions to ask third parties

The U.S. Securities and Exchange Commission (SEC) has introduced rules requiring businesses to disclose cybersecurity risks and incidents. This aligns with DORA’s emphasis on third-party risk management.

9 key questions to ask third-party vendors

To meet both DORA and SEC requirements, businesses should ask their vendors:

By asking these questions, businesses can gain clarity on vendor risks and ensure compliance with both DORA and SEC cybersecurity rules.

Conclusion

The Digital Operational Resilience Act (DORA) is a comprehensive framework that ensures businesses in the financial sector remain strong and secure, even when facing ICT disruptions. By focusing on third-party risk management, resilience testing, and clear oversight of critical ICT providers, organizations can mitigate risks and maintain operational resilience.

Tools like Supplier Shield simplify DORA compliance through automated vendor risk assessments, resilience testing, and risk register management. Meanwhile, training programs from Abilene Academy equip teams with the knowledge and skills to strengthen vendor security frameworks.

By proactively addressing risks, businesses not only comply with DORA but also build trust, protect customer data, and ensure long-term resilience in an increasingly digital world.

FAQs

1. What is DORA, and why is it important? DORA is the Digital Operational Resilience Act, a regulation in the EU that focuses on ensuring financial institutions can withstand ICT disruptions and manage third-party risks effectively.

2. What are the key requirements for managing third-party risks under DORA? Businesses must perform due diligence, maintain ICT risk registers, conduct resilience testing, and manage sub-outsourcing risks to comply with DORA.

3. What is resilience testing, and how does it help? Resilience testing involves assessing ICT systems to identify weaknesses and ensure they can withstand disruptions, such as cyberattacks or outages.

4. How does DORA handle critical ICT third-party providers? DORA requires enhanced monitoring, regular audits, and resilience testing for critical third-party ICT providers whose failures could severely impact operations.

5. How can tools like Supplier Shield help with DORA compliance? Supplier Shield automates vendor assessments, resilience testing, and risk register management, making it easier for businesses to meet DORA’s regulatory requirements.

‍