Key points

• Understanding DORA is critical for maintaining compliance and resilience in the financial sector.
• Third-party suppliers pose significant risks to DORA compliance, especially when they lack comprehensive security measures.
• Strong risk management strategies help reduce compliance gaps and improve oversight over third-party suppliers.
• Metomic’s data security tool supports DORA compliance by helping you manage data classification, third-party risk assessment, and incident response with ease.

Within the financial sector,  third-party suppliers introduce significant risks. DORA highlights the need for organisations to implement robust compliance strategies to mitigate these risks by January 2025.

As financial services increasingly embrace digital transformation, they face growing challenges from cyber threats and operational disruptions. The shift to online platforms and services brings convenience but also exposes organisations to risks that can undermine their day-to-day running. 

To tackle these issues head-on, the Digital Operational Resilience Act (DORA) has been passed, mandating that financial entities bolster their resilience in the face of such threats.

With compliance expected by January 2025, organisations must understand the critical role of third-party suppliers in reducing risks to their business.

These suppliers can enhance capabilities but also introduce vulnerabilities. DORA emphasises the need to manage these external relationships effectively to maintain compliance and protect overall resilience.

What is DORA and how does it impact third-party suppliers?

The Digital Operational Resilience Act (DORA) is a piece of legislation aimed at bolstering the IT security of the European financial sector. Its primary objective is to ensure that financial entities can withstand, respond to, and recover from various operational disruptions, particularly those stemming from cyber threats. 

As the financial landscape becomes increasingly interconnected, the role of third-party suppliers has never been more critical, and DORA explicitly addresses the risks they pose. 

According to PwC, DORA applies to over 22,000 EU financial entities and ICT providers, plus supporting ICT infrastructure outside the EU. This broad scope means that organisations must now closely evaluate the third parties they engage with, as these suppliers can introduce significant vulnerabilities. 

Key requirements within DORA that are particularly relevant to third-party risk management include:

• Risk Management Framework: Financial entities must establish a robust framework for assessing the risks posed by their third-party suppliers, including operational and concentration risks.
• Due Diligence: Comprehensive due diligence must be conducted before entering into contracts with third-party ICT providers, along with continuous monitoring post-contract.
• Contractual Requirements: Contracts must specify risk management responsibilities and include provisions for termination rights in case of non-compliance.
• ICT Third-Party Risk Register: Organisations are required to maintain a register of all ICT third-party providers, detailing their services and associated risks.

🎥DORA explained in 1 minute

In this short video, we explore financial Institutions vs DORA: Why it matters to you and how you can prepare:

What are the implications of third-party suppliers on DORA compliance?

When it comes to compliance with DORA, third-party suppliers can be a double-edged sword. On one hand, they offer essential services that can help your organisation thrive; on the other, they introduce a set of risks that can complicate compliance and operational resilience.

So, what kind of risks should you be on the lookout for?

• Data Breaches: Since third-party suppliers often handle sensitive information, they can become prime targets for cyberattacks. A breach on their end can expose your organisation to significant data loss or customer privacy issues.
• Service Disruptions: Depending on external providers for critical functions means that any hiccup—whether it’s a technical glitch, a cyber incident, or even a natural disaster—can throw your operations off course.
• Compliance Failures: If a third-party supplier doesn’t meet their own regulatory obligations, your organisation could face the repercussions. It’s a ripple effect that could jeopardise your own compliance under DORA.

The impact of these risks can be quite serious —and with studies showing that 61% of companies reported a data breach or security incident in the last 12 months related to 3rd parties, it’s a sobering reminder of why you need to take these risks seriously.

How can organisations ensure DORA compliance and mitigate risks when dealing with third parties?

Ensuring DORA compliance in the cloud while managing third-party risks may feel like navigating a minefield, but with the right approach, you can do it effectively. Here are some best practices to help you assess third-party risks and keep your organisation on the right side of compliance.

Best Practices for Assessing Third-Party Risks

1. Conduct Thorough Due Diligence: Before partnering with any third-party supplier, it’s vital to perform a comprehensive assessment. This includes checking their security measures, compliance history, and financial stability. Yet, it’s concerning to note that 43% of third parties aren’t subject to due diligence checks. Don’t fall into this trap—make sure you thoroughly vet all potential partners.
2. Implement Continuous Monitoring: Your responsibility doesn’t end once a contract is signed. Continuous monitoring of your third-party suppliers is crucial for identifying new risks as they arise. However, studies reveal that 60% of organisations lack full monitoring for ongoing risks. To avoid this oversight, establish a regular review process to keep track of your suppliers’ compliance and security practices.
3. Maintain Strong Contractual Compliance: Your contracts should outline clear expectations regarding compliance and security standards. Ensure that your agreements include specific clauses about data handling, incident reporting, and compliance with DORA regulations. This not only protects your organisation but also fosters a culture of accountability among your third-party suppliers.

By integrating these strategies into your risk management framework, you’ll be better equipped to navigate the complexities of DORA compliance and safeguard your organisation against the potential pitfalls associated with third-party relationships. Remember, a proactive approach is key to ensuring that your third-party suppliers contribute positively to your compliance efforts rather than undermine them.

🔒How can Metomic help?

Metomic offers a comprehensive data security tool that aligns with DORA’s objectives and can make managing third-party risks simpler and much more effective.

Here's how:

• Data classification: Metomic’s robust data classification tool help you locate, organise and redact sensitive information across cloud platforms like Google Workspace. This visibility is key to managing risks tied to critical data.
• Risk assessment tools: With analytics and reporting designed for compliance, Metomic supports you in implementing data loss prevention strategies, helping you reduce potential data exposure.
• Third-party risk management: Metomic gives you control over how data is shared with third parties. You’ll know when sensitive data is shared externally, allowing you to manage and restrict unauthorised access, all while staying aware of data-sharing practices.
• Compliance support: While Metomic primarily supports regulations like GDPR and HIPAA, its compliance features can also help in managing DORA’s requirements around data protection and third-party oversight.

Metomic’s tools give you a straightforward way to handle third-party data security risks, making it easier to stay in control and better positioned for compliance.

To see how Metomic can streamline your path to DORA compliance in more detail, get in touch with our team directly or download our complete guide to DORA compliance.