DORA: A New Framework for Third-Party Risk in the European Union (EU)
In an increasingly interconnected and digital world, reliance on third-party services and partnerships has become ubiquitous in modern business operations. While these collaborations offer a plethora of opportunities and efficiencies, they also expose organizations to potential risks that can disrupt operations, tarnish reputations, and compromise data security. As the European Union’s regulatory landscape evolves to keep pace with the fast-changing dynamics of the global economy, a pressing need arises for a comprehensive and unified framework to address third-party risks effectively.
DORA (the Digital Operational Resilience Act) is a pioneering framework designed to revolutionize the way businesses in the European Union manage and mitigate third-party risks. Developed collaboratively by regulatory authorities, industry experts, and technology leaders, DORA aims to bolster the EU’s data protection measures while promoting innovation and trust in cross-border business relationships.
By exploring the genesis of DORA, its key principles, and its anticipated implications for various sectors, we aim to shed light on how this groundbreaking framework is set to shape the future of data security and privacy in the European Union.
DORA’s emergence comes at a critical time when businesses are grappling with the complexities of third-party risks in the European Union. As organizations increasingly rely on external partners to enhance their operations, the need for a robust framework to navigate these risks becomes paramount. DORA aims to fill this void and provide a comprehensive solution that addresses the challenges faced by businesses today.
One of the key principles of DORA is its emphasis on data protection and privacy. With the ever-growing threat landscape and the increasing value of data, safeguarding sensitive information has become a top priority for organizations across all sectors. DORA recognizes this and seeks to establish stringent guidelines and best practices that will ensure the secure handling of data in third-party relationships. By doing so, it fosters a culture of trust and integrity, strengthening the foundation of cross-border business collaborations.
Moreover, DORA promotes collaboration and cooperation between regulatory authorities, industry experts, and technology leaders. This collaborative approach ensures that the framework remains agile and adaptable to the rapidly evolving business landscape. By involving all stakeholders, DORA aims to instill a sense of shared responsibility in managing third-party risks and encourage the exchange of knowledge and best practices.
The implications of DORA extend to various sectors, including finance, healthcare, and technology. In the financial sector, for instance, DORA introduces stringent risk assessment mechanisms and transparency requirements. This will enable financial institutions to better understand the risks associated with their third-party relationships, enabling them to make informed decisions and mitigate potential vulnerabilities. Similarly, in the healthcare sector, DORA’s focus on data protection will enhance patient privacy and confidentiality, ensuring that sensitive medical information remains secure when shared with external partners.
What Is DORA and Why Was It Proposed?
So what exactly is DORA? It stands for the Digital Operational Resilience Act, proposed legislation in the EU aimed at improving cybersecurity and operational resilience for financial institutions. DORA builds on existing laws like the NIS Directive and GDPR to close gaps in digital risk management.
The goal of DORA is twofold: first, to harmonize rules for ICT risk across the EU. Right now, different countries have different requirements, which can be confusing and lead to conflicts. DORA would establish a single framework that all countries would follow.
Second, DORA aims to address third-party risk. As financial firms increasingly outsource services to third parties like cloud providers, it’s critical to manage the cyber risks of these relationships. DORA would require firms to continuously monitor third parties and verify that they meet security standards.
Key Requirements of DORA
DORA sets specific requirements in four areas:
- Cyber risk management: Financial firms must identify, protect against, detect, respond to, and recover from cyber threats. They need documented cyber-risk policies and response plans.
- Incident reporting: Firms must report cyber incidents to regulators within 24 hours and notify customers promptly. Reporting helps identify systemic risks.
- Testing: Firms must conduct “red team” tests to assess cyber resilience. Tests should mimic real-life attack scenarios to evaluate response effectiveness.
- Third-party outsourcing: Before using a third-party service, firms must assess cyber risks and ensure the provider can meet security and reporting obligations. Ongoing monitoring is required.
DORA would be a milestone for cyber risk regulation globally. By focusing on resilience and transparency, DORA aims to make the EU financial system safer and better prepared to weather the digital storms of the 21st century. Overall, DORA represents a significant step forward in managing third-party cyber risks.
Key Provisions of the DORA Legislation
This new framework focuses on improving operational resilience for anything tech-related, from cyberattacks to system outages.
Key Provisions
To strengthen digital resilience, DORA will:
- Require firms to map all their ICT systems and assets so they understand how they interconnect and any vulnerabilities. This also includes mapping third-party service providers and their systems.
- Mandate that firms test how well they can withstand, respond to and recover from ICT-related disruptions through simulations of realistic attack scenarios and system failures. Firms will have to report the results to regulators.
- Demand that firms establish risk management frameworks and appoint executives responsible for operational resilience. This aims to embed a risk culture throughout organizations.
- Insist that firms report major ICT-related incidents to regulators within 72 hours. This will improve transparency and allow regulators to spot wider trends.
- Force firms to set specific requirements for outsourcing ICT systems and services to third parties. This helps address risks from vendors and ensures accountability remains with the financial firm.
- Oblige critical third-party providers to comply with the same rules as financial institutions. This levels the playing field and reduces weak links in the supply chain.
With oversight from regulators, these provisions will make EU finance more robust and secure. While firms may incur short-term costs by implementing DORA, the long-term benefits of enhanced operational resilience and reduced cyber risk seem well worth it. Overall, DORA is poised to strengthen the digital operational resilience of the financial system across Europe.
How DORA Complements Existing EU Cyber Regulations
DORA aims to strengthen the EU’s existing data protection and cybersecurity regulations for finance. Rather than replace laws like the GDPR or NIS Directive, DORA complements them by focusing specifically on operational resilience — the ability to prevent, adapt to, and recover from disruptions.
How Does DORA Build on Existing Regulations?
The GDPR establishes guidelines for handling individuals’ personal data, including requirements for data security and breach notification. DORA expands on the GDPR by setting specific operational resilience standards for financial institutions like banks, insurance companies, and investment firms. Similarly, the NIS Directive compels operators of essential services like finance to boost their cyber defenses. DORA reinforces the NIS Directive through more granular rules on threat monitoring, incident response, and business continuity planning.
DORA also complements other EU digital regulations by:
- Requiring financial firms to identify their critical operations, IT systems, and third-party service providers. This supports the European Banking Authority’s guidelines on outsourcing.
- Mandating comprehensive risk assessments and scenario-based testing. This aligns with the European Insurance and Occupational Pensions Authority’s recommendations on governance and risk management.
- Promoting transparency through the public disclosure of operational resilience information. This builds on the European Securities and Markets Authority’s rules on periodic reporting.
- Encouraging financial institutions to share cyber threat intelligence. This amplifies the objectives of the EU Cybersecurity Act by improving coordinated responses to cyber risks.
By weaving together these related strands of regulation, DORA aims to facilitate a cohesive and optimized framework for operational resilience across Europe’s financial sector. The legislation may face challenges in reconciling different countries’ approaches, but if successful, DORA can galvanize the EU’s leadership in managing digital risks. Overall, DORA signifies the EU’s commitment to safeguarding its financial system in an increasingly connected world.
Third-Party Risk Management Under DORA
Under DORA, financial entities must implement robust third-party risk management (TPRM) programs to ensure the cyber resilience and security of their ICT services. This means evaluating the risks of using third-party technology providers and taking steps to mitigate them.
Proportionality Principle
The management of third-party risks under DORA must follow the principle of proportionality. In other words, the level of diligence in TPRM should correspond to the level of risk. Higher-risk services like cloud computing would require more rigorous oversight than lower-risk services.
Key TPRM Principles
Financial entities must manage ICT third-party risks according to several principles:
- Oversight and accountability: Assign roles and responsibilities for TPRM to specific personnel.
- Due diligence: Evaluate third parties’ cybersecurity risk profiles before contracting with them and on an ongoing basis. Review factors like their technical capabilities, security controls, and incident response plans.
- Contractual requirements: Include provisions in contracts that obligate third parties to meet certain security standards and practices.
- Monitoring and review: Continuously monitor third parties and review their performance to verify compliance and address new risks.
- Termination rights: Retain the right to terminate contracts with non-compliant third parties.
- Incident planning: Work with third parties on response and recovery plans in the event of ICT security incidents.
By adhering to the principle of proportionality and these key principles, financial entities can implement TPRM programs under DORA that adequately address digital risks from third-party relationships. Continuous risk-based monitoring, in particular, is critical for managing the dynamic threat landscape in today’s digital economy. With cyber threats constantly evolving, TPRM must be an ongoing process.
DORA’s focus on TPRM signifies the EU’s leadership in operational resilience. By mandating transparency and verification of third-party cyber risks, DORA aims to strengthen the security of financial systems across Europe.
Implementing a Comprehensive Third-Party Risk Program
Implementing a successful third-party risk management (TPRM) program requires time, resources, and commitment from leadership and stakeholders across your organization. But the benefits of minimizing digital risk and preventing data breaches make it well worth the effort.
To get started, hold a meeting with leadership and key department heads like IT, compliance, procurement, and legal to determine your risk tolerance and priorities. Some questions to consider:
- What data and systems do we share with third parties?
- How would a breach impact our operations or reputation?
- What level of risk are we willing to accept?
Next, identify your critical vendors and third-party relationships. These could be cloud providers, payment processors, or companies with access to sensitive data. Rank them by risk level to focus your efforts.
Conduct risk assessments of your most critical vendors. This includes:
- Questionnaires about their security controls and processes
- Reviewing their compliance certifications and audit reports
- Scanning their systems for vulnerabilities
Based on the results, determine if any remediation is needed and set deadlines for vendors to fix issues. You may need to provide guidance or consider switching vendors if risks remain high.
Monitor your vendors continuously using a risk-based approach. Tools can automatically scan for new vulnerabilities, login alerts, and other indicators of compromise. Review updated compliance reports and reassess vendors regularly based on their risk ranking.
To implement TPRM effectively:
- Gain leadership buy-in and determine risk tolerance
- Identify critical third-party relationships
- Conduct risk assessments of high-risk vendors
- Remediate issues and monitor vendors continuously
- Review and update the program regularly
A comprehensive TPRM program, backed by the appropriate resources and tools, allows you to manage digital risk across your supply chain and meet regulatory requirements. While the process requires effort, safeguarding your data and operations from third-party breaches is well worth the investment.
In a nutshell, regulators have clearly been paying attention to the rising threats in our increasingly digital world. DORA is their attempt to get ahead of the curve and avoid major disruptions. As technology becomes more integrated into how we bank and invest, the risks are real. But with strong frameworks like DORA in place, you can have more confidence that your money and information are protected. The financial industry still has work to do to achieve DORA compliance, but these new rules are a step in the right direction. Stay tuned to see how DORA continues to strengthen operational resilience and perhaps expands to other sectors. The future is digital, but it doesn’t have to be dangerous. DORA helps ensure it’s secure.