Third Party DORA Due Diligence Explained

Nov 20, 2024

The Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and will apply as of 17 January 2025.

What DORA aims to achieve

DORA specifies numerous requirements to help organizations build and maintain digital operational resilience. These requirements are centered around five pillars:

  1. ICT risk management 

  2. Incident management, classification, and reporting 

  3. Digital operational resilience testing 

  4. Managing of ICT third-party risks 

  5. Information-sharing arrangements

Today we are going to be looking at the Third-Party Risk Management Due Diligence requirements.

We have already gone through contract management, so you can check that out; the reference to it is in the description.

In the “Final report on Draft Regulatory Technical Standards to specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers as mandated by Regulation (EU) 2022/2554” the following section covers the Due Diligence requirements.  

Article 6 (1)

(a) has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure, risk management and internal controls and, if applicable, the required authorisation(s) or registration(s) to provide the ICT services supporting the critical or important function in a reliable and professional manner, the ability to monitor relevant technological developments and identify ICT security leading practices and implement them where appropriate to have an effective and sound digital operational resilience framework;

(b) uses or intends to use ICT sub-contractors to perform ICT services supporting critical or important functions or material parts thereof;

(c) is located, or processes or stores the data in a third country and if this is the case, if this practice elevates the level of operational risks, reputational risks or the risk of being affected by restrictive measures, including embargos and sanctions, that may impact the ability of the ICT third-party service provider to provide the ICT services or the financial entity to receive those ICT services;

(d) consents to arrangements that ensure that it is effectively possible to conduct audits, including onsite, by the financial entity itself, appointed third parties, and competent authorities at the ICT service provider;

(e) acts in an ethical and socially responsible manner and adheres to human and children’s rights, applicable principles on environmental protection, and ensures appropriate working conditions including the prohibition of child labour. 

(2) The policy referred to in paragraph 1 shall specify the required level of assurance concerning the effectiveness of ICT third-party service providers’ risk management framework for the ICT services to be provided by ICT third-party providers to support critical or important functions. This policy shall require that the due diligence process shall include the assessment of the existence of risk mitigation and business continuity measures and how their functioning within the ICT third-party service provider is ensured.

(3) The policy referred to in paragraph 1 shall: 

(a) determine the due diligence process for selecting and assessing the prospective ICT third-party service providers, including which of the following elements shall be used for the required level of assurance: 

i. audits or independent assessments performed by the financial entity itself or on its behalf; 

ii. the use by the financial entity of independent audit reports made on behalf of the ICT third-party service provider; 

iii. the use by the financial entity of audit reports of the internal audit function of the ICT third-party service provider; 

iv. the use by the financial entity of relevant appropriate third-party certifications;

v. the use by the financial entity of other relevant available information or other information provided by the ICT third-party service provider.

(b) Financial entities shall consider the scope and limitations of the elements listed in paragraph 3(a) and where appropriate, more than one element shall be used.   

What does all that mean in plain English?

Purpose

This article explains how financial entities should carefully choose and evaluate ICT (Information and Communication Technology) third-party service providers.

Key Points

  1. Selection Process: The financial entity must have a policy that ensures a fair and suitable method for selecting ICT service providers.

  2. Assessment Criteria: Before making a contract, the financial entity must check if the ICT provider:

    • Has a good reputation and the necessary skills, resources, and security standards.

    • Uses subcontractors for critical functions.

    • Operates or stores data in a third country, which might increase risks.

    • Agrees to allow audits by the financial entity or authorities.

    • Acts ethically, respects human rights, and ensures good working conditions.

Detailed Breakdown

  1. Reputation and Resources: Ensure the provider has a solid reputation, enough resources, and proper security measures.

  2. Subcontractors: Check if they use other companies to perform key services.

  3. Location and Risks: Consider if their location or data storage practices increase risks.

  4. Audit Consent: Make sure they agree to audits.

  5. Ethical Conduct: Verify they act ethically and respect human rights and environmental standards.

Policy Requirements

  1. Due Diligence Process: The policy must outline how to select and assess ICT third-party service providers. This includes using the following elements for assurance:

    • Audits or Independent Assessments: Conducted by the financial entity or on its behalf.

    • Independent Audit Reports: Provided by the ICT third-party service provider.

    • Internal Audit Reports: From the ICT third-party service provider's own internal audits.

    • Third-Party Certifications: Relevant certifications from independent third parties.

    • Other Information: Any other relevant information provided by the ICT third-party service provider.

  2. Consideration of Scope and Limitations: Financial entities must consider the scope and limitations of these elements and, where appropriate, use more than one element for assurance.

I hope this helps you identify what you need to complete to get your third-party due diligence started. Feel free to check out the references and the other insights we have on the site.

References

https://www.esma.europa.eu/sites/default/files/2024-01/JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions.pdf