BLOG — Nov 21, 2024
The Digital Operational Resilience Act (DORA) is set to revolutionise how financial entities manage Information and Communication Technology (ICT) risks, emphasising the importance of resilience in today's digital age. As we delve deeper into DORA, understanding the nuances and implications of this regulation is essential for all stakeholders involved.
Challenges with Third-Party ICT Management and DORA Implementation
Integration with and dependency on third-party ICT services have become a backbone for many financial institutions, yet this comes with increased risks and vulnerabilities. DORA aims to fortify these institutions' operational resilience by ensuring that they, and their ICT providers, can withstand, respond to, and recover from ICT-related disruptions. Compliance requires a deep understanding of the associated risks and an effective management strategy.
Implementing DORA is no small feat. The regulation is complex, requiring firms and local regulators to adapt quickly within a short timeframe. DORA requirements are set out on over 600 pages, and some firms are reporting expenditures of more than $100m to comply. This complexity brings multiple challenges—from integrating piecemeal requirements and navigating overlapping regulations focused specifically on ICT services to aligning with the authoritarian nature of DORA while managing potential implementation variances. Moreover, the divergence of EU requirements under DORA from UK regulations adds another layer of complexity. Effective collaboration across various domains, such as contracts, information provision, reporting, penetration testing, resilience testing, and audits, is crucial. Firms must also ensure risk-proportionate coverage without overwhelming their resources and manage a significant shift in oversight for service providers.
Guidance for Compliance
To navigate these waters successfully, organisations must adopt a proactive approach. This involves conducting thorough risk assessments and mapping out all digital dependencies and vulnerabilities. Regular audits and updates to resilience strategies will be crucial to stay compliant. Additionally, training and development programs for staff on DORA requirements will play a vital role in seamless compliance.
A Third-Party Risk Management (TPRM) programme grounded in good practice goes a long way to meeting the spirit of the DORA requirements. Getting to that point is imperative for organisations that are not starting from this baseline. While good TPRM practice aligns with the spirit, there are many nuances to address, and organisations will need to adjust their programmes appropriately.
To effectively prepare for DORA compliance, firms must undertake several critical steps.
1. Identify and Assess ICT Services: Identify ICT services provided by third parties that support in-scope EU entities. These services must be assessed to understand their impact on Critical and Important Functions and to identify applicable risks. This involves a thorough evaluation of potential risks and the development of mitigation strategies. Understanding the dependencies and vulnerabilities in an ICT supply chain is crucial for resilience.
2. Conduct Risk-Based Due Diligence: Perform due diligence on third-party ICT providers across the relevant risk domains, primarily focusing on data and resilience and considering areas such as environmental, social, and governance (ESG) and concentration risk. Develop a programme of ongoing due diligence and audits or inspections to assess third parties against expected standards and controls. This should be more intensive for third parties supporting critical functions and should cover material subcontractors.
3. Develop Exit Strategies: Have clear, actionable plans for disengaging with third-party services that fail to meet compliance standards or become untenable. These strategies should ensure the continuity of critical functions without disruption and be tested to that effect.
4. Strengthen Contractual Agreements: Incorporate mandatory provisions in ICT contracts that align with DORA requirements. Furthermore, standard mechanisms should be developed to ensure that these requirements are incorporated in in-scope agreements.
5. Implement Continuous Monitoring: Utilise Key Performance Indicators (KPIs) and Key Control Indicators (KCIs) to monitor third-party services' risk performance and resilience. Regular penetration and resilience testing under different scenarios should be conducted to ensure that third-party services and systems can withstand and recover from potential threats.
6. Establish Robust Governance: Define clear roles and responsibilities within the organisation for managing ICT third-party providers. Ensure that governance policies are in place to oversee the adherence to DORA regulations and to facilitate effective decision-making. Demonstrate DORA compliance as a Board-level priority.
7. Prepare the Register of Information: Develop procedures to capture and report in-scope ICT services in the Register of Information for each EU entity. Ensure that the extensive information required for each provider, contract, and service can be collated and populated quickly in the required template. Consider conducting a dry run to test that capability.
Firms can comply with DORA regulations and enhance their operational resilience by taking these steps. Integrating systematic risk management practices with innovative technological solutions, like those offered by S&P Global’s KY3P, will be instrumental in navigating the complexities of digital resilience.
TPRM Tools and the DORA Accelerator
Robust TPRM tooling is required to achieve, demonstrate, and sustain DORA compliance. Consider utilising advanced third-party risk solutions, such as S&P Global’s DORA Accelerator, to streamline the compliance process. Tools like this offer comprehensive support for risk-based workflow, data-driven monitoring, efficient due diligence, and detailed reporting. They also enforce and provide an audit trail of key required activities in the end-to-end third-party lifecycle, which is fundamental for compliance.
The DORA Accelerator emerges as a pivotal tool in this landscape. Designed to facilitate the seamless implementation and ongoing adherence to the DORA third-party management requirements alongside industry best practices, the Accelerator provides:
Third-Party Assessments
The S&P Global Third-Party Assessments service facilitates the efficient exchange of due diligence data between third-party service providers and their customers. The Assessments solution provides direct access to Due Diligence Data, a holistic data utility aligned with DORA’s critical risk domains with available data on the significant critical providers active in the financial services industry. The Assessments service provides an efficient way to meet expectations in DORA by performing risk-proportionate due diligence, assurance, and audits and inspections of third-party providers, easing the burden on financial institutions and their providers.
Getting Ready
As DORA’s adoption date of January 17, 2025, draws near, the importance of being thoroughly prepared cannot be overstated. Organisations should be assessing their readiness and recognise that there is much to do to fully comply. Organisations can meet DORA requirements and strengthen their overall operational resilience by understanding the challenges, adhering to expert guidance, and leveraging advanced solutions like the DORA Accelerator. This proactive stance will be crucial in navigating the evolving digital landscape and safeguarding against emerging risks.
Learn more about S&P Global’s suite of services to address DORA here.