DORA compliance Part 4: ICT third-party risk management

The Digital Operational Resilience Act (DORA) came into force on January 17, 2025. The EU regulation aims to boost the digital resilience of financial entities and to systematically govern their dependence on ICT third-party providers. ICT third-party risk management is the fourth central field of action for financial services companies.

Challenges when dealing with ICT third-party providers

In the world of finance, much like in many other industries, companies rely on external providers for information and communication technologies (ICT), whether for cloud services, software solutions, or IT security infrastructure. DORA addresses the fact that these dependencies come with inherent risks: a third-party provider falling victim to a cyberattack, a service disruption, or other failures can have far-reaching consequences for the stability of the financial sector.

In Chapter V, Section I, Articles 28 to 30, DORA tackles this vulnerability by establishing uniform requirements for managing and monitoring ICT third-party risks. At its core, the regulation mandates that companies critically assess their reliance on external providers in order to remain compliant. This includes identifying, monitoring, and mitigating the risks associated with third-party IT service providers.

Essential requirements for ICT third-party risk management

Companies must assess their providers to determine which should be classified as “critical” based on their significance to business operations. Contracts with these providers must explicitly outline risk monitoring, security requirements, emergency plans, and clear responsibilities for both parties.

Additionally, the services, security measures, and potential risks of ICT third parties must be regularly reviewed, assessed, and documented in the mandatory DORA register of information, which takes effect on April 30, 2025, and must be submitted annually. To mitigate dependencies, financial entities must also develop strategies to reduce reliance on third parties and establish regularly updated emergency plans to address potential outages or disruptions.

Security and integrity in data management

Third-party risk management places a strong emphasis on safeguarding data, with DORA setting exceptionally high standards to ensure integrity and confidentiality. Failing to meet these requirements can lead to legal repercussions and long-term damage to customer trust. Companies must guarantee that sensitive information, whether customer-related or tied to internal processes, is properly protected by third-party providers. This includes:

  • Encryption and access controls: Data must be encrypted in transit and at rest to prevent unauthorized access. Access rights should be granted according to the principle of least privilege.
  • Data residency and sovereignty: Companies must comply with legal requirements on data localization. Critical data may only be stored in countries that guarantee an appropriate level of data protection.
  • Data deletion and repatriation: When a third-party contract comes to an end, clear processes are required to make sure all data is either securely deleted or returned to the financial entity.
  • Monitoring data access: Companies must implement systems that continuously monitor and log third-party access to sensitive data.

Strong partnerships ensure security

DORA strengthens the stability and security of the EU financial system, enhancing the global competitiveness of European financial entities. This is built on robust internal structures, effective processes, and strong partnerships based on transparent and reliable agreements.

DORA compliance: ICT third-party risk management checklist

  • Have you identified all external service providers and evaluated their criticality?
  • Are all of your contracts with third-party providers DORA-compliant?
  • Have you established processes for systematic risk assessment?
  • Do you have tools and processes in place which reliably monitor third-party providers?
  • Are your emergency plans documented, tested, and up to date?

Learn more about how Tresorit can help financial organizations manage their data in a safe and compliant manner.