Countdown to DORA: A spotlight on Third Party Risk Management

The Digital Operational Resilience Act (DORA) represents a significant shift in how financial entities across the European Union must approach operational resilience. With the regulation applying from 17 January 2025, the urgency for institutions to align their processes with it is intensifying. DORA's scope is broad, encompassing everything from ICT risk management and incident reporting to third-party risk management and digital operational resilience testing.

Third Party Risk Management (TPRM) is a critical pillar of DORA, focusing on the management of risks that arise from dependencies on external ICT service providers. Compliance with DORA's TPRM requirements presents several challenges for businesses:

  • Comprehensive Vendor Assessment and Due Diligence - DORA requires financial entities to conduct thorough assessments and ongoing monitoring of third-party ICT providers. Many businesses struggle with the complexity and resource intensity of conducting these comprehensive assessments, especially if they rely on a large number of third-party vendors.
 
  • Increased Regulatory Reporting and Documentation Requirements - DORA mandates detailed documentation and reporting concerning third-party risk management practices, including formal contracts, risk assessments, audit rights, and exit strategies. Complying with these requirements can be burdensome, especially for smaller organisations with limited resources.
 
  • Enhanced Monitoring and Ongoing Supervision of Third Parties - Continuous monitoring of third-party ICT providers is a core requirement under DORA. Businesses must ensure that third-party services remain secure and resilient over time, not just at the point of onboarding. Implementing effective monitoring mechanisms typically requires significant investment in tooling and in the people and processes needed to act on what the tooling reports.

  • Complex Contractual Negotiations and Alignment - DORA places specific requirements on contractual arrangements with third-party ICT providers, including the inclusion of clauses related to access, audit rights, and termination conditions. Ensuring contracts meet these requirements can lead to complex negotiations.

  • Concentration and Systemic Risk - DORA requires businesses to address the risks of over-reliance on a single third-party ICT provider, or of concentrating critical services among a few providers, in order to prevent systemic risk in the financial system. Businesses may face difficulties in finding alternative providers that meet DORA's standards, or may incur higher costs in managing multiple vendor relationships.

Video: DORA latest updates (5:13)

Compliance with DORA's TPRM requirements will require significant adjustments and resources from businesses. To manage third-party risks effectively, businesses should establish a comprehensive framework that addresses every stage of the vendor lifecycle. Conducting thorough due diligence and risk assessments on vendors is crucial, with a focus on their cybersecurity measures and operational resilience. Contracts should be robust, clearly defining terms related to data protection, audit rights, and incident response. Continuous monitoring of vendors, supported by appropriate tooling, is essential for maintaining ongoing oversight rather than a one-off view at onboarding. Additionally, developing and regularly testing incident response plans will help businesses manage potential disruptions. Together, these practices strengthen risk management, resilience, and compliance.

How can we help?

For further information on how we can help your organisation navigate the complexities of Third Party Risk Management, please contact our team of experts.

Contact us

Michel Ganado

Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Andrew Schembri

Digital Services Partner, PwC Malta

Tel: +356 79211355

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911
