Is Your Third-Party Provider Ready for DORA?

06/02/2024

DORA mandates proof that your third-party IT service provider is truly meeting their commitments, and Luware's established practices make it an accountable and reliable choice.

 

What is DORA?

In the dynamic landscape of the financial industry, adaptability and robust operational frameworks are paramount. The Digital Operational Resilience Act (DORA) stands as a pivotal European initiative dedicated to ensuring a steadfast and resilient approach in delivering digital capabilities to the financial sector. This comprehensive framework establishes exacting technical standards that financial entities, along with their critical third-party technology service providers, must meticulously integrate. This includes oversight on SaaS providers, Cloud service providers, and an array of outsourced IT services crucial to the industry's technological infrastructure. As of its enforcement date on January 16, 2023, DORA has set forth a two-year implementation period, with full enforceability taking effect from January 2025 onward. The ambit of DORA is vast, encompassing over 20,000 financial entities and IT service providers operating within the European Union (EU). Moreover, its jurisdiction extends to any IT infrastructure supporting these entities, even if located outside the EU. In navigating the evolving digital landscape, adherence to DORA becomes not only a regulatory necessity but a strategic imperative for entities shaping the future of finance. Key considerations of DORA:
  • ICT risk management
  • ICT-related incident management
  • Classification and reporting
  • Digital Operation resilience testing
  • ICT third-party risk management
  • Information sharing arrangements.

How does DORA impact a third-party ICT Provider?

DORA significantly raises the bar for ICT providers, subjecting them to heightened regulatory scrutiny. These third-party entities now face the imperative of not only meeting the stringent requirements outlined in the framework but also substantiating their compliance through tangible evidence. Under DORA's provisions, third-party ICT providers may find themselves engaged in a thorough review of their contractual agreements. This process becomes essential to ensure that they can fulfil specific obligations stipulated by the framework. Such obligations may encompass facilitating inspections and audits conducted by regulatory authorities, introducing a new layer of accountability and transparency in their operations.

How has Luware prepared for DORA?

Luware stands out for its commitment to robust security practices, as evidenced by the implementation and external audit for SOC II Type 2 control adherence. Luware has annual audits conducted to assess its adherence with SOC II Type 2 controls related to Security. Specifically, Luware diligently addresses critical aspects including:
  • Risk management
  • Incident management
  • Change management
  • Business Continuity Management
  • Vulnerability scans and patch management.
The external audit serves as a testament to Luware’s dedication to upholding these crucial controls. In a landscape where the reliability of third-party IT service providers is paramount, Luware's external audit report regarding adherence to SOC II security principles provides clients with confidence in the fulfilment of their obligations. As DORA emphasizes the need for substantiating the delivery of obligations, Luware's proactive approach positions it as a trustworthy partner in navigating the evolving regulatory landscape. Consider this: How assured are you that your third-party IT service provider is truly meeting their commitments? DORA mandates proof, and Luware's established practices make it an accountable and reliable choice. Discover Luware Recording

 

Joshua Wood

Director of Technical Operations Compliance Engineering

Stay Up to Date With Customer Service Trends