Key Principles to Validate Your Third-Party Provider Is Complying with DORA

As of January 17, 2025, the Digital Operations Resilience Act (DORA) becomes applicable to financial entities and ICT third-party service providers. DORA standardizes how financial entities report incidents, test operational resilience and manage ICT third-party risks across the financial services sector. 

In this article, we discuss the key principles that financial organisations need to consider when using ICT services supporting critical or important functions. We'll also give you an update on how Luware has been enabling financial services customers to comply with the applicable provisions in 2024. 

Recap: What is DORA? 

The Digital Operations Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’) aims to provide a standardised approach to achieving a high level of digital operational resilience in the financial services industry within Europe, ensuring firms can withstand a wide range of threats, disruptions, and other operational risks.   

DORA sets out several key principles that the financial services sector must adhere to, reducing the impact of information and communication technology (ICT) disruptions and improving digital operational resilience. The key principles are: 

• ICT risk management 

• ICT-related incidents 

• Classification and reporting 

• Digital operation resilience testing 
• ICT third-party risk management 
• Information sharing arrangements 
  
  

Key principles for managing a critical third-party services provider

Financial entities are responsible for ensuring their critical third-party services meet their obligations with DORA. In this section, we provide a short summary on some of the principles that financial entities must validate with their third-party providers.  

ICT third-party providers register 

The financial entity must maintain a register of information in relation to all contractual arrangements on the use of ICT third-party services, including the functions of the services and indicating whether subcontracting of an ICT service plays a critical or important function. The service description must include details of service location, service levels, availability, data integrity and confidentiality, and data access provisions. This register must be regularly updated and made available for regulatory reviews.  

Risk management framework 

Financial entities must establish a comprehensive risk management framework that includes, at a minimum, strategies, policies, procedures, ICT protocols, and tools essential for safeguarding information and ICT assets. This framework should be used to assess ICT third-party services, focusing on potential operational and systemic risks. 

Evaluations should consider the criticality of the services provided and the potential impact on the business in the event of an incident, known as the proportionality principle. 

Clearly defined contractual arrangements 

Contractual arrangements for ICT services supporting critical or important functions must clearly define the roles, responsibilities, and obligations of ICT third-party providers. Key elements include service descriptions, subcontracting conditions, data processing locations, and data protection measures.  

Contracts should moreover specify performance targets, incident support obligations, cooperation with authorities, and rights to audits and inspections. They must also address notice periods, ICT security measures, resilience testing participation, and exit strategies to ensure smooth transitions and minimize disruption to financial entities. 

Operational resilience testing 

ICT third-party providers supporting critical or important functions must implement and regularly test business continuity plans and resilience measures to ensure uninterrupted service delivery. They are required to participate in Threat-Led Penetration Testing (TLPT) and cooperate with financial entities in assessing their operational readiness.  

Providers must facilitate performance monitoring and support audits, and ensure their contingency strategies are robust enough to minimize disruptions during incidents or transitions. 

How has Luware enabled customers to comply with DORA in 2024? 

2024 has been a busy year for our current and prospective customers, specifically around DORA obligations. We’ve delivered contract amendments, external audits, business continuity management test and penetration test evidence, and vast amounts of documentation to enable our financial customers to meet their obligations going into 2025. Here’s a short summary on some of the key items we’ve delivered. 

SOC 2 Type II attestation 

Luware has reaffirmed its commitment to operational excellence and security by successfully completing another year of SOC 2 Type II auditing. This rigorous external audit validates Luware’s adherence to key controls across critical areas such as: 

• Risk management 

• Incident and change management 
• Business continuity management 
• Vulnerability scanning and patch management 
  

By achieving SOC 2 Type II attestation, Luware provides clients with assurance that its services meet high standards of reliability and security. Our proactive compliance efforts align with DORA, which underscores the importance of third-party providers substantiating their delivery of obligations. This in turn not only enhances trust but also empowers customers to meet DORA requirements with confidence in 2024. 

M365 certification 

The Microsoft 365 App Certification highlights Luware's commitment to security, data privacy, and compliance—key tenets of DORA. This certification ensures our application meets rigorous standards for secure data handling, access control, and integration with Microsoft Teams.

By leveraging such certified solutions, financial entities can maintain continuity, manage ICT risks effectively, and meet regulatory requirements for monitoring and safeguarding communication records, thus fulfilling their DORA obligations. 

Resilience exercises 

Luware performed regular business continuity management exercises and delivered reports to our customers, validating and evidencing our contingency plans, processes, and recovery time objectives during major disruptions. We also performed regular penetration tests and enabled customers to perform their own penetration tests on their private tenant environments.  

Contract amendments and documentation updates 

We worked with our financial services customers to ensure their DORA contractual obligations were incorporated into contracts negotiated pre-DORA. We’ve also updated our Luware Recording Security Whitepaper to ensure key aspects documented in DORA are included for our customers.  

Is your third-party IT service provider truly meeting its commitments?  

DORA mandates financial entities undertake all due diligence on prospective ICT third party providers having a critical or important function. Luware's experience in navigating the compliance landscape, its SOC II attestation, and established practices make it a reliable partner with whom to address DORA.  

Discover Luware Recording