ICT Third-Party Risk Under DORA: What It Means for Your Supplier Relationships.

DORA is reshaping how financial entities manage ICT third-party risk in Ireland. Here is what it means for your supplier relationships and how to prepare.

Are your Donegal financial sector clients ready for the seismic shift in how they manage ICT third-party risk?

The Digital Operational Resilience Act (DORA) is not just another piece of European legislation; it is a fundamental overhaul of how financial entities must manage their digital risks. This regulation, which comes into full effect in January 2025, specifically targets the increasing reliance of the financial sector on external Information and Communication Technology (ICT) providers. DORA acts like a new set of spectacles, bringing into sharp focus the previously blurry landscape of digital risks posed by external providers. It mandates a proactive and comprehensive approach to ensuring that critical digital services remain resilient, even when outsourced.

Historically, the responsibility for digital operational resilience often stopped at the financial entity's own perimeter. However, DORA extends this accountability to the entire supply chain, recognising that a chain is only as strong as its weakest link. This means that any ICT third-party provider, from cloud service platforms to software developers and data centres, now falls under the regulatory gaze. The goal is to prevent widespread disruption across the financial system due to a single point of failure within the supply chain, a risk highlighted by incidents such as the 2021 Kaseya ransomware attack, which impacted numerous businesses globally.

New Obligations for Financial Entities Under DORA

Article 28 of DORA introduces stringent new obligations for financial entities regarding their ICT third-party risk management. These entities, which include banks, investment firms, and insurance companies, must now adopt a far more rigorous approach to their supplier relationships. The days of simply signing a contract and hoping for the best are over; active oversight and continuous monitoring are now the standard. This shift requires significant investment in internal processes and capabilities to meet the new regulatory demands.

One of the primary requirements is the comprehensive identification and registration of all ICT third-party providers. Financial entities must maintain a detailed register of all contractual arrangements for the use of ICT services, categorising them by criticality and importance. This transparency is crucial for regulators to understand the interconnectedness of the financial system and identify potential systemic risks. Furthermore, financial entities must conduct thorough risk assessments of these providers, evaluating their operational resilience, security measures, and incident management capabilities before entering into or renewing contracts.

Crucially, DORA mandates the inclusion of specific contractual clauses that ensure financial entities can effectively monitor and audit their ICT third-party providers. These clauses must cover aspects such as service level agreements, access rights for audits and inspections, and clear exit strategies. The Central Bank of Ireland has already emphasised the importance of robust outsourcing frameworks, and DORA elevates these expectations to a new, legally binding level. Financial entities must ensure their contracts reflect DORA's requirements, allowing them to enforce security standards and demand transparency from their suppliers.

What DORA Means for Donegal Suppliers

For ICT third-party providers operating in Donegal and across Ireland, DORA represents a significant change in how they will interact with their financial sector clients. If your business provides any ICT services to a financial entity, you can expect to face increased scrutiny and new demands. This is not an arbitrary burden but a necessary evolution in cybersecurity best practices, driven by the need for greater resilience across the financial ecosystem. Understanding these changes now will provide a competitive advantage.

Firstly, you will be asked to complete detailed security assessments and provide extensive documentation of your cybersecurity posture. This will likely involve questionnaires, audits, and requests for evidence of your controls, policies, and procedures. Financial entities need to demonstrate to their regulators that they have thoroughly vetted their suppliers, and your ability to provide this information efficiently and comprehensively will be vital. For instance, a software development firm in Letterkenny providing services to an Irish bank will need to clearly articulate its secure development lifecycle and incident response plans.

Secondly, expect to sign security addenda or entirely new contractual agreements that incorporate DORA's specific requirements. These addenda will likely include clauses related to data protection, incident reporting, audit rights, and operational resilience metrics. It is imperative that you review these documents carefully and ensure your internal processes can meet the stipulated obligations. Proactive engagement with your financial clients to understand their DORA compliance needs will be key to maintaining strong, ongoing relationships.

Demonstrating Controls and Building Trust

The essence of DORA for suppliers is the need to demonstrate robust controls and operational resilience. This goes beyond simply having security measures in place; it's about proving their effectiveness and being able to respond swiftly to incidents. For example, a managed IT service provider in Sligo supporting credit unions will need to show not only that they have strong firewalls and intrusion detection systems, but also that they regularly test their backup and recovery procedures and have a well-defined incident response plan.

Consider the implications of a significant cyber incident. The National Cyber Security Centre (NCSC Ireland) frequently highlights the increasing sophistication of cyber threats targeting Irish businesses. Under DORA, if an incident at an ICT third-party provider impacts a financial entity, the provider will be expected to cooperate fully with investigations and provide all necessary information to help the financial entity meet its reporting obligations. This level of transparency and collaboration is non-negotiable and underscores the importance of a strong, pre-existing security framework.

To prepare, suppliers should review their existing cybersecurity frameworks, conduct internal audits, and consider obtaining relevant certifications that demonstrate adherence to recognised security standards. This proactive approach will not only help meet DORA requirements but also enhance your overall security posture, making your business more resilient and attractive to financial sector clients. Investing in your cyber resilience now is an investment in your future business continuity and growth.

Navigating the New Regulatory Landscape

The implementation of DORA marks a significant evolution in the regulatory landscape for both financial entities and their ICT third-party providers. It is a clear signal that regulators are serious about digital operational resilience and expect all parties in the financial supply chain to play their part. For suppliers, this means moving beyond a reactive approach to security and embracing a culture of continuous improvement and proactive risk management. The demands may seem extensive, but they are designed to protect the integrity and stability of the financial system.

The new regulatory environment demands a partnership approach, where financial entities and their suppliers collaborate closely to build a resilient digital ecosystem. This collaboration will involve sharing threat intelligence, coordinating incident response plans, and jointly working towards higher standards of operational resilience. Suppliers who can demonstrate a clear understanding of DORA and proactively adapt their services will be well-positioned to thrive in this new era. It is an opportunity to differentiate your business by showcasing your commitment to robust security and operational excellence.

For businesses in Donegal and Sligo, this is an opportunity to strengthen your offerings and become an even more trusted partner to financial institutions. By embracing DORA's requirements, you are not just complying with regulations; you are enhancing your own security and operational robustness, which benefits all your clients. The shift is underway, and preparation is paramount for continued success in the financial services supply chain. Don't wait for your clients to demand changes; be ahead of the curve.

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.