Chapter V: Managing of ICT third-party risk (Articles 28-44)
How DORAedge enables compliance with DORA
Financial entities must manage ICT third-party risk as part of their overall ICT risk management framework. They remain fully responsible for compliance with the regulation and financial laws, even when using ICT third-party services.
How DORAedge Assists:
Sets out a standardised risk management toolkit and integrates the financial entity's own ICT third-party risk management within the broader ICT risk management framework.
Tracks compliance and obligations for each third-party provider
Entities must develop and regularly review a strategy for managing ICT third-party risk, including policies for critical ICT services provided by third-party providers.
How DORAedge Assists:
With DORAedge on the team, the financial entity can upload its strategies, which are reconciled against the DORA requirements.
Entities must maintain a register of all contractual arrangements with ICT third-party service providers, documenting services that support critical or important functions. They must report annually to competent authorities on new ICT service arrangements.
How DORAedge Assists:
Manages a centralized register of all ICT third-party contracts and providers, including a full log of historic changes
Automatic LEI code resolution.
Automates annual reporting to competent authorities.
Before entering into ICT service contracts, entities must assess the risks, conduct due diligence, and evaluate potential conflicts of interest.
How DORAedge Assists:
Entities may only contract ICT third-party providers that comply with appropriate information security standards.
How DORAedge Assists:
Tracks compliance with information security standards for all third-party providers.
Ensures critical service providers meet the highest standards before contracting and continuously requests updates for certifications and similar evidence.
Financial entities must establish audit rights over ICT third-party service providers, ensuring appropriate audit frequency and auditor expertise.
How DORAedge Assists:
This should be incorporated into the contracts between the ICT third-party provider and the financial entity.
Entities must ensure contracts can be terminated in cases of regulatory breaches, poor performance, or ICT service provider failure.
How DORAedge Assists:
This should be incorporated into the contracts between the ICT third-party provider and the financial entity.
Entities must have exit strategies for ICT services supporting critical functions, ensuring continuity of business operations and compliance with regulatory requirements during transition or termination of services.
How DORAedge Assists:
Provides tools for documenting exit strategies.
Entities must assess the risks of concentration when relying on a single ICT third-party provider for critical services or if multiple services are outsourced to closely connected providers.
How DORAedge Assists:
Tracks concentration risks natively and supports diversification strategies.
Analyzes subcontracting chains for critical services and highlights risks
Contracts with ICT third-party providers must clearly define rights and obligations, service locations, data protection provisions, and contingency plans.
How DORAedge Assists:
Provides templates and structured questionnaires for ICT service contracts, ensuring inclusion of all necessary provisions.
Backed-up, always-available repository for all information and contingency plans.
These articles detail the oversight framework for critical ICT third-party service providers, including the designation of critical providers, the Lead Overseer's responsibilities, and international cooperation. These provisions largely pertain to the ESAs and other oversight bodies rather than directly to financial entities.
The ESAs, through the Joint Committee, will designate critical ICT third-party providers and assign Lead Overseers to ensure oversight of these providers.
Note: This does not apply to financial entities, but affects their relationship with critical providers once designated.
The ESAs will establish the Oversight Forum to monitor ICT third-party risks and facilitate coordination across financial sectors.
Note: This pertains to oversight responsibilities and is not directly relevant to financial entities.
The Lead Overseer will conduct assessments, investigations, and issue recommendations to critical ICT third-party providers to manage their ICT risks effectively.
Note: Financial entities may receive instructions based on the Lead Overseer's findings, but these tasks fall under the ESAs' remit.
The Lead Overseer, in coordination with other authorities, will conduct inspections and request information from critical ICT third-party providers.
Note: This oversight function pertains to ICT service providers and is not directly applicable to financial entities.
The Lead Overseer will carry out general investigations and inspections of critical ICT third-party service providers, including premises inspections and audits.
Note: Financial entities may need to cooperate, but this is primarily focused on critical ICT providers.
The ESAs will develop technical standards to ensure consistent oversight of ICT third-party providers, including subcontracting arrangements and audit templates.
Note: This task is assigned to the ESAs and is not directly relevant to financial entities.
The Lead Overseer will issue follow-up recommendations, and critical ICT third-party service providers must pay oversight fees to cover the costs of oversight activities.
Note: Financial entities may be indirectly affected by these provisions through their ICT service providers but are not directly responsible for these tasks.
The ESAs may engage with third-country authorities to ensure consistent oversight of ICT third-party providers across jurisdictions.
Note: This is relevant for cross-border regulatory cooperation and does not directly impact financial entities.
DORAedge itself cannot conduct the due diligence or evaluate conflicts of interest. Once distilled into risks, however, these can be mapped on the DORAedge platform.
DORAedge does not support ESAs or competent authorities as customers. We are solely focused on helping financial entities. This clause governs obligations for parties other than financial entities.