In January 2025, the European Union (EU) enacted its Digital Operational Resilience Act (DORA) as a means of ensuring that the financial industry and its third-party information and communication technology (ICT) service providers are adequately defended against cyberattacks and sufficiently resilient to continue operations in the face of sustained interference. The financial sector encompasses a wide variety of businesses from insurance companies and banks to crypto service providers. This is a step in the right direction for the EU in terms of creating greater safety and security within its financial sector, but it also means that those within the EU, and foreign companies wishing to provide services to the industry, must become compliant with the regulations outlined within DORA.
Thinking Differently About Third-Party Risk
One major aspect of DORA is taking greater accountability for third-party service providers. According to RSAC Conference’s CISO Perspectives report, How Top CISOs Are Transforming Third-Party Risk Management, traditional approaches to third-party risk management don’t work. RSAC Conference surveyed 100 Fortune 1000 CISOs and found that 87% of these companies were affected by a significant cyber incident at a third party in the past 12 months. Bad actors are skilled at finding and exploiting the weakest links in cyber defenses, and this statistic is a clear indication that it is time to rethink attitudes towards third-party risk management. Ensuring the security of third-party service providers enhances the strength of the industry as a whole. While surveys and training have been found to be ineffective, creating contractual obligations, delivering security services, and establishing agreed-upon standards of security do positively impact third-party security protocols.
To Comply with DORA, Take These Five Steps:
In order to be DORA compliant, companies must adhere to five steps designed to increase operational resiliency.
1. Risk assessment and management: One of the first steps towards becoming DORA compliant is to perform a thorough risk assessment that identifies areas of concern, outlines comprehensive remediation strategies, and ensures that threat detection is functioning properly and providing adequate information. This is a critical step that many organizations still struggle with. As Sandip Dholakia points out, the cybersecurity industry is still struggling to ensure that risk assessments are performed and performed correctly. “Poorly conducted risk assessments can provide misleading information to the management, resulting in threats to corporate assets,” Dholakia said.
2. Develop and test incident response plans: Even the best-designed security systems still fall victim to cybercriminals. This is why it is so important to conduct regular penetration testing and security audits and to have a plan in place to minimize impact and restore normal operations as quickly as possible when systems are compromised. Mike Jankowski-Lorek explains that when it comes to breaches, “It is a matter of if, not when,” in Best Teacher is Last Mistake: Improving and Applying Incident Response Plan. He stresses the importance of learning from attacks and using them as a means of improving defenses. System failures can provide invaluable learning opportunities for security teams.
3. Strengthen third-party risk management: Bad actors are constantly searching for the weakest link in any security system. Increasingly, they are finding access via smaller, less secure, third-party service providers. RSAC Conference 2023 speakers Chris Castaldo and Brian Markham noted that it is time to rethink how organizations manage third-party risk: abandon ineffective questionnaires that misallocate valuable security resources, and focus instead on more modern approaches such as formal contractual security standards and continuous monitoring and assessment. Developing agreed-upon practices can help to create a level of security that is acceptable to all parties.
4. Improve data governance and security: While data security should be part of any comprehensive cybersecurity plan, DORA regulations mandate obligations between financial entities and their third-party service providers, which requires greater transparency between organizations. However, it is also important that the information being shared does not contain any unnecessary data that could compromise the safety and security of individuals. Strong data governance policies help to establish clear protocols regulating what type of data can be shared, how it is shared, and who is responsible for ensuring its security.
5. Build a strong cybersecurity culture: An RSAC Conference 2023 panel session noted, “Cybercrime is now the third largest economy in the world, and the most prolific crime.” For defenses to keep up with this pace, it is necessary for everyone, not just cybersecurity teams, to recognize their role in cyberattack prevention. Companies must cultivate a culture of awareness and responsibility that instills individuals with a sense of ownership over digital security. This needs to be a top-down initiative that begins with the C-suite and board members and is shared all the way to those at the ground level. Andrzej Cetnarski explained, “This is not about buying new software, new hardware, new AI… This is about the mind, and the adversary, and what they’re going to do to you, and making sure that senior leaders in your organization fully understand that.” Creating a strong cybersecurity culture ensures that everyone understands how they can help to prevent a breach, as well as the importance of recognizing and reporting breaches as quickly as possible when they do occur.
The European Union’s Digital Operational Resilience Act represents a significant step towards the standardization of cybersecurity regulations for the financial industry in the EU and its third-party service providers. While much of DORA relates to agreed-upon best practices within the industry, DORA formalizes the necessity for proactive approaches to assessing vulnerabilities and creating resilient systems that are able to remediate and recover quickly from a data breach. DORA compliance is required not only for institutions within the EU, but also for third-party service providers who interact with those in the EU. For more information on becoming DORA compliant or building resilient systems, take advantage of the wealth of information from industry-leading experts in the RSAC library.