Intelligent Fin.tech Issue 28 | Page 34

FEATURE

as well as other events requiring disaster recovery (DR). Organisations found to have been in breach face penalties of up to two percent of total worldwide revenue, with third-party providers liable for fines of up to €5 million. Penalties can also apply to organisations if they fail to report an incident.


DORA also has a specific category for ‘Critical Third-Party Providers’ (CTPPs), which are either of systemic importance to a high number of financial entities, support their critical functions or are difficult to replace. In each case, European Supervisory Authorities (ESAs) will monitor these providers, conduct inspections and impose penalties for non-compliance.
Exploring the implications for ICT suppliers
To understand the impact of DORA on their organisations and customers, financial entities and their IT suppliers should focus on a range of key activities, including:
• Risk assessment and due diligence: Before agreeing a contract, the financial organisation should conduct due diligence to confirm that the IT vendor is suitable and meets information security standards.
• Continuity and resilience: Assess the risk management and business continuity measures of each IT vendor and confirm that they are effective in supporting the operational resilience of the financial organisation.
• Subcontractors: The financial entity should request information on the subcontractors used by the IT vendor.
• Contractual requirements: DORA provides a comprehensive overview of the requirements that the provisions in an agreement between a financial entity and an IT vendor must meet.
• Information register: Financial entities are required to establish a detailed information register in which all contracts with IT suppliers must be recorded.
DORA also sets out compliance criteria for the contracts used by IT suppliers and financial institutions. To determine which contractual requirements apply, it is first important to analyse whether the IT service qualifies as a ‘critical or important’ function. Under DORA,
DORA APPLIES TO ‘MORE THAN 22,000 FINANCIAL ENTITIES AND ICT SERVICE PROVIDERS OPERATING WITHIN THE EU, AS WELL AS THE ICT INFRASTRUCTURE SUPPORTING THEM FROM OUTSIDE THE EU.
34 www.intelligentfin.tech