Introduced by the European Commission in September 2020, the Digital Operational Resilience Act (DORA) is the first regulation to oversee the security functions of financial entities across the European Union. It presents a unified framework that harmonizes the management of information and communication technology (ICT) risk across 21 distinct types of financial entities within its scope.
This brings a significant regulatory shift not only for EU-based financial entities, but also for any third-party service provider within an entity’s extended network. Many organizations that were previously exempt from ICT standards, such as third-party service providers for account information, crypto-assets, and data reporting, are now mandated to comply with DORA.
With the Act going into force in January 2025, OneTrust Third-Party Management and Tech Risk & Compliance provide robust capabilities to help organizations meet the framework requirements.
Proactively manage ICT third-party risk
A game-changing aspect of DORA is its inclusion of ICT third-party risk as part of the overall risk management framework. Financial entities are now accountable for all downstream risk across third parties, fourth parties, and ultimately Nth parties in the extended network.
Typical responsibilities include implementing due diligence, risk assessments, and a register of information that distinguishes the ICT third-party services that support critical or important functions.
To meet these requirements, OneTrust Third-Party Management helps build a centralized inventory of all third-party relationships that can be shared across business units and risk domains.
Any risks that arise are quickly identified through automated compliance screenings, risk assessments, integrated risk ratings, and touch point tracking throughout the third-party lifecycle. Organizations can then manage these potential risks with out-of-the-box mitigation recommendations, “if-this-then-that” workflows, risk-based contracting integrations, and data intelligence feeds that help you understand changes in your extended enterprise.
Scale your ICT risk management
DORA places the responsibility for ICT risk on the shoulders of the financial entity’s management body. This includes maintaining a high level of digital operational resilience through the implementation of strategies, policies, protocols, and tools to safeguard all information and ICT assets. All efforts should be documented and reviewed at least once a year, and subject to an internal audit.
OneTrust Compliance Automation helps make these steps much easier with an out-of-the-box DORA evidence framework and guidance. Organizations have access to pre-mapped policies, controls, and evidence tasks, as well as cross-framework evidence mapping to identify areas of compliance overlap and eliminate duplicate efforts.
OneTrust IT and Security Risk Management builds on compliance efforts by integrating and connecting your entire ecosystem, from data assets and controls to third parties. By operationalizing risk management, this solution effectively reduces risk across the entire IT landscape.
Additionally, OneTrust Audit Management centralizes control libraries, workpapers, and audit tasks, providing visibility into an organization’s audit status through consolidated dashboards and reports.