
Accelerated Approach to DORA Readiness: Are you DORA ready?


The Digital Operational Resilience Act (DORA) is poised to become a transformative regulation for the financial sector in the EU, with enforcement starting January 17th, 2025. DORA is designed to bolster IT security across financial entities by mandating robust and comprehensive IT risk management frameworks. This regulation will affect banks, payment providers, other regulated financial entities, and critical ICT third-party vendors.

One of the most challenging aspects of DORA is the stringent oversight required for third-party service providers.

ABBL DORA Readiness 2024 Survey


Recently, the ABBL (l’Association des Banques et Banquiers – Luxembourg / the Luxembourg banking association) published an insightful survey on the readiness of market players in Luxembourg for the DORA regulation with a particular focus on Electronic Money Institutions and Payment Institutions, which comprised 83% of the respondents.


Key Findings

Confidence Levels: The survey revealed that nearly 80% of the credit institutions are confident in meeting the DORA compliance deadlines, despite the substantial challenges involved.

Main Challenges: Beyond ICT risk management and business continuity planning, the two most significant challenges identified were:

  • Oversight framework for critical ICT third-party service providers: Cited by 65% of respondents.

  • Management of ICT third-party risk: Highlighted by 80% of respondents.

ICT Third-Party Vendor Risk Monitoring


The groundwork begins with a comprehensive gap assessment of contractual arrangements with critical vendors, as mandated by Article 30 of DORA. It is clear why respondents are concerned about managing ICT third-party risk, given the extensive workload involved.

Existing outsourcing contracts must adhere to the following DORA requirements:

  • Written Documentation: Full contract documentation must be readily available in a hard copy or in another durable and accessible format.

  • Service Descriptions: Clear descriptions of services and related service-level agreements.

  • Subcontracting Conditions: Conditions under which subcontracting of ICT services is permitted.

  • Data Processing Locations: Specifications of data processing locations.

  • Data Security Provisions: Detailed data security provisions.

  • Incident Assistance: Obligation of the ICT service provider to assist the financial entity with ICT incidents.

  • Regulatory Audit Rights: Right of audit by regulatory authorities.

  • Termination Rights: Clearly defined termination rights.

MAQIT’s Approach to DORA Compliance


At MAQIT, we have identified this challenge and fine-tuned our approach to address it effectively.

By combining years of experience and top-tier regulatory expertise in outsourcing management with state-of-the-art AI-powered technologies, we are going to significantly reduce the time, resources, and costs required to perform the initial gap assessment of our clients’ agreements with their vendors, followed by adoption, monitoring and governance.

Our approach ensures a streamlined path to compliance, enabling financial entities to meet DORA requirements with confidence and efficiency, and produce the register of information for the regulator.

Contact Us: For more information on how AI can assist in ICT third-party risk management or to develop a practical and actionable plan for DORA compliance, please do not hesitate to contact us. We are here to help you navigate through regulations seamlessly.






