
What you need to know about DORA compliance

The list of organisations pulled into the scope of the Digital Operational Resilience Act (DORA) extends far beyond the financial sector.

Critical third-party providers (CTPPs) have several key responsibilities to ensure they contribute to the industry’s overall resilience.

In an interconnected digital landscape where financial institutions increasingly rely on external service providers, regulation such as DORA brings operational resilience into focus and creates new compliance obligations for many ‘critical’ suppliers to the sector.

Organisations ranging from data centres and telecommunications providers to software providers are already being informed by financial institutions operating within the EU that they meet the ‘critical third-party provider’ criteria.

However, some Chief Information Security Officers (CISOs) and security leaders across sectors are still uncertain about their organisation’s CTPP status, yet must now begin to prepare for DORA ahead of its application date of 17 January 2025.

To learn more about whether you could be in scope of DORA, take NCC’s DORA QuickCheck. If you are in scope, read on for the key factors you will be assessed on.

Digital Operational Resilience Act (DORA) requirements for critical third-party providers (CTPP)

DORA outlines that critical third-party providers have several key responsibilities. These are designed to minimise the risks associated with third-party dependencies and include:

  • Risk management: Implement robust risk management frameworks to identify, assess and mitigate the operational risks associated with their services.
  • Incident reporting: Notify affected financial institutions, and where required the relevant authorities, promptly about cyber incidents that could impact their services.
  • Business continuity: Establish and maintain effective business continuity plans to ensure the continuity of services, even in adverse situations.
  • Scenario testing: Conduct regular testing of their operational resilience, including simulations and stress tests, to validate their preparedness for potential disruptions.
  • Collaboration: Engage in effective communication and collaboration with financial institutions and regulators to ensure transparency and a coordinated response to incidents.
  • Third-party oversight: Monitor and manage the risks associated with any third parties or subcontractors, ensuring they also meet the necessary resilience standards.

One point of precision for those reading the regulation itself: DORA’s direct obligations on designated CTPPs come from its oversight framework (Articles 31 to 44), under which a lead overseer can request information, conduct inspections and issue recommendations. Most of the responsibilities above reach a provider through the contractual terms that financial entities must impose on their ICT third-party providers under Article 30, so a provider should expect to evidence all of them whichever route applies.

How does the Digital Operational Resilience Act (DORA) define critical third-party providers (CTPP)?

DORA defines critical third-party providers as those service providers whose disruption could significantly impact the financial sector’s ability to deliver critical functions. It establishes criteria for determining the criticality of a third-party provider based on factors such as:

  • Size and importance
  • Impact of disruption
  • Market share
  • Substitutability
  • Nature of services
  • Regulatory importance

The delegated and technical standards adopted under DORA provide detailed guidance on how critical third-party providers (CTPPs) are distinguished from non-critical third parties. CTPPs face more stringent requirements, including enhanced monitoring, incident reporting and risk management expectations.

Sectors in focus

Already, organisations, often from non-financial sectors, are being informed by financial institutions that they are critical third-party providers and must comply with DORA because of the essential nature of their services. Likely affected organisations include:

  • Cloud service providers 
  • Data centre and infrastructure service providers 
  • Data analytics companies 
  • Payment processors 
  • Software providers 
  • Telecommunications providers 

Companies in these sectors should be prepared for such communications and take proactive steps to align with DORA requirements. 

As financial services increasingly rely on digital technologies and services, technology and telecommunications companies in particular are becoming integral to their operations, raising their profile in terms of regulatory oversight as a result.  

This makes it particularly important that cyber leaders and risk and compliance managers in these sectors proactively assess their role in the financial sector and prepare for potential compliance with DORA, even if they are unsure about their current classification. 

Proactive steps for CTPPs

Where potential CTPPs are still awaiting clarity, replicating the methods financial institutions are likely to use to determine their critical third parties is a useful exercise to put your business on the front foot for DORA.

Assess how your organisation is likely to be viewed against key factors, replicating the structured approach most financial institutions will take:

Criticality: Evaluate the potential impact of losing your organisation’s service on the financial institution’s operations – in terms of finance, service disruption and customer impact. Determine if the services you provide are essential for the financial institution’s ability to deliver its critical functions.

Criteria evaluation: Apply DORA’s criteria for criticality, such as your size and importance, market share and substitutability. How easily could a financial institution find an alternative if you, the supplier, failed?

Continuous monitoring: Could shifts in your business operations or market conditions affect your future criticality? This may be picked up as financial institutions continuously review and reassess third-party relationships.

Even if your organisation is uncertain about its DORA scope, preparing now helps to ensure it is ready to comply if it is brought into scope later, anticipates changes to regulatory requirements and minimises the risk of non-compliance.

By demonstrating commitment to operational resilience, third-party providers can also align with market expectations, make themselves more attractive partners for financial institutions, build trust with clients and protect their reputation in the industry.

For all organisations, resilience is not only a regulatory objective. Using DORA as a framework for best practice also sets an organisation up to better manage risk and handle potential disruptions. Implementing resilience measures reduces the risk of incidents that could impact clients and partners and improves overall operational efficiency, regardless of regulatory requirements.


This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
