DORA Compliance with Ceeyu

DORA Compliance

Are you compliant with DORA for supply chain risks?

The Digital Operational Resilience Act (DORA) is designed to strengthen the resilience of the financial sector against ICT-related threats, ensuring that financial institutions and their service providers can withstand, respond to, and recover from cyber incidents. Given the critical role of digital infrastructure in financial operations, DORA establishes stringent requirements for ICT risk management, third-party risk monitoring, and incident reporting.

By January 2025, financial entities and their ICT service providers must comply with DORA’s regulations, ensuring that operational resilience is embedded within their risk management frameworks. This includes continuous monitoring of cyber risks, conducting resilience testing, and securing third-party digital dependencies.

But DORA is more than just regulatory compliance—it’s about ensuring the stability of financial operations, maintaining customer trust, and minimizing disruptions caused by cyber threats. Proactively managing ICT risks and supply chain vulnerabilities is not just a requirement; it's a necessity for long-term business success and resilience in an increasingly digital financial ecosystem.

"Many financial companies subject to DORA have obtained ISO 27001 certification. However, is this certification enough to ensure compliance with DORA requirements?"

The DORA Regulation

DORA, for whom?

The Digital Operational Resilience Act (DORA) has a broad scope, targeting a wide range of entities within the European Union's financial sector. This includes traditional financial institutions like banks, insurance companies, and investment firms, as well as newer players such as crypto-asset service providers and crowdfunding platforms. Critically, DORA also extends its reach to ICT third-party service providers that supply essential digital services to these financial entities. Therefore, any organization that provides ICT services to the financial sector could be within the scope of DORA.

Some of these companies are also subject to NIS2. To find out more, read this article.

How can Ceeyu help you?

"Financial entities shall manage ICT third-party risk as an integral component of ICT risk" - Article 28 DORA

The Ceeyu SaaS platform centralizes third-party risk management (TPRM) processes, enabling companies to manage and monitor supplier risks efficiently. This helps in fulfilling DORA's requirements for due diligence and ongoing monitoring of ICT third-party providers. Ceeyu offers its customers several tools to assess supplier risk:

  • Automated security scans, also known as attack surface management (ASM), to identify vulnerabilities in the IT and network systems of third-party providers. This allows companies to gain a clear view of the security posture of their suppliers, a crucial aspect of DORA compliance.
  • Ceeyu facilitates the use of digital questionnaires to gather information from suppliers on various aspects of their risk management practices. This complements the automated scans and provides a comprehensive view of supplier risks.
  • Ceeyu customers can store all relevant data and documents in the context of supply chain risk on the supplier's page on the platform, thus centralizing all risk management information.

Ceeyu.io streamlines and automates the process of supply chain risk management, making it easier for companies to comply with DORA's requirements.

How to ensure DORA TPRM compliance?

Our SaaS platform can facilitate your risk assessment work by continuously identifying security risks in suppliers' digital services, as well as flaws in their security controls and other areas of risk.