DORA - Supply-chain reporting to the authorities

In January the European Banking Authority released the final report on the Technical Standards for the register of information in relation to ICT third-party service providers under the DORA regulation.

These standards specify what a financial institution is to report about its supply-chain to the authorities, and how often.

Having to report regularly to the authorities is nothing new to any financial institution. However, the degree of detail and the ongoing activity needed under the DORA regulation are new, and providing them demands a huge effort.

DORA reporting

These technical standards relate specifically to Articles 28 and 29, which cover the identification and assessment of cyber security risks from third-party ICT service providers.

However, there are multiple technical standards for various parts of the DORA framework. Some are final, and others are in draft.

Here we will focus on the final technical standards for the supply-chain.

The report is a joint recommendation and set of guidelines for implementing these articles of DORA, issued by the following entities: the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), the European Securities and Markets Authority (ESMA), and the European Supervisory Authorities (ESA).

The Technical Standards are publicly available, and they can be found on EBA’s website along with the drafts which give more insights into the reasoning behind the suggested text for the law.


The requirements for the Supply-Chain

The report is rather long, at more than 100 pages, and goes through a long list of RTS (Regulatory Technical Standards).

The reporting consists of a set of data, which is to be gathered in what is called a “Register of Information”.

The requirements can be summarized in the following 9 points:

  1. You are required to establish a “register of information”.
  2. You need to identify all third-party suppliers providing ICT services.
  3. You need to report to the regulating authority every time a change has been made to any supplier.
  4. You need to specify what service the supplier is providing, what the terms of the contract are, whether data are stored and where, what type of company the supplier is, whether the service is critical and how critical, what will happen if the service is discontinued, etc.
  5. You need to name and explain alternatives to the service providers used.
  6. You need to assess all these suppliers individually, and it is not enough that you write that the supplier is DORA compliant in the contract. You as a company need to assess the cyber security environment of the supplier.
  7. You need to report the latest date that you did an assessment.
  8. You need to report the results of assessments.
  9. You need to identify the whole supply chain, i.e. not only the service providers which are your suppliers, but also the subcontractors that these companies use, in order to map the full supply-chain.


Details on the supply chain

Identifying and assessing the cyber security of your suppliers is in itself a huge task, which we have written other articles about.

However, mapping the full supply-chain makes this even harder.

Without a systematic interaction with your direct suppliers, it will become a cumbersome and demanding task to gather the information needed, and to keep this information up to date.

The ranking of suppliers in the supply-chain is a demanding task, which requires frequent assessments of the direct suppliers.

Using a supply-chain assessment tool like QCA's compliance assessment tool will keep track of your suppliers, their assessments, and their sub-contractors and service providers, in one single flow.

This will remove the administrative project management task internally as this is automated in the tool, and you can pull all the needed information directly into the reporting to the authorities.

Quantum Cyber Analytics will help you find your way in the DORA regulation and clear the path for supply-chain compliance.

https://quantumcyberanalytics.com/



More articles by Ulrik Rasmussen