25 March 2025

DORA and Third-Party Cyber Risk Management: A Structured Approach for Businesses

Since the Digital Operational Resilience Act (DORA) became applicable in January 2025, European financial entities have been required to strengthen their digital resilience, in particular by controlling the risks arising from their external service providers, above all the ICT and software vendors that work with them as third parties.

In such a quickly evolving context, it can be difficult for large enterprises to understand their obligations clearly. This raises the question: what are the best practices for complying with DORA while effectively reducing third-party cyber risk?

DORA and Third-Party Management: A Supportive Regulatory Framework

The regulation is built around five pillars:

  • Risk management
  • Incident reporting
  • Digital operational resilience testing
  • Third-party ICT risk management
  • Information and intelligence sharing

Each of these pillars plays an important role in defining the security posture of an organisation. However, as highlighted in the Global Cybersecurity Outlook 2025 published by the World Economic Forum, supply chain risk is the biggest barrier to cyber resilience for more than half of all large organisations.

CyberVadis proposes a distinctive approach to supply chain risk. How can it help operationalise a Third-Party Risk Management programme that meets DORA's requirements?

Five Steps for Effective Third-Party Risk Management

1. Identifying Third Parties Within Scope

  • Import every identified supplier that falls within DORA's scope into the platform.
  • Flag those that have a direct impact on critical or important functions, using simple criteria.

2. Establishing a Supplier Tiering System

Assessing the exposure to third-party risks is a crucial step in developing a robust risk management program. Different third parties, depending on their risk level and criticality, cannot be managed with a one-size-fits-all approach.

Additionally, to ensure scalability, due diligence must combine complementary methodologies. Under Article 28(1)(b) of DORA, financial entities must manage ICT third-party risk in light of the principle of proportionality, taking into account the "nature, scale, complexity and importance of ICT-related dependencies" as well as the "criticality or importance of the respective service, process or function."

3. Assessing Risks and Conducting Appropriate Due Diligence

Once suppliers are identified and classified, their maturity level must be assessed to gain sufficient confidence that they meet regulatory expectations. This can be achieved through:

  • Analysis of certifications (ISO 27001, SOC 2, etc.)
  • External Attack Surface Screening
  • Evidence-based evaluations
  • On-site audits for the most critical third parties.

Each of these approaches offers a different trade-off between reliability and scalability, so each must be applied at the right tier. This aligns with DORA's proportional approach, which calls for assessment methods matched to the identified risk level.
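The three steps above (scoping, tiering, and a tier-dependent mix of assessment methods) can be encoded as a small, auditable rule set. The following is an added illustration, not CyberVadis code: it turns a supplier register into tiers and assigns each tier the assessment methods listed in step 3. DORA Article 28(1)(b) names the factors to weigh but prescribes no scoring, so the supplier attributes, the ordered rules, the tier names, the method mix and the reassessment cadences are all assumptions chosen for illustration, and the register is a constructed sample.

```python
"""Proportionate supplier tiering for a DORA third-party risk programme.

Added example, not CyberVadis code. The attributes, ordered rules, tier
names, method mix and cadences are illustrative assumptions; DORA names the
factors to weigh (Art. 28(1)(b)) but does not prescribe a scoring scheme.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Supplier:
    name: str
    provides_ict_service: bool  # scope gate: the ICT third-party rules cover ICT services
    supports_cif: bool          # supports a critical or important function
    data_sensitivity: str       # "none" | "internal" | "confidential" | "regulated"
    substitutability: str       # "easy" | "hard" | "none" (how replaceable the provider is)


# Assessment methods from step 3, stacked so that each higher tier keeps the
# cheaper, scalable methods and adds a more reliable (and costlier) one.
METHODS = {
    Tier.LOW: ["certification review"],
    Tier.MEDIUM: ["certification review", "external attack surface screening"],
    Tier.HIGH: ["certification review", "external attack surface screening",
                "evidence-based assessment"],
    Tier.CRITICAL: ["certification review", "external attack surface screening",
                    "evidence-based assessment", "on-site audit"],
}
# Assumed reassessment cadence per tier, in months.
REASSESS_MONTHS = {Tier.LOW: 36, Tier.MEDIUM: 24, Tier.HIGH: 12, Tier.CRITICAL: 12}


def validate(s: Supplier) -> None:
    """Reject malformed register rows rather than silently tiering them LOW."""
    if s.data_sensitivity not in ("none", "internal", "confidential", "regulated"):
        raise ValueError(f"{s.name}: unknown data_sensitivity {s.data_sensitivity!r}")
    if s.substitutability not in ("easy", "hard", "none"):
        raise ValueError(f"{s.name}: unknown substitutability {s.substitutability!r}")


def tier_for(s: Supplier) -> Optional[Tier]:
    """Ordered rules, first match wins. None means the supplier is out of scope."""
    validate(s)
    if not s.provides_ict_service:
        return None
    # A hard-to-replace provider of a critical function, or one holding regulated
    # data for such a function, gets the full assessment stack.
    if s.supports_cif and (s.substitutability != "easy" or s.data_sensitivity == "regulated"):
        return Tier.CRITICAL
    if s.supports_cif or s.data_sensitivity in ("confidential", "regulated"):
        return Tier.HIGH
    if s.data_sensitivity == "internal" or s.substitutability != "easy":
        return Tier.MEDIUM
    return Tier.LOW


def build_plan(register: list) -> dict:
    """Return {supplier_name: {tier, methods, reassess_months}} for in-scope suppliers."""
    plan = {}
    for s in register:
        t = tier_for(s)
        if t is None:
            continue  # step 1: out-of-scope suppliers are not assessed under DORA
        plan[s.name] = {"tier": t.name, "methods": METHODS[t],
                        "reassess_months": REASSESS_MONTHS[t]}
    return plan


# Constructed sample register (fictional suppliers, illustrative attributes).
REGISTER = [
    Supplier("core-banking-saas", True, True, "regulated", "none"),
    Supplier("fx-rates-feed", True, True, "internal", "easy"),
    Supplier("hr-payroll-saas", True, False, "confidential", "hard"),
    Supplier("ticketing-tool", True, False, "internal", "easy"),
    Supplier("newsletter-service", True, False, "none", "easy"),
    Supplier("office-cleaning", False, False, "none", "easy"),
]

if __name__ == "__main__":
    plan = build_plan(REGISTER)
    for name, entry in sorted(plan.items(), key=lambda kv: Tier[kv[1]["tier"]], reverse=True):
        print(f"{name:20} {entry['tier']:9} every {entry['reassess_months']:2} months: "
              + ", ".join(entry["methods"]))
```

Keeping the rules ordered and explicit (rather than an opaque weighted score) makes the tiering defensible to auditors and lets procurement and legal read the same logic the security team applies; the out-of-scope branch is deliberate so that non-ICT vendors are recorded as excluded instead of being tiered LOW by default.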

4. Collaborating and Driving Improvement

A risk assessment alone is not enough. Third parties must be engaged in a continuous improvement process. Best practices include:

  • Defining clear risk management rules and the actions to be taken based on assessment results.
  • Implementing corrective action plans collaboratively with suppliers.
  • Conducting regular reassessments to monitor progress.

5. Ensuring Effective Governance and Feedback Loops

Third-party cyber risk management is not only the responsibility of the cybersecurity department. Other stakeholders, such as procurement teams, legal teams, and other business units, must also be involved. It is essential to:

  • Share assessment results with all relevant stakeholders.
  • Issue a clear cyber recommendation on whether, and under what conditions, to work with each vendor.
  • Integrate risk assessments into contractual and supplier management processes.

Towards the Automation of Third-Party Risk Management

Given the increasing complexity of the regulatory landscape, automation plays a key role. The CyberVadis solution allows businesses to:

  • Centralize supplier information on a single platform.
  • Automate the collection of public information (certifications, cybersecurity posture analyses, etc.) and support supplier tiering.
  • Streamline due diligence strategies.
  • Industrialise and outsource maturity assessments based on evidence review.
  • Implement continuous assessments and ensure real-time tracking of corrective actions.

By structuring third-party risk management in line with DORA's requirements, businesses can enhance their digital resilience and better control cybersecurity risks across their supply chain. Through automation, a combination of assessment approaches, and evidence-based assessments delivered as a managed service, solutions like CyberVadis provide a scalable, efficient, and continuous approach to compliance and risk mitigation.
