2025 DORA Guide

The Digital Operational Resilience Act (DORA) establishes a regulatory framework for managing ICT risks in the European financial sector, emphasizing the importance of third-party risk management. DORA outlines five key pillars, including risk management, incident reporting, operational resilience testing, managing third-party risk, and ICT incident management, which organizations must adhere to for compliance. With enforcement starting in January 2025, businesses must prepare for compliance by evaluating their third-party security processes and utilizing solutions like Panorays to streamline their DORA compliance efforts.


Guide

A Guide to DORA Compliance and Third-Party Risk Management
Updated March 2025
The Digital Operational Resilience Act (DORA) is reshaping cybersecurity standards for financial institutions across
Europe and beyond. True to its name, DORA is focused on enhancing digital resilience, emphasizing the importance
of protecting critical functions from both current and emerging cyber threats.

One of its key directives states: “The financial entity must fully monitor the ICT subcontracting chain and document it.” – JC 2023 67, November 2023.

With recent updates to DORA introducing additional requirements, this guide explores how to effectively address DORA’s demands for third-party cyber risk management.

Fast Facts About DORA Compliance

What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union regulation that creates a mandatory and thorough framework for managing information and communication technology (ICT) risks within the EU financial industry.

What is the goal?

Ensure that companies follow rules for protection, detection, containment, recovery, and repair capabilities against information and communication technology (ICT)-related incidents.

How will it be enforced?

On-site and off-site inspections will help enforce compliance, as will requests for specific information, such as ICT details, incident reporting logs, and details of implemented cyber risk defenses.

What are the five pillars of DORA?

1. Risk Management. DORA’s structured risk management framework is designed to identify, assess, and mitigate risks across financial institutions and their supply chains. While US institutions follow various frameworks like NIST CSF, NIST SP 800-53, or the FFIEC guidelines, DORA introduces more comprehensive requirements, particularly regarding the management of third- and fourth-party risks.

A Guide to DORA Compliance and Third-Party Risk Management 2

2. Incident Reporting. One of DORA’s most rigorous mandates is the requirement for swift and
comprehensive incident reporting. It raises the bar by imposing strict timelines and detailed reporting
protocols.

3. Operational Resilience Testing. DORA mandates regular operational resilience testing for financial
institutions. This includes threat-led penetration testing and stress testing to identify weaknesses in
ICT systems. These tests are essential for ensuring that systems can withstand real-world cyberattacks and
operational disruptions.

4. Managing Third-Party Risk. DORA places a heavy emphasis on third-party risk management, requiring
financial institutions to assess their critical third-party providers and even subcontractors. The process
DORA demands can be broken down into five steps:

1. Identification of critical or important functions (CIFs) and third-party providers.

2. Categorization of third-party service providers based on functions they support, and their criticality
to the business.

3. Risk assessment of third-party providers and their subcontractors.

4. Ongoing monitoring of these providers to ensure compliance and resilience.

5. Contingency planning to prepare for any disruptions or failures in the supply chain.

5. ICT Incident and Threat Management. DORA’s comprehensive approach to ICT incident and threat
management requires financial institutions to have frameworks in place for detecting, managing, and
reporting cyber threats with strict timelines.

Who Must Comply with DORA?
While DORA primarily targets European financial institutions, its impact extends globally. Businesses worldwide,
especially those providing critical services to the EU’s financial sector, may need to comply with its regulations
regardless of their headquarters.

Financial Entities
DORA applies to a wide range of financial institutions, including banks, insurance and reinsurance companies,
payments and e-money providers, brokers, pension funds, capital market entities, and more.

ICT Third-Party Service Providers

Organizations providing critical services to financial entities, such as cloud providers, software vendors, fraud management tools, collaborative platforms, CRM solutions, and other ICT services, are also within DORA’s scope.

Global Reach of DORA

Even if your business is headquartered outside Europe, compliance may be required if you operate in one of the 22 industries outlined in DORA’s Article 2 or provide critical services to these industries. Businesses with subsidiaries or operations in the EU must take note: DORA’s regulations extend beyond borders.

Which Industries Are Impacted by DORA?

DORA’s regulations aim to enhance digital resilience across the financial ecosystem. Industries affected include:
• Alternative funds (AIFMs)

• Clearinghouses

• Credit organizations

• Crypto services

• Digital payment companies

• Insurance firms

• Investment enterprises

• Payment service providers

• Trading platforms

• UCITS management firms

• ICT third-party service providers. This includes cloud providers like Amazon Web Services, Microsoft Azure, and Salesforce Cloud, as well as software vendors, fraud management providers, collaborative tools, CRM solutions, etc.

This broad scope means that any organization providing essential services to these industries may need to comply,
regardless of location.

DORA and Third-Party Cyber Security

DORA is transforming how organizations approach cybersecurity, with clear and specific requirements for
managing third-party risks. As external vendors become more integral to business operations, it’s easy to see why
this regulation emerged. Understanding these obligations is essential to maintaining digital resilience. This section
breaks down DORA’s third-party cybersecurity requirements, offering practical guidance to help organizations stay
compliant and secure.

Understanding DORA and Third-Party ICT Risk

Among the “5 Pillars” of DORA, three relate directly to third-party risk governance:

1. ICT Risk Management Framework. Choose a security control framework.

2. ICT-Related Incident Reporting. Monitor the technology contracting chain, identify new threats, and
prepare regulator incident reports.

3. ICT Third-Party Risk Management. Categorize vendors, assess their DORA compliance, and identify
technology subcontracting chains.

a. Register of Information. Report on third-party ICT relationships and concentration risk.

b. Exit Strategy. Design and test exit strategies for supplier relationships supporting critical functions.

c. Contractual Provisions. Prepare the required documents (legal team).

DORA Enforcement Timelines

DORA enforcement started on January 17, 2025. Since its inception in 2022, the regulation has undergone
multiple reviews and refinements. As compliance requirements take effect, organizations must prepare for closer
collaboration with European Supervisory Authorities (ESAs). This includes defining policies, reporting ICT-related
incidents, and developing strong Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs).

A key deadline to note: Most of the EU regulators will expect the first Register of Information report in April,
though some are announcing target dates in March. Moving forward, organizations will be required to submit their
reports annually by March 30 to remain compliant.

To achieve compliance, you’ll need to evaluate your current third-party security risk management process, identify
any gaps, and explore effective solutions. While you can find the full requirements here, these are the practical steps
organizations can take to build a DORA-compliant third-party risk program:

• Identify your critical and important business functions (CIFs) and the suppliers supporting them. You need to profile each business function and document suppliers, contracts, and the specific usage of each ICT service in the context of those functions. You’ll also identify the subcontractors of those ICT providers.

• Prepare the Register of Information report. The data about your functions, suppliers, contracts, and usage
must be compiled into an annual report which you’ll submit to the regulators. The format is a complex one,
including 18 data files in two folders, all zipped for submission.

• Create compatible questionnaires and documents. Shared Assessments, for example, have delivered the
2025 version of their SIG questionnaire content library, which directly supports and is mapped to DORA, as
well as many other standards and regulations.

• Monitor the entire ICT contracting chain for potentially disruptive or damaging events. DORA requires
companies to report incidents to the Supervisory Authority (SA). When a fourth or fifth party has a breach,
malware attack, or other incident, you must contact the related third party to learn details and plans to
mitigate the damage.

How Panorays Can Help You Achieve DORA Compliance

Panorays’ integrated solution simplifies DORA compliance by embedding it into the existing third-party cyber risk management (TPCRM) process. It enables customers to collect the data needed for the Register of Information, assess ICT third-party compliance with DORA requirements, and monitor their contracting chain for cyber and IT risks. This integration supports full compliance without the need to manage it as a separate, standalone task.

From user-friendly, ready-to-use questionnaire templates that cover all the key data points required by the
final standards, to a comprehensive reporting package, Panorays provides everything you need to generate
the Register of Information report that regulators require.

Panorays helps you with the following:

1. ICT-Related Incident Reporting. Panorays provides comprehensive support for ICT-related incident
reporting, helping organizations stay resilient and responsive.

This includes:

• Vulnerability Monitoring: Continuous tracking of potential threats and weaknesses.

• Risk Insights and Response: Real-time analysis and actionable recommendations for addressing risks.

• Alerts and In-App Communication: Instant notifications and seamless communication channels.

Panorays not only reports incidents, but also contextualizes them to your business, prioritizing third parties
critical to your supply chain. Additionally, the platform facilitates direct communication with affected third
parties, ensuring a swift and coordinated response.

2. ICT Third-Party Risk Management.

• Vendor Classification: Categorize and document vendors by criticality and sensitivity relative to your
critical and important functions (CIFs) with ready-to-use, DORA-specific templates covering all required
data points.

• Compliance Assessment: Evaluate ICT compliance with DORA, security requirements, and other
regulations and standards using Shared Assessments 2025 SIG content.

• Supply Chain Visibility: Uncover your digital supply chain and identify third-party dependencies.

3. Register of Information.

• Streamlined File Creation: Easily compile and prepare files for SA submission.

• Comprehensive Reporting: Ensure all required data is complete and accurately entered.

• Regulator-Ready Package: Panorays automatically generates the full Register of Information report in
the precise format required by regulators.

Strengthening the Resilience of Financial Services

According to Akamai Technologies, the number of attacks on European financial services doubled in 2023, with the
industry being the third most attacked within the EMEA (Europe, Middle East, and Africa) region. At the same time,
Gartner has reported that 45% of organizations experienced third-party-related business interruptions over the past
two years. More than half of CISOs (65%) view third-party security threats as a top priority today.

With third-party attacks on the rise and regulatory requirements tightening, CISOs must take proactive steps to minimize third-party risks. While DORA’s security control requirements continue to evolve, organizations should focus on maintaining full compliance. Strengthening your security posture, preparing to mitigate attacks, and enhancing your brand’s trustworthiness go hand in hand. Ensuring compliance isn’t just about meeting regulations; it’s about building long-term resilience in an increasingly complex threat landscape.

About Panorays

Panorays is a leading provider of third-party cyber risk management solutions, helping businesses optimize their defenses for each unique third-party relationship. Trusted by the most complex supply chains in the world, Panorays goes far beyond the generic third-party risk management solution with its AI-powered platform, making assessments adaptable and more personalized. Panorays provides businesses the tools to stay ahead of emerging third-party threats and delivers actionable remediations with strategic advantages.

Want to learn more about how Panorays’ third-party cyber risk management platform can help you comply with DORA? Get a demo today.

Get a Demo Today

Copyright © 2024, Panorays. All rights reserved.
