DORA - Trever’s role as an ICT third party service provider
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening cyber resilience in the financial sector and better protecting financial institutions against digital threats. Get an overview of the requirements institutions have to meet and how Trever (as an ICT third-party service provider) supports them in staying compliant.
Last updated on Thu Feb 13 2025
Under DORA, financial entities are required to report significant ICT (Information and Communication Technology) related incidents, implement proactive risk mitigation measures, and establish robust strategies for managing operational disruptions. Furthermore, the regulation mandates a comprehensive ICT third-party risk management framework to minimize risks associated with outsourced ICT services, thereby ensuring the stability and security of the EU financial system.
DORA applies to a wide range of financial institutions, including banks, crypto asset service providers, and investment firms, among others. Organizations that engage ICT/cloud service providers such as Trever must ensure that these providers also operate in full compliance with DORA requirements. 1

Requirements institutions must comply with
The following points provide an overview of the key requirements financial institutions must meet to ensure DORA compliance:
- ICT Risk Management: Financial institutions must establish resilient ICT systems, identify critical functions and assets, and continuously monitor all sources of ICT risk. This includes the real-time detection of anomalous activities, comprehensive incident response and recovery plans with regular testing, and mechanisms to learn from incidents and external events. The objective is to minimize risks and ensure business continuity, even in crisis situations.
- Management, Classification, and Reporting of ICT-Related Incidents: DORA sets uniform requirements for handling major ICT-related incidents within the EU financial sector. Financial institutions must establish effective processes to detect, contain, and resolve such incidents. Additionally, the regulation mandates standardized classification and reporting to ensure a consistent and structured risk assessment framework.
- Testing of Digital Operational Resilience: Financial institutions are required to conduct annual ICT resilience assessments, promptly remediate vulnerabilities, and perform regular threat-led penetration testing (TLPT) for critical ICT services. Third-party providers must also fully cooperate in these testing procedures.
- ICT Third-Party Risk Management: Financial institutions must comprehensively monitor risks associated with ICT third-party providers and maintain a complete inventory of outsourced activities, including any changes to critical services. They must assess IT concentration risks, sub-outsourcing risks, and ensure that service agreements cover all relevant contractual details, such as the scope of services and data processing locations. Critical ICT third-party providers are subject to an EU regulatory framework, allowing authorities to issue risk-mitigating recommendations, which financial institutions must ensure are implemented. 2
How Trever supports being DORA-compliant
Trever contributes to the DORA compliance of financial institutions in the following ways:
- ICT risk management framework and third-party service providers: Trever adheres to the highest standards of information security and fully complies with international ISO 27001 requirements. For critical or essential functions, additional transparency is ensured through regular self-assessments, annual penetration tests, and vulnerability analyses. These measures guarantee that the most up-to-date and stringent information security standards are consistently applied.
- Emergency Plans: In addition, a comprehensive emergency management framework has been implemented, designed to meet the highest security and resilience requirements. IT response and recovery plans are regularly tested, documented, and optimized to ensure rapid service restoration and minimize potential damage in the event of a disruption.
- Compliance with Contractual Requirements under Article 30: Trever ensures that all essential contractual provisions in accordance with Article 30 of DORA are fully implemented and strictly adhered to. This includes, for example, appropriately long termination periods for contractual agreements and the obligation to provide support in the event of an ICT incident, either free of charge or at predefined costs. These and additional requirements are outlined in Article 30 of DORA.
To sum up, Trever’s Digital Asset Operating System prioritizes reliability, transparency, and compliance in meeting the requirements of DORA. It ensures operational continuity, minimizes risks, and upholds regulatory standards, giving financial institutions the confidence to navigate the evolving digital landscape.
If you have further detailed questions about Trever's role as an ICT service provider, do not hesitate to contact our team of experts straightaway: https://trever.io/contact/
Sources:
1, 2 Digital Operational Resilience Act (DORA). (n.d.). PwC Österreich GmbH Wirtschaftsprüfungsgesellschaft. https://www.pwc.at/de/dienstleistungen/wirtschaftspruefung/cybersecurity/der-digital-operational-resilience-act--dora.html
Disclaimer:
The information provided on this website and in blog posts is for general informational purposes only. It does not constitute legal or financial advice and should not be interpreted as such. In particular, this information does not constitute an offer or solicitation to buy, sell, or trade any assets or digital currencies.
Please note that Trever GmbH is neither licensed under the Austrian Securities Supervision Act (Wertpapieraufsichtsgesetz 2018, WAG 2018) nor under the German Commercial Securities Authorization Act (Gewerbliches Wertpapierberechtigungsgesetz, GWB), nor is it a licensed credit institution. Trever is not registered as a financial service provider and does not offer investment advice or similar services. The views expressed in the content are solely those of the author and are subject to change without notice.
Trever GmbH assumes no liability for any decisions made based on the information provided. The use of this content is at your own risk. We recommend that you seek advice from qualified professionals and conduct your own independent evaluation of the legal and financial implications before making any investment decisions.