CATEGORY: Regulatory Compliance & Risk

DORA ICT Third-Party Risk Manager Made Simple – Managing Outsourcing Risk Under the Digital Operational Resilience Act (C19-I)

Course Access: Lifetime
Course Overview

This course focuses on managing ICT third-party risk under DORA. You’ll gain:

DORA Outsourcing Requirements
  • Understand DORA’s definition of critical ICT third-party providers
  • Learn the legal obligations for financial entities and vendors
  • Explore Articles 28-31 and related EBA/EIOPA/ESMA guidelines

Risk Identification & Classification
  • Identify ICT services subject to DORA oversight
  • Classify providers based on criticality and impact
  • Use risk matrices and tiering models

Contractual & Monitoring Obligations
  • Draft DORA-compliant outsourcing contracts
  • Include clauses for audit rights, incident reporting, and exit strategies
  • Monitor performance, resilience, and compliance continuously

Incident & Continuity Planning
  • Ensure third-party incident response aligns with internal protocols
  • Validate business continuity and disaster recovery capabilities
  • Coordinate joint testing and tabletop exercises

Oversight & Governance
  • Build third-party risk governance frameworks
  • Assign roles, responsibilities, and escalation paths
  • Report to senior management and regulators

Cross-Regulatory Alignment
  • Align DORA third-party risk with NIS2, GDPR, and ISO 27036
  • Harmonize controls across privacy, security, and resilience domains
  • Reduce duplication and streamline vendor oversight
