Due diligence of ICT services and ICT service providers in the context of the requirements of the DORA Regulation

Digitalisation has developed unprecedented momentum in the financial and insurance industries in recent years. This transformation is accompanied by increasing regulatory requirements, which necessitate risk-oriented and structured management of IT-supported business processes. The EU's Digital Operational Resilience Act (DORA) regulation represents a significant milestone in this regard. It aims to strengthen the digital resilience of financial companies and their service providers and to establish uniform standards with regard to ICT risks. A central element of the DORA Regulation is the due diligence of ICT services and service providers. This blog post highlights how structured and regulatory-compliant due diligence must be designed in the financial and insurance environment.

Definition of ‘critical function’ according to DORA

A key challenge in applying the DORA Regulation is the clear definition of the term ‘critical function’. DORA itself provides a framework, but leaves the specific application to the interpretation of the institution. A function is critical if its disruption has a significant impact on the financial stability, business operations or compliance with legal obligations of the institution. This includes, in particular, core processes such as payment transactions, lending, asset management and regulatory reporting. The determination of criticality must be systematic, documented and based on defined criteria, taking into account both internal and external factors.

Process map as the basis for due diligence

An up-to-date and complete process map is the foundation of any sound due diligence. It enables the identification of all relevant business processes and their dependencies on ICT services. Only with a complete overview is it possible to assess which services are to be classified as critical. The process map should contain both functional and technical process descriptions and clearly document which software solutions, hardware components and IT service providers are used to support the respective processes. In addition, continuous updating is essential in order to adequately reflect changes due to new technologies or organisational adjustments.

Determining protection requirements at the process and service level

Another key component is the determination of protection requirements, which must be carried out for every relevant business process and the supporting ICT services. In particular, the three protection objectives of confidentiality, integrity and availability (CIA) must be taken into account. The protection requirement analysis should be risk-based and embedded in the institution's information security strategy. Processes that are highly relevant for compliance with legal requirements or for business success usually require a high level of protection. The analysis must be granular enough to be able to reflect differences within a process or service.

Consistency check of protection requirements

One of the most common weaknesses in due diligence processes is the lack of consistency checks of protection requirements between processes and the ICT services that support them. A process must never have a lower protection requirement than the underlying ICT service, as this can lead to misjudgements in risk management. Therefore, a comparison is absolutely necessary. This comparison ensures that the technical and organisational security of the service meets the requirements of the business process. Additional measures such as encryption, redundancy or high-availability solutions may be necessary to ensure the required level of protection.

Risk assessment and service provider evaluation

As part of due diligence, a comprehensive risk assessment of the ICT service provider must be carried out. This includes, among other things:

• Market presence: How stable is the service provider's position in the market? Are there any signs of economic weakness?
• Maturity of the service: What stage is the service offered at? How long has it been in productive use?
• Substitutability: How easy is it to replace the service provider or the service? Are there suitable alternatives?
• Location of service provision and data storage: Is the service provided in an EU member state or a third country? What data protection requirements apply?
• Sub-service providers: Are services outsourced to third parties? What role do they play in the provision of services? How critical is their contribution?
• Repatriation of the service: How complex is it to repatriate the outsourced service to the institution? Is there an exit scenario in place?
• Concentration risks: Are there dependencies on one or a few service providers or locations?
• Conflicts of interest: Are there any potential conflicts of interest, for example due to shareholdings?
• EU sanctions list: Is the service provider or one of its sub-service providers on a sanctions list?

These criteria must be systematically recorded, evaluated and regularly reviewed.

Gross and net risks and mitigating measures

A key element of risk management is the distinction between gross and net risks. Gross risks represent the unfiltered risks associated with the ICT service. Net risks are the remaining risks after taking into account the security and control measures that have been implemented. The introduction of mitigating measures – such as SLAs, contractual exit options, business continuity plans or technical security precautions – is crucial to reducing risks to an acceptable level. As part of due diligence, these measures must be identified, evaluated and continuously reviewed for effectiveness.

Conclusion: Due diligence as a continuous control process

Due diligence of ICT services and service providers is not a one-off activity, but a continuous process that must be deeply embedded in IT governance and risk management. The requirements of the DORA Regulation significantly increase regulatory requirements and necessitate a structured, systematic and traceable approach. For institutions in the financial and insurance sectors, this means that they must analyse, control and document their processes, systems and service providers even more intensively. This is the only way to meet the requirements of DORA and strengthen digital resilience in the long term.