
DORA System for ICT Providers and Digital Resilience

Use supplier registry for ICT service providers, risk management for ICT risks, and self-assessments for supplier monitoring. Digital Operational Resilience Act applies from January 2025.

Supplier registry for ICT service providers

DORA requires a registry of ICT providers. Use the supplier registry to document ICT providers along DORA's logic — classify critical providers, link contracts and exit strategies.

Risk management for ICT risks

DORA requires a documented ICT risk management framework. Document ICT assets in the asset registry, assess ICT risks in the risk matrix, and link security measures to manage risks systematically.

Supplier assessments and monitoring

DORA requires regular assessment of critical ICT providers. Send security assessments to critical providers, track performance, and document continuous monitoring.

Compile reports without weekly spreadsheet work

Activity is logged in the platform — supplier registry, risk assessments, contract requirements and measures. Export supporting documentation without manual compilation.

DORA represents a paradigm shift for financial companies' management of digital risks. With ChainSec, you get a systematic approach to supplier monitoring and ICT risk management that supports your work with both current and future requirements for digital resilience.

What is DORA and who is covered?

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2025 and aims to strengthen digital resilience within the financial sector. The regulation covers banks, insurance companies, securities firms, payment institutions, pension funds, and other financial actors, as well as their critical ICT service providers.

To meet DORA requirements, financial companies need to implement comprehensive measures:

  • Robust ICT risk management with focus on digital risks and security in information and communication technology.

  • Systematic monitoring and verification of critical ICT providers' security level and performance.

  • Mandatory stress tests and crisis management processes to verify digital resilience and recovery capability.

ChainSec platform for DORA compliance

Structured ICT provider tracking. From the first supplier.

DORA requires a complete ICT provider registry, systematic risk assessments and documented follow-up. ChainSec gives you the GRC tools to structure that work — supplier register, risk register and assessments.

Structure your ICT provider registry

DORA requires a registry of all ICT service providers. Document services, contracts and data locations, classify critical providers and link exit strategies — a structured view of your ICT chain you can maintain over time.

Document your ICT risk framework

DORA requires a documented ICT risk management framework. Register ICT assets, assess risks in the risk matrix and link security controls to each risk — so your ICT risk management is structured, not ad hoc.

Assess critical ICT providers

DORA requires regular assessment of critical ICT providers. Send structured security assessments that cover resilience, recovery capability and security level. All assessments are documented with full history.

Compile reports without weekly spreadsheet work

Export reports on your ICT registry, provider classifications, risk assessments and monitoring history — without manual compilation each time someone asks.

See ChainSec in action

Book a demo and we'll show you how you can handle gap analyses and supplier reviews in one system – instead of Excel. After the demo, you can test the platform for free.


Questions and answers

When does DORA take effect and who is covered?

DORA came into force on January 17, 2025 and applies to all financial companies in the EU: banks, insurance companies, securities firms, payment institutions, fund managers, pension funds, and crypto companies. There are no size exemptions - even small companies must comply.

What must we include in our ICT provider register?

You must document all ICT providers with: provider name and contact details, which services they provide, whether they are critical or not, contract information and contract periods, and location where data is stored and processed. The register must be continuously updated.

How do we classify critical ICT providers?

An ICT provider is critical if: the service is difficult to replace in the short term, disruption would significantly impact operations, the provider handles sensitive or business-critical data, or you have significant dependency on the provider. Document the classification and risk assessment.

What clauses are required in ICT provider contracts?

Contracts must include: right to audit the provider's security and processes, requirements for incident reporting to you, documented exit strategies and transition plans, security requirements and SLAs, and information about any sub-processors.

How often should we assess our ICT providers?

Critical providers must be assessed at least annually. Conduct security assessments, review their incident management and recovery capability, verify that contract requirements are met, and document all assessments and identified risks.

What is an exit strategy and why is it required?

An exit strategy describes how you can terminate cooperation with an ICT provider without disrupting operations. It should include: alternative providers, transition timeline, how data is transferred, and how continuity is ensured during the switch. This is mandatory for critical providers.

Must we report provider incidents?

Yes, if an ICT provider has an incident that affects your operations, you must report according to DORA's timelines: Initial notification within 4 hours, incident report within 72 hours, and final report within one month. Also document minor incidents for annual reporting.

How does ChainSec help with DORA provider requirements?

ChainSec provides a central register for all ICT providers, tools to classify critical providers, customizable security assessment templates, structured follow-up of provider performance, and exported reports you can share with supervisory authorities.