Meet DORA Requirements with ChainSec

Use supplier registry for ICT service providers, risk management for ICT risks, and self-assessments for supplier monitoring. Digital Operational Resilience Act applies from January 2025.

Supplier registry for ICT service providers

DORA Article 28 requires a registry of ICT providers. Use the supplier registry to document all ICT providers, classify critical providers, link contracts and exit strategies.

Risk management for ICT risks

DORA Article 6 requires an ICT risk management framework. Document ICT assets in the asset registry, assess ICT risks in the risk matrix, and link security measures to manage risks systematically.

Supplier assessments and monitoring

DORA Article 30 requires assessment of ICT providers. Send security assessments to critical providers, track performance, and document continuous monitoring.

Documentation for supervision

DORA requires demonstrable compliance. All information is logged automatically: the supplier registry, risk assessments, contract requirements, and measures. Export reports that are ready for supervisory authorities.


DORA represents a paradigm shift for financial companies' management of digital risks. With ChainSec, you get a systematic approach to supplier monitoring and ICT risk management that supports your work with both current and future requirements for digital resilience.

What is DORA and who is covered?

The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2025 and aims to strengthen digital resilience within the financial sector. The regulation covers banks, insurance companies, securities firms, payment institutions, pension funds, and other financial actors, as well as their critical ICT service providers.

To meet DORA requirements, financial companies need to implement comprehensive measures:

  • Robust ICT risk management with focus on digital risks and security in information and communication technology.

  • Systematic monitoring and verification of critical ICT providers' security level and performance.

  • Mandatory stress tests and crisis management processes to verify digital resilience and recovery capability.


How to use ChainSec for DORA compliance

ChainSec provides financial companies with the tools to meet DORA's requirements for ICT supplier management and risk management. Here's how you use the platform:

Supplier registry for Article 28

DORA Article 28 requires a registry of all ICT service providers. Gather ICT providers in the registry, document services and contracts, classify critical providers, link exit strategies, and show authorities a complete overview of the ICT chain.

Risk management for Article 6

DORA Article 6 requires an ICT risk management framework. Document ICT assets in the asset registry, assess ICT risks in the risk matrix, link security controls to risks, and demonstrate systematic ICT risk management.

Supplier assessments for Article 30

DORA Article 30 requires assessment of critical providers. Send security assessments to evaluate providers' resilience, recovery capability, and security level. Document all assessments and follow up on actions.

Documentation ready for supervision

DORA requires demonstrable compliance. Export reports on the ICT supplier registry, classification of critical providers, risk assessments, contract requirements, and continuous monitoring, so that the documentation is ready for supervisory authorities.

See ChainSec in action

Book a demo and we'll show you how you can handle gap analyses and supplier reviews in one system – instead of Excel. After the demo, you can test the platform for free.


Questions and answers

When does DORA take effect and who is covered?

DORA came into force on January 17, 2025 and applies to all financial companies in the EU: banks, insurance companies, securities firms, payment institutions, fund managers, pension funds, and crypto companies. There are no size exemptions - even small companies must comply.

What must we include in our ICT provider register?

You must document all ICT providers with: provider name and contact details, which services they provide, whether they are critical or not, contract information and contract periods, and location where data is stored and processed. The register must be continuously updated.

How do we classify critical ICT providers?

An ICT provider is critical if: the service is difficult to replace in the short term, disruption would significantly impact operations, the provider handles sensitive or business-critical data, or you have significant dependency on the provider. Document the classification and risk assessment.

What clauses are required in ICT provider contracts?

Contracts must include: right to audit the provider's security and processes, requirements for incident reporting to you, documented exit strategies and transition plans, security requirements and SLAs, and information about any sub-processors.

How often should we assess our ICT providers?

Critical providers must be assessed at least annually. Conduct security assessments, review their incident management and recovery capability, verify that contract requirements are met, and document all assessments and identified risks.

What is an exit strategy and why is it required?

An exit strategy describes how you can terminate cooperation with an ICT provider without disrupting operations. It should include: alternative providers, transition timeline, how data is transferred, and how continuity is ensured during the switch. This is mandatory for critical providers.

Must we report provider incidents?

Yes, if an ICT provider has an incident that affects your operations, you must report according to DORA's timelines: Initial notification within 4 hours, incident report within 72 hours, and final report within one month. Also document minor incidents for annual reporting.

How does ChainSec help with DORA provider requirements?

ChainSec provides a central register for all ICT providers, tools to classify critical providers, templates for DORA-adapted security assessments, structured follow-up of provider performance, and reports demonstrating compliance for supervisory authorities.