DORA's ICT Vendor Obligations
The EU Digital Operational Resilience Act (DORA), effective January 2025, requires financial institutions (banks, insurance companies, investment firms, payment service providers) to implement rigorous ICT third-party risk management programs. Key requirements:
Mandatory contractual provisions (Article 30): DORA specifies mandatory clauses for contracts with ICT third-party service providers, including provisions for full access, inspection, and audit rights; incident notification timelines; exit strategies; and performance standards.
Annual assessments (Article 28): financial institutions must perform due diligence on all material ICT third-party service providers at least annually. "Material" is broadly defined: any ICT provider whose disruption would significantly affect operations, including anonymization tools used in compliance workflows.
ICT third-party register (Article 28(3)): financial institutions must maintain and update a register of all material ICT third-party agreements, including security documentation.
Managing annual reassessments of dozens of ICT vendors is operationally expensive. The typical estimate for an unstructured custom assessment is 40–80 hours per vendor per year. For a Dutch bank with 50 material ICT vendors, annual assessments represent 2,000–4,000 hours of compliance team time, the equivalent of one to two full-time staff members dedicated exclusively to vendor assessment.
The ISO 27001 Annual Assessment Shortcut
ISO 27001 certification's value for DORA compliance lies in its annual surveillance structure. The certification body performs surveillance audits annually and recertification audits every three years. The certification remains current as long as the surveillance audits confirm ongoing compliance. The certificate itself carries an expiry date.
For DORA's annual assessment requirement, a financial institution can satisfy the "performed due diligence" standard by pulling the vendor's current ISO 27001 certificate annually and verifying its currency. The certificate demonstrates that an independent audit body assessed the vendor's 93 security controls within the past year. This evidence is documented in the ICT third-party register.
A Dutch bank subject to DORA can assess an ISO 27001 certified anonymization vendor by verifying certificate currency, taking hours rather than weeks. The bank saves 60 hours of assessment time per vendor per year. Across 20 ISO 27001 certified vendors in its register, the annual saving represents 1,200 hours, enough to reallocate significant compliance resources.
DORA's Relevance to Privacy Tools
Privacy and anonymization tools are ICT providers under DORA's scope for financial institutions that use them to process customer data, comply with GDPR, prepare regulatory submissions, or handle KYC documentation. An anonymization tool that processes customer data is a material ICT provider if its disruption would prevent the institution from complying with GDPR's data minimization requirements or producing GDPR-compliant regulatory submissions.
Sources: