
DORA ICT Vendor Management: How ISO 27001 Simplifies Your Annual Vendor Risk Register Obligations

DORA requires financial institutions to maintain rigorous oversight of ICT vendors including annual assessments and incident notification requirements. ISO 27001 surveillance audits satisfy DORA Article 28 due diligence with a certificate pull rather than a 60-hour custom assessment.

March 5, 2026 · 8 min read
Tags: DORA ICT vendor management, ISO 27001 DORA compliance, financial institution vendor risk, annual vendor assessment, MiFID II vendor oversight

DORA's ICT Vendor Obligations

The EU Digital Operational Resilience Act (DORA), effective January 2025, requires financial institutions — banks, insurance companies, investment firms, payment service providers — to implement rigorous ICT third-party risk management programs. Key requirements:

Mandatory contractual provisions (Article 30): DORA specifies mandatory clauses for contracts with ICT third-party service providers, including provisions for full access, inspection, and audit rights; incident notification timelines; exit strategies; and performance standards.

Annual assessments (Article 28): Financial institutions must perform due diligence on all material ICT third-party service providers at least annually. "Material" is broadly defined — any ICT provider whose disruption would significantly affect operations, including anonymization tools used in compliance workflows.

ICT third-party register (Article 28(3)): Financial institutions must maintain and update a register of all material ICT third-party agreements, including security documentation.

Managing annual reassessments of dozens of ICT vendors is operationally expensive. The typical estimate for an unstructured custom assessment: 40–80 hours per vendor per year. For a Dutch bank with 50 material ICT vendors, annual assessments represent 2,000–4,000 hours of compliance team time — the equivalent of one to two full-time staff members dedicated exclusively to vendor assessment.

The ISO 27001 Annual Assessment Shortcut

The value of ISO 27001 certification for DORA compliance lies in its annual surveillance structure. The certification body performs surveillance audits annually and recertification audits every three years. The certification remains current as long as the surveillance audits confirm ongoing compliance, and the certificate itself carries an expiry date.

For DORA's annual assessment requirement, a financial institution can satisfy the "performed due diligence" standard by pulling the vendor's current ISO 27001 certificate annually and verifying its currency. The certificate demonstrates that an independent audit body assessed the vendor's 93 security controls within the past year. This evidence is documented in the ICT third-party register.

A Dutch bank subject to DORA can assess an ISO 27001 certified anonymization vendor by verifying certificate currency, a task that takes hours rather than weeks. The bank saves 60 hours of assessment time per vendor per year. Across 20 ISO 27001 certified vendors in its register, the annual saving represents 1,200 hours, enough to reallocate significant compliance resources.

DORA's Relevance to Privacy Tools

Privacy and anonymization tools are ICT providers under DORA's scope for financial institutions that use them to process client data, comply with GDPR, prepare regulatory submissions, or handle KYC documentation. An anonymization tool that processes client data is a material ICT provider if its disruption would prevent the institution from complying with GDPR's data minimization requirements or producing GDPR-compliant regulatory submissions.

