6 Solutions to Help you Comply with DORA UK Third-Party Risk Management
Is your supply chain secure? That is the question posed by the third-party risk management pillar of DORA. By setting strict requirements for contracting with, managing and reporting on ICT service providers, DORA makes firms responsible for mitigating the cyber risk that third-party suppliers can introduce.
In short, UK firms that provide services to EU financial entities, or that exchange content with them, need DORA-compliant content communication tools. In this blog, we break down DORA third-party risk management and the six capabilities you should be introducing.
How Does Third-Party Risk Management Affect UK Firms?
“Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles …” – Article 28
One of the main focuses of the EU DORA regulation is third-party risk. In this pillar, the act addresses the cyber risks that come from third-party ICT providers. This covers not only the resilience of the ICT services you source externally, but also the tools your partners use to communicate, collaborate or share content with your organisation.
For example, are the emails sent between you and your supply chain secure? Are your tools or theirs introducing any cyber risks? Is your file sharing tool compliant and can you be sure that you’re not sending data to an unsafe third-party environment?
In other words, UK firms working with EU partners or that deliver services in the EU must take responsibility for secure third-party content communication.
DORA is also more prescriptive than the UK operational resilience regulation, and it carries its own penalty regime for non-compliance. With this in mind, UK firms cannot rely on their partners or providers to be accountable for data and content security. They need a proactive approach to third-party risk and resilience, built with solutions they trust.
6 Solutions for DORA UK Third-Party Risk Management
1. Secure Third-Party File Sharing
Whether organisations are sharing files for audits or providing services that require file sharing in the EU, firms must use secure file sharing tools to protect this content. Secure file sharing tools let you set and enforce policies from your own system, so you can share large volumes of sensitive data while remaining confident that its confidentiality is intact.
2. Digital Rights Management (DRM)
There will always be instances where you need to collaborate with partners, for example shared files that require joint editing or commenting. Under DORA, firms need to maintain complete (and granular) access control in this process.
Digital rights management solutions, like Kiteworks SafeEDIT, allow editable file access without giving up source control. You can share files that external organisations can work on without the files ever leaving your own digital environment.
3. End-to-End Email Encryption
Traditional email is often unsuitable for sharing customer data, market data or audit data, for example. To manage third-party risk effectively, organisations should ensure that all email content is encrypted and can only be accessed by the intended recipient.
Kiteworks’ secure, DORA-compliant email tools are end-to-end encrypted. This means any sensitive email your organisation sends stays encrypted in transit and at rest in the recipient’s inbox, and only the intended recipient can decrypt it. Plus, recipients cannot forward messages to unauthorised persons, so you remain in control. Bear in mind that forwarding controls apply while the message is viewed inside the protected environment; once content is displayed on a recipient’s screen, no technical control stops it being photographed or retyped, so contractual and training measures still matter.
4. Third-Party Compatibility
It’s important to introduce tools that work regardless of what the recipient’s systems support. For example, a common problem is that recipients are forced to download encrypted email files and decrypt them locally in order to read them. This places decrypted content on an endpoint the sender does not control, and it conditions recipients to open email attachments, a habit that phishing relies on.
In contrast, Kiteworks email encryption uses a compatible gateway so that recipients can always open emails within a secure environment.
5. Comprehensive Audit Logs
For DORA in the UK, monitoring and tracking activity across your third-party communication will be essential. Once again, using a single platform to manage all channels will reduce risk and improve visibility.
Look for solutions that offer comprehensive logging and reporting against all activity. This should include data access, file transfers, logins, policy decisions and more. Logs should be retained for the period your regulator expects and protected against tampering, otherwise they cannot serve as evidence. This allows you to record all content communication and, as a result, evidence compliance against DORA UK regulatory standards.
6. Access Control Mechanisms
Organisations can manage the risks introduced by third-party ICT solutions (and partners) by using access controls. These can be applied to both stored and transferred files, controlling who can access what and to what extent.
Some solutions, like Kiteworks, offer granular controls such as role-based policies, so each external party is granted only the access its role requires and nothing more. A default-deny stance, where anything not explicitly permitted is refused, reduces the risk of a breach or unauthorised access even further.
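As an added example tying items 5 and 6 together (this is illustrative code written for this post, not Kiteworks’ own implementation), the following Python sketch combines a default-deny role-based sharing policy, an allow-list of contracted counterparty domains, and an audit log in which every record carries the SHA-256 hash of the record before it, so `verify()` detects a record that has been altered, removed or reordered and `report()` produces the figures an auditor would ask for. It goes slightly beyond the text by showing the tamper check. The role names, classification levels, domains, file names and timestamps are constructed assumptions.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

# Hypothetical default-deny policy: role -> classification -> allowed actions.
# Any (role, classification, action) combination not listed here is refused.
POLICY = {
    "internal-analyst": {
        "public": {"view", "download", "edit"},
        "confidential": {"view", "download", "edit"},
        "restricted": {"view", "edit"},
    },
    "external-auditor": {"public": {"view", "download"}, "confidential": {"view"}},
    "external-partner": {"public": {"view", "download"}},
}
OWN_DOMAIN = "bank.example"                                         # assumed
APPROVED_EXTERNAL_DOMAINS = {"auditor.example", "partner.example"}  # assumed contracted counterparties
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    actor: str
    role: str
    action: str
    file: str
    classification: str
    decision: str
    reason: str
    prev_hash: str
    hash: str


def _digest(fields: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def decide(actor: str, role: str, action: str, classification: str) -> tuple[str, str]:
    """Return ("allow"|"deny", reason). The counterparty allow-list is checked first."""
    domain = actor.rsplit("@", 1)[-1]
    if domain != OWN_DOMAIN and domain not in APPROVED_EXTERNAL_DOMAINS:
        return "deny", f"{domain} is not an approved counterparty"
    if action in POLICY.get(role, {}).get(classification, set()):
        return "allow", f"{role} may {action} {classification} content"
    return "deny", f"{role} may not {action} {classification} content"


class AuditLog:
    """Append-only log; each record stores the SHA-256 of the previous record."""

    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    def authorize(self, actor, role, action, file, classification, ts=None) -> bool:
        decision, reason = decide(actor, role, action, classification)
        fields = dict(
            ts=ts or datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, action=action, file=file,
            classification=classification, decision=decision, reason=reason,
            prev_hash=self.events[-1].hash if self.events else GENESIS,
        )
        self.events.append(AuditEvent(**fields, hash=_digest(fields)))
        return decision == "allow"

    def verify(self) -> bool:
        """False if any record was altered, removed or reordered."""
        prev = GENESIS
        for ev in self.events:
            fields = asdict(ev)
            fields.pop("hash")
            if ev.prev_hash != prev or _digest(fields) != ev.hash:
                return False
            prev = ev.hash
        return True

    def report(self) -> dict:
        """Summary an auditor would ask for: external transfers and denied requests."""
        out = {"allowed": 0, "denied": 0, "external_transfers": [], "denied_external": []}
        for ev in self.events:
            external = ev.actor.rsplit("@", 1)[-1] != OWN_DOMAIN
            if ev.decision == "allow":
                out["allowed"] += 1
                if external and ev.action == "download":
                    out["external_transfers"].append((ev.actor, ev.file))
            else:
                out["denied"] += 1
                if external:
                    out["denied_external"].append((ev.actor, ev.action, ev.file))
        return out


def tampered_copy(log: AuditLog, index: int, **changes) -> AuditLog:
    """Copy of `log` with one record edited, to show the chain check catching it."""
    copy = AuditLog()
    copy.events = list(log.events)
    copy.events[index] = replace(copy.events[index], **changes)
    return copy


def build_demo_log() -> AuditLog:
    """Constructed sample activity (not real data)."""
    log, t = AuditLog(), "2025-01-17T09:00:00+00:00"
    log.authorize("alice@bank.example", "internal-analyst", "download", "ledger.xlsx", "confidential", t)
    log.authorize("bob@auditor.example", "external-auditor", "view", "ledger.xlsx", "confidential", t)
    log.authorize("bob@auditor.example", "external-auditor", "download", "ledger.xlsx", "confidential", t)
    log.authorize("carol@partner.example", "external-partner", "download", "brochure.pdf", "public", t)
    log.authorize("mallory@evil.example", "external-partner", "view", "brochure.pdf", "public", t)
    log.authorize("dan@partner.example", "unknown-role", "view", "brochure.pdf", "public", t)
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print(json.dumps(demo.report(), indent=2))
    print("chain intact:", demo.verify())
    print("after tampering:", tampered_copy(demo, 2, decision="allow").verify())
```

Two design points carry over to a real deployment: the denial of `dan@partner.example` shows why an unknown role must fall through to deny rather than to some default permission, and the hash chain only proves integrity from the point the chain was anchored, so in practice the latest hash should be periodically copied somewhere the log writer cannot modify (a separate system or a signed timestamp).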
A Compliance-First Approach for DORA UK Requirements
Overall, your content communication solutions should reflect the EU DORA regulation. Look for vendors that are committed to DORA compliance. It’s also a good idea to choose solutions that follow industry best-practice cybersecurity, such as the NIST Cybersecurity Framework.
A solution purpose-built for compliance will be ready to implement, getting you DORA ready in time for the 17 January 2025 application date. Plus, these vendors will work proactively to keep your tools up to date with regulatory standards as they change.
To learn more about Kiteworks, schedule a custom demo today.
Additional Resources
- Brief: Navigating DORA Compliance With Kiteworks
- Webinar: Assessing the Maturity of Digital Communications Privacy and Compliance in Financial Services and FinTech
- Brief: Ensuring Compliance and Managing Risk in Financial Services Content Communications
- Brief: Kiteworks and FCA Compliance: Secure Customer Data and Streamline Operational Risk Management
- Guide: The Financial Services Solution Guide to DORA Regulation UK