Feature - DORA Register of Information

We would like to include the Register of Information regarding the DORA (Digital Organizational Resilience Act) Key Control 14 Supplier Risk Management within Eramba within the 3rd Party supplier. The customized fields of the Enterprise version are very limited.

The following links are relevant for the consolidation of the data:

https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.eba.europa.eu%2Fsites%2Fdefault%2Ffiles%2F2024-11%2F2506bbcd-f8d6-4710-a273-46d812b154f3%2FDraft%2520validation%2520rules%2520for%2520DORA%2520reporting%2520of%2520RoI.xlsx&wdOrigin=BROWSELINK


It is not very clear to me which particular chapter/article of the directive you are referring to; perhaps if you highlight the article in the official legislation it is easier for people around to know what you are trying to achieve.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554

Dear Kisero,
I'm referring to the following:

Chapter V
Managing of ICT third-party risk

Article 28
Paragraph 3

This is excluded in your mapping (DORA, ISO, NIST, etc.).

BR

  1. As part of their ICT risk management framework, financial entities, other than entities referred to in Article 16(1), first subparagraph, and other than microenterprises, shall adopt, and regularly review, a strategy on ICT third-party risk, taking into account the multi-vendor strategy referred to in Article 6(9), where applicable. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.

Are you referring to this paragraph? If yes, this is plain old third party risk management. In eramba you could:

  • manage your risk mgt policy as a document on the policy module
  • list your critical suppliers on the third party module
  • for those you consider relevant based on whatever criteria your company has, perform assessments using online assessments
  • out of those assessments use the risk module to document third party risks

Our DORA guide also mentions online assessments as a recommended route for this type of requirement.

I don't see much how that paragraph and your original post relate, I don't know where that screenshot you posted comes from, etc. I'm sorry if we can't comment on that.

  3. As part of their ICT risk management framework, financial entities shall maintain and update at entity level, and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

  The contractual arrangements referred to in the first subparagraph shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.

  Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.

  Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.

  Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

The Register of Information requires more details, and companies should maintain those details in some kind of database → see the Data Model PDF from the first post. Gathering that information with the correct relations in Eramba would be really beneficial for all your customers in the finance sector who need to be compliant with DORA.


Yes, I see now. eramba is in general framework agnostic, so modeling data for a specific framework is a no-no. You could use custom fields, but I'm not sure that suffices for their expectations.

I'm adding here a link from the EBA that has the reference to the DB model you uploaded in the first post, for more reference: Preparations for reporting of DORA registers of information | European Banking Authority

You could also say that about GDPR, and it is part of and implemented in Eramba. For sure we could now develop our own DB and web frontend ourselves, but then we would need to link them to the Eramba assets; it would just produce overhead and be somewhat redundant. I thought maybe you would see here an opportunity to provide your customers added value and a chance for your company to tap further into the European financial sector.

Yes, the first and last time we focused on a framework specifically.

We have been in the GRC software business for more than a decade; the European financial market is less than 3% of the global market we address. With the little resources we have, we need to serve the majority of the community.