When Compliance Meets Reality
When Claire, the COO of a fast-growing ICT supplier, opened her inbox on Monday, the subject line hit her like a freight train:
“Termination of Contract – Non-Compliance with NIS2/DORA Requirements.”
Her team had built secure infrastructure, offered solid uptime, and had happy clients — until one of them, a financial institution subject to DORA and NIS2, ran a compliance audit. Claire’s company hadn’t fully mapped ICT asset risks, couldn’t prove encryption key governance, and lacked recovery time guarantees.
What seemed like a technicality was now a €2.4 million revenue loss.
“We thought we were secure,” she said. “But they wanted resilience they could prove — not just assume.”
This isn’t fiction. As NIS2 and DORA transform operational resilience into a compliance obligation, ICT suppliers must adapt or risk being dropped from the critical supply chain.
The draft Regulatory Technical Standards (RTS) under DORA Articles 15 and 16(3) are reshaping how financial entities and their ICT third-party suppliers manage digital operational resilience. While DORA focuses on the financial sector, its reach directly impacts ICT providers delivering services to essential or important entities under NIS2.
Here are the key highlights relevant to third-party ICT service providers that serve NIS2 essential entities:
1. Risk Appetite, Now Linked to Customer Impact
RTS guidance emphasizes that ICT risk appetite must reflect not just internal business processes but also the potential impact on customers, users, and market integrity. This means third-party suppliers must:
- Consider downstream harm from service outages
- Prioritize customer-centric resilience decisions
2. ICT Asset and Data Lifecycle Management
Third-party ICT suppliers must:
- Maintain inventories of ICT assets with support end dates
- Implement secure end-of-life procedures for assets
- Classify assets based on their criticality and potential data exposure
3. Encryption & Cryptographic Controls
Suppliers must:
- Use “leading practices” in encryption
- Justify deviations from modern standards
- Include secure key management and encryption for data in use, in transit, and at rest
4. Proportionality and Governance
The RTS include a proportionality principle, but suppliers to essential entities are still expected to:
- Implement robust governance frameworks
- Involve control functions in resilience testing and security by design
- Include independent assurance in ICT change projects
5. Supply Chain & Cloud Considerations
Suppliers in third countries or those using other subcontractors must:
- Manage supply-chain risk across all layers
- Log dependencies and critical third-party inputs
- Consider cloud-specific resilience and data jurisdiction requirements
6. Incident Detection and Business Continuity
Third-party providers are expected to:
- Implement incident triggers that reflect customer impact (not just internal disruption)
- Enable continuity for critical services within same-day or next-day RTOs (recovery time objectives)
- Test and document crisis scenarios, including climate-related disruptions
7. Training and Awareness for All Staff
- Annual minimum requirement for ICT security training
- Awareness programs aligned with critical functions supported
Final Takeaway
DORA does not regulate all third-party ICT service providers directly, but those serving financial entities or NIS2-essential operators must align with these RTS expectations. The shift from internal resilience to ecosystem-wide digital continuity is clear:
If your service supports critical data, infrastructure, or processes, your resilience practices will be judged not only on performance — but on how well you protect your client’s clients.