Tenacy

The DORA regulation requires financial entities to significantly strengthen third-party management, particularly regarding security and operational resilience. However, contrary to popular belief, evaluating your third parties does not mean evaluating them directly against the DORA framework.

Understanding What DORA Requires (and What It Doesn’t)

Following a cross-analysis (conducted in January 2025) of the DORA regulation, EU Delegated Regulation 2024/1773, and the Final Report JC 2023 86 draft, Tenacy conducted an in-depth keyword-based search (e.g., prestataire, third party, must, commits, etc.) to identify all direct and indirect obligations related to third-party providers.

Result: 32 obligations were identified and linked in Tenacy to existing measures. This set forms a minimum baseline for any third-party evaluation within the context of DORA compliance.

🔎 If your organization is subject to DORA and you need to evaluate your third parties, your assessments should at a minimum cover these topics (measures):

⚠️ This interpretation does not constitute legal advice. It should be adapted to your contractual context in consultation with your legal department.

Which Frameworks Should Be Used for Assessments?

DORA does not provide a specific evaluation framework but does mandate certain thematic areas. That’s why Tenacy has mapped the identified measures to standard frameworks available in our catalog.

The two most relevant frameworks today are:

ISO 27002:2013 – covers 95% of DORA-related measures

NIST CSF – covers 91% of DORA-related measures

- ISO 27002:2013 – covers 95% of DORA-related measures
- NIST CSF – covers 91% of DORA-related measures

These frameworks enable you to meet DORA requirements without duplicating efforts or creating hard-to-maintain custom frameworks.

What This Means for Your Third-Party Evaluations

💡Being compliant with DORA means your evaluations should cover the topics mandated by DORA — not that you must build a DORA-specific framework for each provider.

Categorizing your suppliers by criticality level to adjust the scope of your assessments

Using appropriate frameworks based on criticality (e.g., ISO 27002, NIST CSF, etc.)

- Categorizing your suppliers by criticality level to adjust the scope of your assessments
- Using appropriate frameworks based on criticality (e.g., ISO 27002, NIST CSF, etc.)

A Practical Approach: Categorization in Tenacy

In Tenacy, we recommend structuring your third parties directly in the Organization module, using criticality groups that match your internal policy. For example, based on the CESIN model:

Criticality Group C1: Critical or essential providers (e.g., hosting, telecom, cloud services)

Criticality Group C2: Important but non-critical providers (e.g., maintenance, non-essential SaaS tools)

Criticality Group C3: Non-sensitive providers (e.g., logistics, general services)

- Criticality Group C1: Critical or essential providers (e.g., hosting, telecom, cloud services)
- Criticality Group C2: Important but non-critical providers (e.g., maintenance, non-essential SaaS tools)
- Criticality Group C3: Non-sensitive providers (e.g., logistics, general services)

This categorization allows you to trigger targeted assessments based on risk level.

💡See this article for more information on <a href="https://help.tenacy.io/en/articles/205319-model-my-organization">modeling your organization in Tenacy.</a>

To manage your third parties in line with DORA, you can follow this methodology within Tenacy:

Categorize your third parties in Organization (C1, C2, C3…)

Associate an appropriate evaluation framework based on criticality

Check for DORA coverage using the measures already mapped by Tenacy (see visual)

Document and trace your evaluations to demonstrate compliance.

1. Categorize your third parties in Organization (C1, C2, C3…)
2. Associate an appropriate evaluation framework based on criticality
3. Check for DORA coverage using the measures already mapped by Tenacy (see visual)
4. Document and trace your evaluations to demonstrate compliance.

___________________________________________________________

🔎 For any questions about implementing this approach in your Tenacy space, don’t hesitate to contact your Customer Success Manager.

Manage third parties under DORA

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Manage third parties under DORA

Understanding What DORA Requires (and What It Doesn’t)

Which Frameworks Should Be Used for Assessments?

What This Means for Your Third-Party Evaluations

A Practical Approach: Categorization in Tenacy

Putting It into Practice in Tenacy