← Thought Leadership

Regulation

Your compliance tool is a third-party risk

DORA made banks map every critical technology provider. Few have turned that discipline on the software they use to manage compliance itself.

Martin Foerster
Co-founder
· 2 min read

New to the topic? Start with What sovereign compliance actually means.

A modern glass office tower seen from below

Photo: Rafael Garcin / Unsplash

The Digital Operational Resilience Act turned a specialist concern into a board-level obligation. Every bank in scope now maintains a register of its critical technology providers, runs concentration analysis, and writes exit plans for the systems it cannot afford to lose. The exercise is thorough, and it has a blind spot the size of the compliance function itself.

The provider hiding in plain sight

Most compliance platforms work by pulling. They connect to a bank’s systems, take custody of its policies, evidence, and incident records, and analyse that material in their own cloud, frequently on infrastructure outside the EU. In doing so they meet the definition of an ICT third party under the very regulation the bank bought them to satisfy. The software acquired to manage third-party risk is itself a third party, and one with unusually deep access. Because that provider is US-based, it can also be compelled under the US CLOUD Act to surrender the material it holds, wherever that material is stored, at times under an order that legally bars it from telling the customer.

Definition
What counts as a critical ICT third party
DORA treats a provider as critical when a failure or compromise on its side would materially disrupt the institution’s ability to operate or meet its regulatory duties. A platform holding a bank’s complete compliance record can readily qualify, yet it is routinely left off the map because teams think of it as their tool rather than someone else’s system.

The questions rarely asked of the compliance vendor

Banks interrogate their cloud providers, their core-banking suppliers, and their data processors with precision. They ask where processing occurs, which laws govern the provider, and what happens to their data if the contract ends. Those same questions are seldom put to the compliance vendor, even though it holds the most sensitive material of all. The result is a provider with privileged access to a bank’s regulatory reasoning that has never been assessed as the critical dependency it is.

Putting it on the map

The remedy is not to abandon compliance software, which is now indispensable. It is to hold that software to the standard DORA already demands of everything else. Ask where your compliance data is processed and under whose jurisdiction. Ask what becomes of your evidence if the provider fails or the relationship is severed. A platform designed so that your documents never leave your control, and your data is processed within the EU, answers those questions before they are asked. A platform that cannot answer them belongs on the risk register, not outside it.

The discipline DORA imposed on third parties was overdue. It is worth turning that discipline on the one system most likely to escape it.

Frequently asked questions

Is a compliance platform an ICT third party under DORA?
Yes. Under DORA, a compliance platform that ingests a bank's documentation into its own cloud meets the definition of an ICT third party — often one hosted outside the EU — so it belongs on the register of critical providers alongside every other critical dependency.
Why is a US-based compliance tool a risk under DORA?
Because it can be compelled under the US CLOUD Act to surrender the material it holds regardless of where that material is stored, at times under an order that legally bars it from telling the customer.
What questions should a bank ask its compliance vendor?
Where is our data processed and under whose jurisdiction, and what happens to our evidence if the provider fails or the relationship ends. A platform designed so that your documents never leave your control answers those questions before they are asked.

Sources