For partners of DORA-obliged entities, the challenge is typically that customers want more than ‘nice documentation’: they expect an operating model that is auditable, can be described in contracts, and remains predictable during incidents. Our approach is service-provider oriented: first we clarify the service scope and dependencies (including subcontractors), then we establish the required risk, incident and resilience frameworks so that they are embedded in the actual operations, development and service processes.
A key area is contractual traceability and the management of customer interfaces: what must be reported, how and by when; what evidence needs to be produced; and which audit and inspection rights must be supported. In addition, we address how service handover or replacement can be ensured (exit strategy). Resilience becomes credible when testing and exercises are not one-off events, but feed back into operations through measurable corrective actions and increasingly stable service capability.