Due Diligence
A comprehensive investigation or assessment conducted before entering into a business relationship or transaction. In compliance contexts, due diligence refers to the thorough evaluation of third-party providers, business partners, or acquisition targets for regulatory and security risks.
Due diligence in the compliance context is a critical risk management activity that helps organizations understand and manage the risks associated with third-party relationships. It involves assessing a partner's or vendor's financial health, legal compliance, security practices, operational capabilities, and reputation before establishing a formal relationship.
DORA elevates the importance of ICT due diligence by requiring financial entities to assess the risks of ICT third-party service providers both before entering into contracts and on an ongoing basis. Key due diligence areas under DORA include the provider's information security certification status, geographic location of data processing, subcontracting arrangements, concentration risk implications, and exit strategy feasibility.
Effective due diligence processes are typically risk-based, with the depth and frequency of assessment proportional to the criticality of the service and the sensitivity of data involved. Automated vendor risk management platforms can streamline this process by standardizing assessments and continuously monitoring provider risk profiles.
Related Terms
Third-Party Risk Management
The process of identifying, assessing, and controlling risks arising from outsourcing to third-party service providers. Under DORA Article 28, financial entities must maintain a register of all ICT third-party providers and conduct thorough due diligence on critical providers.
Vendor Risk Assessment
A structured evaluation of the security posture and compliance status of third-party vendors before and during a business relationship. DORA Article 28 mandates specific due diligence requirements for ICT service providers used by financial entities.
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.