Security Awareness for ICT Third-Party Service Providers

Mandatory ICT Security Training for External ICT Providers & Contractors

The Security Awareness for ICT Third-Party Service Providers programme ensures that vendors, contractors, consultants and outsourced ICT professionals meet the security and behavioural requirements imposed by the Digital Operational Resilience Act (DORA).

Under Article 13(6) DORA, financial entities must extend ICT security awareness training to third-party service providers where relevant, especially when they have logical or physical access to ICT systems, data, interfaces, infrastructure or critical and important functions.
In parallel, Articles 28–30 DORA require strong governance and contractual alignment — including third-party training as part of the ICT risk management framework.

We offer this programme in four delivery formats:

  • Seminar
  • In-House Training
  • Live Webinar
  • E-Learning (SCORM)

Purpose of Third-Party Security Awareness Training

External ICT service providers often operate with elevated permissions, system access or remote connectivity. This makes them part of the organisation’s extended digital perimeter — and a critical element of cyber, operational and compliance risk.

This training ensures that third-party personnel:

  • understand their access responsibilities,
  • know how to prevent incidents,
  • follow secure operational procedures,
  • meet contractual and regulatory obligations under DORA,
  • uphold confidentiality, integrity and availability of ICT assets,
  • support compliance documentation for internal audit and supervisors.

It forms a mandatory component of the outsourcing and ICT-third-party governance process.


Training Content (Aligned with Articles 13(6), 28–30 & 5(2)(g) DORA)

Entity-Specific ICT Security Requirements

  • handling of access rights and remote access tools
  • secure device usage and workstation hygiene
  • contractor responsibilities for system and data security

Confidentiality, Data Protection & Information Handling

  • secure handling of customer data and confidential information
  • preventing data leakage during remote operations
  • integrity and availability of hosted or managed systems

Incident Notification & Escalation Obligations

  • third-party duties in reporting ICT anomalies (Article 23 RTS RMF)
  • required timelines and escalation routes
  • alignment with contractual incident-handling procedures

Secure Behaviour During Operations & Maintenance

  • patching, updates and configuration safety
  • avoiding misconfigurations and change-related risks
  • secure handling of deployments, integration points and APIs

Secure Access, Authentication & Privileged Handling

  • safe management of accounts, keys, tokens and credentials
  • temporary access, session management and non-repudiation
  • privileged use awareness aligned with the entity’s policies

Contractual & Regulatory Alignment Under DORA

  • obligations arising from Articles 28–30
  • understanding contractual security clauses
  • cooperation with audits, inspections and resilience tests

This curriculum ensures that external providers operate in full compliance with the financial entity’s ICT risk management framework.


Training Formats

Seminar

Suitable for individual contractors, smaller service providers or ICT consultants delivering services to financial entities. Includes case studies, practical attack scenarios and DORA-aligned requirements.

In-House Training

Delivered directly to your ICT third-party workforce — ideal if your organisation has multiple vendor technicians, external developers or shared-service teams. Content is customised to your infrastructure and contractual requirements.

Webinar

A virtual instructor-led session designed for dispersed external teams, remote service providers and multi-national ICT outsourcing partners.

E-Learning

Self-paced, LMS-ready modules with:

  • automated tests,
  • completion certificates,
  • version control,
  • audit-ready tracking,
  • multilingual deployment options.

This delivery format is ideal for large vendor ecosystems or continuous onboarding of new ICT partners.


Documentation, Certification & Compliance Evidence

To meet supervisory expectations and audit requirements, every participant receives:

  • digital certificate of completion,
  • assessment results,
  • timestamped training records,
  • documented version history for recurring training cycles.

These artefacts demonstrate compliance with:

  • Article 13(6) DORA (training requirement),
  • Article 5(2)(g) (management body oversight),
  • Articles 28–30 DORA (ICT third-party governance duties).

Why This Training Is Essential

  • fulfils mandatory DORA obligations for ICT third-party providers
  • reduces supply-chain, contractor and insider-threat risks
  • aligns external providers with your internal ICT security framework
  • strengthens resilience of critical and important functions
  • supports audit readiness and supervisory examinations
  • ensures secure, standardised behaviour across the extended digital perimeter