Digital threats aren’t just escalating; they’re evolving with alarming speed. The statistics are compelling. A majority (78%) of European financial institutions reported third-party data breaches in 2023. Not only that, but the average cost of a data breach rose to £4.88 million in 2024. Operational resilience is no longer a compliance checkbox; it is now a fundamental pillar for any organisation.
This pressing requirement is precisely what the Digital Operational Resilience Act (DORA) aims to address. Effective January 17, 2025, this EU regulation aims to significantly bolster the Information and Communication Technology (ICT) security of financial entities, ensuring the financial services sector can withstand severe operational digital disruptions.
Who exactly does DORA apply to?
DORA applies to a broad range of financial entities operating within the EU. These include traditional institutions such as banks, insurers and payment institutions, and the scope also extends to investment firms, insurance and reinsurance undertakings, asset managers, crypto-asset service providers, crowdfunding service providers, and central securities depositories, among many others.
Crucially, DORA’s reach extends beyond these direct financial entities. The regulation also encompasses Information and Communication Technology (ICT) third-party service providers that offer services to financial institutions, and it applies to them regardless of where in the world they are based. This includes providers of critical services such as cloud computing, data centre operation, and software. It’s a welcome recognition of the fact that a weakness anywhere in the supply chain can jeopardise the entire ecosystem.
Even if your organisation falls outside DORA’s formal jurisdiction, its principles are highly relevant. Similar operational resilience frameworks, such as the UK FCA’s operational resilience framework and the US FFIEC guidelines, highlight the universal need for strong digital defences. Aligning with DORA’s best practices can sharpen your competitive edge, regardless of your specific regulatory jurisdiction.
What are the core areas covered by DORA Regulation?
DORA establishes a holistic framework across key pillars, designed to provide a comprehensive approach to digital operational resilience. It mandates robust ICT Risk Management, requiring financial entities to develop, implement, and maintain resilient ICT systems and protocols. This includes identifying, assessing, mitigating, and monitoring ICT-related risks, ensuring a proactive stance against potential disruptions. DORA also introduces stringent requirements for ICT-Related Incident Management, Classification, and Reporting. Entities must establish processes to swiftly detect, manage, and classify significant incidents, reporting major events to competent authorities within specified deadlines and formats.
The regulation emphasises Digital Operational Resilience Testing. Financial entities are required to regularly test their ICT systems to verify their preparedness and identify vulnerabilities. DORA places significant focus on ICT Third-Party Risk Management, acknowledging the growing reliance on external providers. It mandates thorough due diligence, robust contractual arrangements, and ongoing monitoring of these critical relationships to ensure third-party compliance with cybersecurity standards. Additionally, DORA encourages Information Sharing Arrangements on cyber threats and intelligence, fostering collaboration among financial entities to enhance collective defence capabilities, detection techniques, and overall resilience.
Why should organisations care about DORA?
The EU created DORA in direct response to the rising tide of operational and supply chain vulnerabilities across financial services and ICT networks. Here are some key areas that DORA seeks to address within the procurement and supply chain:
- Escalating supply chain attacks: The supply chain has become a prime target. In 2024, a concerning 58% of large UK financial services firms reported at least one third-party supply chain attack, with 23% targeted three or more times. This trend highlights increasing vulnerability within supply chains and reinforces the need for a framework like DORA to help address these weaknesses.
- Inadequate continuous risk assessment: A worrying 44% of financial institutions assess third-party risk only during initial onboarding, while a mere 14% engage in continuous risk assessment using dedicated tools. This fragmented approach leaves firms exposed and underscores the importance of consistent, end-to-end risk visibility.
- Prevalence of third-party breaches: As mentioned, 78% of European financial institutions experienced third-party data breaches in 2023, with many also impacted by fourth-party breaches. Without strong governance, such as centralised spend management and integrated oversight, organisations are vulnerable to significant business disruption.
How to embed resilience in your procurement and supply chain strategy?
To ensure compliance with DORA’s requirements and enhance supply chain resilience, organisations should focus on three key areas:
1. Defined procurement and supply chain strategy
Clarity around your supply chain strategy goals is essential, as is embedding the principle of due diligence. As BNP Paribas’ Global Head of Resilience notes, digital transformation plays a critical role in managing cyber and technology risks while strengthening customer trust. Developing and implementing digital transformation strategies aligned with an organisation’s procurement and supply chain strategies helps achieve long-term results through regular risk assessment, ensuring compliance and alignment with overall business goals.
2. Building continuous monitoring and controls
DORA requires robust controls across the Procure-to-Pay lifecycle. Modern platforms enable centralised spend management, streamline supplier onboarding, and unify risk processes. Such solutions simplify supplier risk assessments, financial verification, and regulatory compliance. Their flexible, configurable workflows allow organisations to rapidly adapt to new regulations. These capabilities are key to mitigating supplier-related risks and ensuring operational resilience.
3. Improving supplier relationships
Building strong, trust-based supplier partnerships is more important than ever to foster transparency and enable threat intelligence sharing. Under DORA, organisations must assess potential partners against specific criteria to evaluate their cybersecurity and digital resilience. Advanced risk orchestration platforms offer a streamlined approach to managing supplier relationships – improving visibility and efficiency in onboarding and selection. By focusing on collaboration, organisations can strengthen supply chain security and improve responsiveness in identifying any potential attacks.
The principles championed by DORA – clarity in strategy, continuous monitoring, and collaborative supplier relationships – are universally applicable, offering significant competitive advantages even beyond its formal jurisdictional reach. Building this resilience is an ongoing journey, one that requires strategic investment in digital enablement, and a commitment to fostering a culture of security throughout your organisation and its extended network.
Ultimately, resilience transcends compliance. It directly impacts your organisation’s reputation, its ability to reliably serve customers, and its readiness to withstand future disruptions.