In an era where cyber threats and operational disruptions are increasingly common, the European Union has taken a significant step to safeguard its financial sector through the introduction of DORA.
The Digital Operational Resilience Act (DORA) is a regulation designed to enhance the IT security and operational resilience of financial institutions and ICT service providers in the EU such as banks, insurance companies and investment firms. The regulation will apply to more than 22,000 financial entities and ICT service providers operating within the EU.
While it may seem to target IT departments, DORA significantly involves Procurement and Finance. IT handles technology architecture and operations, but maintaining compliant relationships with third parties falls to Procurement and Finance leaders.
In this article, we will explore DORA, its objectives, core components, and implementation timeline. We will also discuss how Procurement and Finance Professionals can prepare for DORA regulations and how Ivalua supports compliance.
What is DORA?
The Digital Operational Resilience Act (DORA) is a landmark regulation introduced by the European Union to enhance the digital operational and cyber resilience of the financial sector. Officially entering into force on January 16, 2023, DORA will be applicable starting January 17, 2025.
This regulation aims to establish a harmonized and comprehensive framework that strengthens the ability of financial institutions to withstand and respond to digital risks and disruptions. By doing so, DORA seeks to ensure the stability and security of the EU’s financial sector in the face of growing digital threats.
DORA reinforces the role of the European Supervisory Authorities (ESAs), which include the European Bank Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Market Authority (ESMA) – all of which oversee its implementation and enforcement to protect the financial sector from digital threats.
Its extensive scope covers all financial services institutions (FSIs) in the EU, including banks, insurers, pension funds, stock exchanges and ICT systems providers. The regulation is developed through a thorough legislative process involving stakeholder consultations to ensure it is comprehensive and adaptable to the evolving digital landscape.
Key objectives of DORA
The Digital Operational Resilience Act (DORA) sets forth key requirements for financial institutions to ensure the security and stability of their digital operations. Below are the main areas that DORA addresses:
- Strengthen IT Security: DORA mandates that financial institutions implement stringent IT security measures to protect against cyber threats and ensure the integrity of their digital systems.
- Promote Operational Resilience: The regulation emphasizes the importance of operational resilience, requiring institutions to develop and maintain robust frameworks for responding to digital disruptions.
- Enhance Risk Management: DORA sets high standards for risk management, ensuring that financial institutions have comprehensive strategies in place to identify, assess and mitigate digital risks.
- Facilitate supervision and coordination: The regulation enhances the supervisory powers of competent authorities, allowing them to monitor and enforce compliance with DORA requirements. It also promotes coordination and information sharing among authorities to address cross-border risks and ensure consistent implementation across the EU.
What Are the Five Core Components of DORA?
The Digital Operations Resilience Act encompasses five key components that collectively strengthen the digital operational and cyber resilience of financial systems in European markets:
- ICT Risk Management Strategy: DORA requires financial institutions to develop strategies to identify, assess, and mitigate ICT-related risks. This includes regular risk assessments, implementing security controls and establishing threat response protocols to maintain the integrity, availability, and confidentiality of information systems.
- ICT-Related Incident Reporting: DORA mandates prompt reporting of significant cyber incidents to relevant authorities to facilitate a coordinated response to threats. This helps to mitigate potential impacts and enhance overall cybersecurity efforts across the sector by identifying trends and patterns in cyber attacks.
- Digital Operational Resilience Testing: Financial institutions must conduct regular resilience testing, including scenario-based and penetration tests, to evaluate the effectiveness of their ICT systems. These tests identify vulnerabilities and ensure preparedness against real-world cyber threats.
- ICT Third Party Risk Management: DORA emphasizes managing risks associated with third-party ICT service providers. Institutions must conduct thorough due diligence and ongoing monitoring to ensure third-party compliance with cybersecurity standards, mitigating risks from external partnerships.
- Information Sharing Arrangements With FSI Peers: DORA encourages financial institutions to share insights, threat intelligence, and best practices with peers. This collaboration enhances collective cybersecurity resilience, allowing institutions to stay ahead of emerging threats and respond effectively to cyber incidents.
DORA Timeline: Key Phases and Implementation
DORA is marked by several key phases, each contributing to the development and implementation of a comprehensive DORA framework aimed at enhancing the digital resilience of the EU financial sector:
Conceptualization and Initial Drafting (2019-2020)
The journey of DORA began with recognizing the growing digital threats to the financial sector. The EU aimed for a harmonized approach to digital resilience, leading to the initial drafting of DORA, establishing foundational principles to protect financial institutions from ICT-related risks.
Consultation Phase (2020-2021)
During this phase, extensive stakeholder engagement refined the proposed regulations. Financial institutions, industry experts and regulatory bodies provided insights and feedback, ensuring DORA addresses practical challenges and needs, and paving the way for an effective framework.
Station 1 (Batch 1) – Formal Proposal and Initial Adoption (January 2021 – January 2022)
In January 2021, the European Commission formally proposed DORA. The proposal was reviewed and debated by the European Parliament and the Council, leading to its adoption by early 2022, which set the stage for implementation.
Station 2 (Batch 2) – Preparation and Initial Implementation (January 2022 – January 2023)
Financial institutions and regulatory bodies prepared for DORA implementation, focusing on understanding the requirements and initiating necessary organizational changes. Training, assessments and compliance strategies were key activities, supported by regulatory guidance.
Final Implementation (January 2023 – January 2025)
DORA officially came into force on January 16, 2023. Over the next two years, financial institutions aligned their processes, systems and controls with DORA’s requirements, involving rigorous testing, cybersecurity incident reporting, third-party risk management and information-sharing mechanisms.
DORA Compliance (January 2025 Onwards)
From January 17, 2025 on, DORA compliance will be mandatory. Financial institutions across the EU must integrate DORA’s requirements into their operations, with European Supervisory Authorities (ESAs) ensuring adherence and maintaining high levels of digital resilience. As digital threats evolve, DORA will undergo further refinements. Financial institutions need to maintain a proactive stance, updating resilience strategies and compliance measures.
How Procurement and Finance Professionals Should Prepare for DORA Regulation
DORA introduces significant changes to procurement activities within financial institutions by emphasizing the importance of digital resilience and cybersecurity.
In this video, Thomas Meyer from KPMG discusses the objectives, scope and approach of DORA regulations:
Watch the full webinar highlights to learn more from Arnaud Malardé and Simone Smits from Ivalua as they share invaluable strategies and a step-by-step guide to empower procurement professionals in adapting to the evolving regulatory landscape.
Watch the full webinar: How Procurement and Finance should prepare for DORA regulation.
What Procurement Processes Should Companies Review for DORA Compliance?
DORA regulations impact several stages of procurement processes, from Source-to-Pay (S2P) to Procure-to-Pay (P2P), and overall change management and process governance.
First off, organizations must update their procurement policies to reflect the requirements of DORA by establishing clear guidelines for incorporating cybersecurity and digital resilience considerations into procurement activities.
Sourcing Strategy and Concentration Risk
Developing a robust sourcing strategy and managing concentration risk are vital for DORA compliance.Enhanced due diligence processes are required to assess all risks related to suppliers, especially the concentration risk.
Organizations must conduct thorough risk assessments and ensure that suppliers have robust IT security and resilience measures in place. A well-defined sourcing strategy ensures careful selection of suppliers who meet stringent cybersecurity standards through thorough due diligence.
In addition, managing concentration risk involves diversifying the supplier base to avoid over-reliance on a few vendors. By spreading risk across multiple suppliers, organizations can provide continuous service delivery, despite supply chain disruptions.
Contract Lifecycle Management
Contract Lifecycle Management (CLM) is crucial for DORA compliance, embedding stringent cybersecurity and resilience standards throughout the contract process. Contracts with suppliers must include clauses that address compliance with DORA to ensure that suppliers are contractually obligated to adhere to specific cybersecurity and digital resilience standards and protocols.
By incorporating DORA-specific clauses in contract creation and negotiation, financial institutions ensure suppliers meet high security standards. Effective CLM manages supplier relationships with a focus on robust cybersecurity, aligning with DORA’s goal of enhancing digital operational resilience in the financial sector.
Supplier Management
Supplier management involves implementing thorough due diligence, regular risk assessments, continuous monitoring and performance audits, and financial institutions to ensure vendors adhere to DORA’s requirements.
Organizations need to incorporate cybersecurity and digital resilience criteria into their supplier selection process by evaluating potential suppliers based on their ability to meet DORA’s digital resilience requirements.Transparent communication and clear contractual obligations further reinforce compliance.
Procure-to-Pay
The P2P process involves the steps from purchasing goods and services to making payments. DORA impacts the P2P process by necessitating stronger controls and monitoring mechanisms:
- Purchase Orders and Approvals: Financial institutions must implement secure and compliant workflows for generating and approving purchase orders to ensure that all purchases are vetted for cybersecurity risks.
- Invoice Processing: The processing of invoices must be done in a secure manner, with systems in place to detect and prevent fraudulent activities. Organizations must verify the authenticity of invoices and their compliance with DORA’s standards.
- Payment Security: Payment processes must be fortified with enhanced security measures using secure payment gateways and encryption technologies.
Risk and Issue Management and Reporting
Risk and issue management and reporting help financial institutions proactively identify, assess and address vulnerabilities and incidents. Detailed issue management helps teams defect and resolve incidents quickly to minimize disruptions, while comprehensive reporting procedures provide transparency and accountability and help keep regulatory authorities and stakeholders informed.
Register of Information
A register of information is a detailed record of all critical data, assets, systems, processes and activities within an organization’s IT infrastructure. It includes hardware and software inventories, data flows, network configurations, security policies, incident reports and compliance statuses.
Maintaining an up-to-date register ensures financial institutions have a holistic view of their digital environment, which is essential for effective management and regulatory compliance.
How Ivalua Supports DORA Compliance
While Ivalua is not directly supervised by the ESAs, we are dedicated to helping customers meet their regulatory requirements. Ivalua’s platform offers key features to support DORA compliance, acting as the essential digital repository for financial institutions subject to DORA.
This repository is more than just a contract database; it’s defined in DORA’s regulatory technical standards (RTS) as a collection of 14 interconnected databases linked by five distinct identifiers, to ensure seamless communication between them.
What’s more, the platform enables monitoring of the service supply chain with visibility into Tier N subcontractors, ensuring compliance with requirements for transparency and oversight in the supply chain. This comprehensive approach supports robust compliance and enhances operational resilience.
While many S2P vendors struggle to extend their data model to the required degree, Ivalua supports all the new and specific data points. Handling complex requirements with multiple data tables and identifiers is particularly challenging with a multi-tenant architecture.
To be compliant with DORA regulation, customers need several key modules at a minimum:
- Supplier Relationship and Performance Management (SRPM) module: Essential for supplier due diligence, managing supplier information, operating a Risk Center, tracking supplier performance, and handling issue tracking and improvement plans.
- Sourcing module: To manage risks before entering any new agreements.
- Contract Lifecycle Management (CLM) module: Provides contract templates where all DORA-specific clauses – those related to cooperation with competent authorities, data integrity and accessibility, exit strategies and migration provisions – can be embedded.
Watch a demo of Ivalua’s Source-to-Pay platform that meets all of DORA’s requirements.
Conclusion
Achieving DORA compliance is vital for financial institutions to ensure robust digital operational resilience and safeguard against increasing cyber threats. Starting the compliance journey sooner rather than later is imperative, as the complexities of DORA require thorough preparation and integration of comprehensive solutions.
Ivalua is designed to meet DORA compliance, providing a seamless and efficient way to manage the necessary regulatory requirements.
Get practical advice on how to navigate DORA compliance: Navigating DORA’s Requirements for Procurement and Finance Leaders.