Arnaud Malarde , Product Director at Ivalua.
Following the 17th January 2025 deadline for compliance with the Digital Operational Resilience Act (DORA), companies in the financial sector must demonstrate they are addressing growing IT security concerns.
Introduced by the European Union in 2023, the Act ensures the digital resilience of financial entities including banks, investment firms, and other related institutions. As the number of online threats grows, DORA provides companies with a robust digital framework that can promote operational resilience through risk management, resilience tests, and incident reporting. Those who don’t comply could face dire consequences such as fines, legal liabilities, and exclusion from markets they rely on.
Whilst DORA is an EU legislation, this does not mean that UK organisations are automatically exempt from its requirements. Any Financial Services organisation firm that works with legal entities in the EU is within the scope of DORA. We also know the UK regulator often follows EU regulations in this regard. Therefore, UK organisations must ensure compliance to avoid potential penalties, maintain their relationship with EU-based entities, and get ahead of any corresponding UK regulation in the future.
Although the regulation may seem to target IT departments, DORA places demands on procurement and finance teams. IT handles technology architecture, but it is the job of finance and procurement to maintain compliant relationships with third parties.
To stay in line with DORA regulations, procurement teams must embrace digitalisation and take the following steps to transform the digital risk landscape:
1. Adopt a sourcing model that manages concentration risk
To be DORA compliant, organisations must have developed a robust sourcing model. This model should be designed to not only identify and mitigate the security risks associated with individual suppliers but also manage the issue of concentration risk. This occurs when a company relies heavily on a small group of suppliers. If organisations don’t have alternate providers lined up, they can be vulnerable when a key supplier is disrupted or goes out of business. Whether it’s due to a supply chain security breach, financial issues, geographical events, natural disasters, or other factors, over-reliance on a single or small group of suppliers can lead to significant instability.
By evaluating a supplier’s cybersecurity standards, disruptions to supply chains that arise from cyber-attacks can be avoided. This is becoming more vital as supply chains become increasingly digitised, meaning the risk of cyber-attacks will continue to escalate. This threat was highlighted by the SolarWinds Orion system hack in 2020. After gaining access to the data of thousands of SolarWinds customers, threat actors delivered backdoor malware to over 30,000 public and private organisations, compromising the data of thousands of SolarWinds customers and partners.
By adopting a sourcing model that thoroughly assesses a supplier’s cybersecurity practices, procurement teams will be able to better maintain integrity and resilience against the growing number of threats against them and their suppliers.
2. Improve contract-lifecycle management
For procurement teams, cyber resilience should now be a central part of their supplier relationships. By clearly defining responsibilities and compliance requirements, procurement companies can create a transparent framework that nurtures mutual understanding and trust. In the case of DORA compliance, the importance of these relationships becomes more pronounced, as a successful contract lifecycle management process is vital to ensure that both parties are compliant with the regulation, thus mitigating both supply chain and legal risks.
A well-structured contract lifecycle management process serves as an essential tool for safeguarding against cyber risks. By implementing a robust process that includes DORA compliance clauses – for instance local data storage, data retrieval, contract exit strategy, audit by the regulatory bodies, etc. – companies will be able to ensure that both businesses maintain compliance with cyber security requirements. This approach will allow organisations to maintain ongoing compliance and also mitigate the risk of either party exposing the other to potential harm, thereby protecting both sides against significant disruptions.
3. Ensure suppliers are managed effectively
Due diligence, continuous monitoring, and regular risk assessments are essential to help companies remain in compliance with DORA. Firms must integrate these practices into their supplier selection process. By digitising the source-to-pay processes, organisations can automate supplier selection and continuously evaluate onboarded suppliers. This will facilitate real-time monitoring and risk assessment, ensuring that potential compliance and risk issues are identified and addressed immediately.
4. Enhance Procure-to-Pay
DORA impacts the procurement process by demanding that there be stronger controls and monitoring mechanisms. To simplify this, teams should modernise their Procure-to-Pay process to implement secure workflows for generating and approving purchase orders (POs), whilst ensuring that they are vetted for security risks. What’s more, by verifying the authenticity of invoices, this procure-to-pay model will ensure that invoices are secure, with systems in place to detect and prevent fraudulent activities. Similarly, the payment process will be fortified with enhanced security measures with secure payment gateways.
The path to maintaining DORA compliance
To effectively maintain compliance with DORA, companies must fully embrace digitalisation by adopting cloud-based source-to-pay technology. These platforms act as digital repositories, helping to build a register of information that details all the critical data, assets, systems, processes, and activities within an organisation’s IT infrastructure. This is crucial for maintaining and managing the data required by the regulation, enabling seamless supply chain communication and oversight, and even granting visibility into subcontractors to help bolster compliance.
By prioritising digitalisation, companies can streamline their procurement process, improve digital operational efficiency, and use data to make informed decisions and improve resilience. Taking a proactive approach to procurement will not only safeguard organisations against cyber threats, it will help them maintain compliance, while also providing a competitive edge amongst their peers.