How to prepare for the implementation of DORA regulation?

January 14th, 2025

In today's world, cyber risks and operational disruptions are growing rapidly. To protect its financial sector, the European Union has introduced the DORA regulation (Digital Operational Resilience Act). This law officially entered into force on 16 January 2023, giving financial entities two years to prepare for its final implementation. As it will apply from 17 January 2025, procurement departments must take a closer look to master its ins and outs.

What is DORA regulation?

The Digital Operational Resilience Act (DORA) is a new regulatory oversight framework that addresses the risks induced by digital transformation in financial services. As Karine Pariente, Partner at PwC, emphasises: "Banks and insurance companies need access to an increasing number of internal and external data. They are also increasingly dependent on ICT third-party service providers. European regulators therefore want to ensure that the risk generated by these developments is controlled."

This regulation aims to strengthen digital operational resilience of financial entities, particularly against significant cyber threats. In other words, they must be able to withstand, respond to and recover from any operational disruption related to Information and Communication Technology (ICT), ensuring the continuity of critical or important activities.

DORA regulation establishes a detailed, harmonised and comprehensive framework that defines key requirements to guarantee the stability and security of the European financial system. This thus strengthens cyber security, promotes operational resilience and improves risk management within concerned organisations, while facilitating oversight and coordination between competent supervisory authorities.

As you may have understood, DORA regulation's scope covers the entire financial sector, including banking and insurance companies, investment firms, credit institutions, stock exchanges, occupational pensions authority and ICT service providers.

What is digital operational resilience?

According to DORA regulation texts, it is "the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions."

Areas covered by DORA regulation

The application of DORA regulation covers five main areas that frame digital operational resilience, from the risk management framework to information-sharing arrangements in cyber security.

ICT risk management

Implementing a robust and simplified ICT risk management framework is an essential step in DORA regulation. This includes a comprehensive and well-documented framework, with ICT third-party risk assessment and management processes, as well as technical and organisational protection and prevention measures. All this follows a continuous improvement approach.

Incident management, classification and reporting

Financial entities are required to record and classify all significant ICT incidents and cyber threats, enabling major ICT-related incidents to be reported to the competent authorities within set deadlines and according to a predefined template. In practical terms, this means defining and implementing a specific process that runs from detection through to ICT-related incident reporting.

Digital operational resilience testing

Financial entities will be required to test their digital operational resilience at regular intervals. This allows them to verify their risk preparedness, identify potential failures and implement the necessary corrective measures. The regulation also recommends establishing a threat-led penetration testing schedule, where the frequency and intensity of tests depend on the entity's risk profile.

Third-party provider risk management

DORA regulation harmonises the existing official rules for ICT third-party service provider risk management. This notably involves defining a dedicated strategy and policy in this area, following a due diligence approach.

Information-sharing arrangements

Lastly, this regulation encourages entities to share cyber threat information within trusted communities. This aims to strengthen defence capabilities, detection techniques and all associated strategies.

The role of procurement regarding DORA regulation

Procurement and financial departments of financial institutions have a key role to play in managing risks related to ICT service providers. As Thomas Meyer, Director at KPMG Belgium, points out: "This is the area of greatest challenge for many organisations, looking not only at their third parties, but actually at the full supply chain, ensuring that throughout the lifecycle of the supplier that the risk is actually managed effectively within it."

DORA regulation will thus affect several procurement activities such as strategy adjustment, supplier sourcing, supplier relationship management, Contract Lifecycle Management and many others.

Procurement strategy

Companies must integrate the principle of due diligence at the heart of their procurement strategy. This translates into thorough risk assessment and rigorous supplier selection according to strict technical standards for IT security and the associated controls.

Sourcing and supplier management

Buyers must integrate criteria for determining cyber security and digital resilience into their supplier selection process, allowing them to evaluate potential partners based on their ability to meet DORA requirements. This also involves ensuring continuous monitoring and conducting periodic risk assessments.

Contract lifecycle management

When developing and negotiating supplier contractual arrangements, procurement teams must ensure that clauses relating to DORA compliance are included. This allows the company to ensure that its service providers maintain high security standards.

Procure-to-Pay process

DORA regulation requires implementing stricter controls and monitoring mechanisms throughout the Procure-to-Pay process. This includes secure workflows for purchase orders, ICT systems and tools to detect and prevent fraudulent activities in invoicing, and advanced security measures for payments.

Information register

Lastly, it is imperative to maintain an up-to-date register of information related to your organisation's IT infrastructure. This includes data flows, systems and hardware, security policies, incident reports, and so on. This provides a comprehensive view of the digital environment.

Did you know?

According to a recent study by Board of Cyber, 52% of firms are preparing to review their supplier risk approach in the context of DORA regulation and/or the NIS2 directive. They plan to strengthen security risk management and documentation, and to conduct supplier audits or another systematic assessment method.

DORA regulation (Digital Operational Resilience Act) is part of the EU digital finance strategy, promoting innovation and technology development, as well as consumer data protection. It is now up to companies to understand the requirements and take concrete measures to strengthen their resilience to ICT risks.