
Get Started
Graphite's supplier management tool helps you onboard faster, cut time on risk reviews and streamline supplier validations. Save time and money.
January 23 2025
Understanding DORA (Digital Operational Resilience Act): A Guide for Procurement
Can your company handle a major IT disruption?
Many businesses assume they’re ready until an unexpected outage or cyberattack proves otherwise. This is an outcome that the Digital Operational Resilience Act (DORA) is intended to prevent for businesses in the financial sector. The EU regulation focuses on keeping financial institutions secure, prepared, and resilient in the face of operational risks.
Starting January 2025, compliance with DORA won’t be optional for relevant companies, but the good news is that the right tools and strategies can make the process simpler than you think. Many companies doing business with financial institutions may find new questions or compliance protocols could be asked of them as companies prepare for becoming DORA compliant. Let’s take a closer look at what DORA requires, why it matters, and how your organization can meet its standards moving forward.
What is DORA (Digital Operational Resilience Act)?
The reliance on third-party vendors in financial services is higher than ever. But what happens when a key vendor goes offline or a cyberattack targets your IT systems? Even a small disruption can lead to massive losses: missed transactions, customer frustration, and reputational damage.
DORA was created to address these risks and bring order to the chaos. It didn’t come out of nowhere; over the last decade, cyberattacks and IT failures have exposed glaring weaknesses in financial systems across the EU. Events like the 2017 WannaCry ransomware attack and high-profile IT outages made it clear that businesses needed a unified playbook to handle operational risks.
By establishing clear rules, DORA forces financial institutions to build cybersecurity resilience. From managing risks to sharing intelligence on threats, DORA ensures businesses can withstand disruptions and protect their customers and their data. Compliance isn’t just about following regulations—it’s about future-proofing the business.
What is the purpose of DORA for businesses?
Why does DORA matter? For procurement professionals, business disruption is a problem that must be top of mind. DORA looks to address technical issues causing business disruption by requiring that essential vendors and third parties are managed effectively. In other words, procurement teams now need to gather the information necessary for internal stakeholders like Risk, Information Security, IT and Operations to determine if a new or existing vendor will impact their DORA compliance.
Imagine relying on a cloud provider that suffers an outage during a key transaction period. Without a plan, you’d lose time, money, and customer trust. DORA requires businesses to have strategies in place to keep your operations running smoothly, even when the unexpected happens. In order to put those plans in place, risk leaders need to understand operational dependencies and where digital service providers and vendors may have gaps that could present risk.
What does DORA cover?
ICT Risk Management
Are your IT systems secure enough to handle cyber threats or outages? If you’re not constantly evaluating your infrastructure, the answer is probably no. DORA requires businesses to actively identify, manage, and reduce risks in their ICT (Information and Communication Technology) systems. This means conducting regular assessments to find vulnerabilities: outdated software, weak passwords, gaps in network security, etc.
It doesn’t stop there. Businesses must implement strong controls—think encryption, endpoint protection, and real-time monitoring tools—to minimize these risks. DORA pushes organizations to create a risk management framework that doesn’t just fix problems but prevents them from happening in the first place.
ICT Third-Party Risk Management
This is where procurement teams will see the majority of change to their supplier management strategies, including new requests from Risk and InfoSec teams to information-gather during the sourcing event, supplier onboarding or RFP/RFI process. Do you really know how secure your vendors are? DORA makes it clear that if you rely on third-party providers for critical operations, their risks are your risks. It requires businesses to take responsibility for vendor oversight.
This includes assessing vendors’ security practices, monitoring their compliance with regulatory standards, and ensuring they have the resilience to withstand disruptions. It’s not enough to set it and forget it—DORA mandates continuous monitoring to ensure vendors don’t become a weak link in your system. Platforms like Graphite Connect can simplify this process by centralizing vendor data and automating risk assessments, saving your team valuable time.
Digital Operational Resilience Testing
When was the last time you tested your systems? If the answer isn’t “recently,” you’re leaving yourself exposed. DORA requires regular, real-world testing of your IT systems to identify weaknesses before they turn into costly failures.
This isn’t about running a basic penetration test once a year. DORA calls for advanced simulations, such as mimicking cyberattacks or testing how your systems would recover from an extended outage. These tests help you uncover hidden vulnerabilities and ensure your recovery protocols work under pressure.
The bottom line is resilience isn’t something you assume; it’s something you prove, and DORA makes that a requirement.
ICT-Related Incidents
Things will go wrong. That’s inevitable. Systems fail, hackers strike, and mistakes happen. DORA ensures that when incidents occur, businesses are ready to act fast. It requires organizations to establish clear protocols for identifying, reporting, and resolving ICT-related incidents.
Speed is critical here. Under DORA, businesses must notify relevant authorities within strict timeframes and document every step of their response. This transparency helps prevent small incidents from escalating into larger crises and ensures lessons are learned to avoid repeat mistakes.
Procurement teams can expect to be charged with action items and remediation plans for specific vendors when this testing is completed by Risk and InfoSec/Operations teams. Tracking and monitoring these remediation plans and their progress is another way procurement teams can leverage Graphite Connect in order to execute on DORA compliance.
Information Sharing
DORA promotes collaboration across the financial sector by encouraging businesses to share information about emerging risks.
This is a way to strengthen the entire industry. By sharing threat intelligence, companies can learn from each other’s experiences, adopt better defenses, and reduce the likelihood of widespread disruptions.
For example, if one company discovers a new ransomware attack targeting payment systems, sharing that information could help others prepare and protect themselves. DORA makes this kind of collaboration a key part of operational resilience.
Oversight of Critical Third-Party Providers
For critical vendors like cloud providers, the stakes are even higher. These providers are often the backbone of financial institutions’ operations, which is why DORA enforces stricter rules. Regulators will directly oversee critical third-party providers to ensure they meet the highest standards of security and resilience.
This oversight means businesses must be more diligent when selecting and managing these vendors. Contracts should include clear terms for compliance, and ongoing performance reviews are a must. If your critical vendor falls short, it’s not just their problem—it’s yours.
DORA’s focus on critical providers ensures the entire supply chain remains secure, giving businesses confidence that their most essential operations won’t be derailed by vendor failures.
What will DORA enforcement look like after January 2025?
Starting January 2025, regulators will be watching. Non-compliance could mean expensive fines, restrictions on business activity, or even reputational damage.
For example, if you fail to report a cyber incident within the required timeframe, not only could you face penalties, but your business might lose the trust of customers and stakeholders.
Here’s the good news: platforms like Graphite Connect make compliance much easier. By automating supplier risk assessments and centralizing vendor data, you’ll have the tools you need to meet DORA’s requirements with confidence.
How to ensure DORA compliance: 6 best practices for procurement
Compliance with DORA is an ongoing commitment. From training your team to monitoring vendor risks, each step you take improves your organization’s resilience against disruptions.
Get the proper DORA compliance training
When was the last time your team got up to speed on compliance? If the answer isn’t recent, it’s time to prioritize training. Compliance with DORA requires alignment across departments: IT, procurement, and risk management must all understand their specific roles in meeting regulatory requirements.
Start by creating department-specific training sessions that break down DORA’s requirements in actionable terms. For IT teams, focus on cybersecurity and system resilience. For procurement, emphasize third-party risk management and contract requirements. Risk managers should be trained to spot vulnerabilities and ensure protocols are in place for quick action during disruptions. Regular refreshers will keep everyone sharp as regulations evolve.
Conduct comprehensive risk assessments
How confident are you that you’ve identified every vulnerability in your business? Risk assessments are the foundation of DORA compliance, and they go beyond just your IT systems. You’ll need to evaluate internal processes, third-party dependencies, and even your incident response strategies.
Use a structured framework to analyze weaknesses in areas like system availability, data integrity, and vendor performance. Tools like Graphite Connect can take the heavy lifting out of this process. With automated reporting and real-time insights, you’ll save time while ensuring no blind spots are overlooked. Once risks are identified, rank them by severity and address the most critical gaps first.
Develop a strategy for managing ICT risks
This is where the real work begins. Identifying risks is important, but having a clear plan to manage them is what makes the difference. Your strategy should include both preventative measures and response protocols. For example, set up redundancy systems to ensure operations can continue during an outage and define escalation procedures so teams know exactly what to do when issues arise.
Make contingency planning a priority. Instead of scrambling to fix problems when they occur, map out solutions ahead of time. How will you handle a prolonged IT outage? What if a vendor fails to meet security requirements? A well-thought-out plan ensures you’re not just reacting but staying ahead.
Pro tip: Don’t just focus on fixing problems. Prevent them by planning ahead. Read more in our guide: What’s a Good Contingency Planning Process Under DORA?
Implement robust security measures
Think your current security setup is enough? If you haven’t upgraded your systems recently, the answer is probably no. DORA pushes businesses to adopt cutting-edge security practices, and that means more than just installing antivirus software.
Start with multi-factor authentication (MFA) to secure access points. Add encryption to protect sensitive data and use real-time monitoring tools to detect unusual activity before it becomes a threat. Don’t forget the human element – train employees to recognize phishing attempts, suspicious emails, and other common security risks.
Remember, the goal isn’t just to meet compliance – it’s to create a security-first culture where every team member plays a role in keeping your organization safe.
Test audit systems regularly
How recently have you tested your systems under real-world conditions? Audits are critical for identifying weak points before they turn into problems. Think of it like a fire drill for your IT infrastructure.
DORA requires regular testing, so plan simulations that mimic real disruptions. For example, what happens if your payment systems go offline? How does your team respond to a data breach? Document the results and use them to fine-tune your processes. Continuous testing ensures your systems aren’t just resilient – they’re battle-tested.
Learn more in our guide The Role of Incident Reporting Risk Management in DORA Compliance.
Monitor third-party risks in ICT ecosystem
Third-party vendors are essential to your business, but they’re also one of your biggest risks. Every vendor you rely on—whether it’s for cloud services, payment processing, or cybersecurity—introduces potential vulnerabilities into your ICT ecosystem.
DORA emphasizes the importance of ongoing vendor monitoring. This starts during onboarding, with a thorough evaluation of each vendor’s security posture. But it doesn’t stop there. Regular performance reviews and compliance checks are essential to ensure vendors continue to meet your standards.
Graphite Connect’s centralized data platform simplifies this process. Instead of juggling spreadsheets or chasing down updates, you get real-time insights into vendor performance and compliance. It’s a smarter, faster way to reduce third-party risks and keep your supply chain secure.
For more tips and strategies, please review our guide Doing Your Third Party Risk Due Diligence Under DORA.
How to develop your third-party vendor assessment for DORA
Vendor assessments don’t have to be overly complicated, but they do need to be thorough. A strong process ensures you’re working with reliable partners who won’t introduce unnecessary risks into your business. Here’s how to build an assessment process that delivers results.
For a more in-depth explanation, check out our guide How to Conduct Third Party Vendor Assessment Under DORA.
Identify your critical vendors
Who are the vendors you absolutely can’t operate without? Start by mapping out your vendor ecosystem and pinpointing those that play a vital role in your ICT infrastructure. These are typically vendors that provide essential IT services, handle sensitive customer data, or have access to critical systems.
Critical vendors often include cloud service providers, payment processors, or cybersecurity firms. By narrowing your focus to the most impactful partners, you can allocate resources to where they’re needed most. Remember, not all vendors pose the same level of risk, so prioritization is key.
Assess their current security posture
How secure are your vendors right now? Don’t assume they’re prepared for disruptions—verify it. A comprehensive assessment should include:
- Incident response plans: How quickly can they detect and respond to issues like data breaches or system outages?
- Security certifications: Do they meet industry standards, such as ISO 27001 or SOC 2? These certifications demonstrate their commitment to protecting your data.
- Risk management strategies: Are they actively identifying and mitigating their own risks? Look for evidence of regular security audits and testing.
This step is all about asking the right questions and getting clear answers. If a vendor can’t provide adequate documentation, that’s a red flag you can’t afford to ignore.
Monitor their compliance over time
Compliance isn’t something you check once and forget about. DORA requires ongoing oversight, which means continuously monitoring vendor performance and addressing new risks as they emerge.
Graphite Connect allows you to centralize vendor data, set automated alerts for compliance issues, and track performance metrics in real time. Instead of relying on periodic check-ins, you’ll have a constant pulse on your vendors’ status. This proactive approach ensures that minor issues are caught early before they escalate into bigger problems.
Implement mitigation measures for any risks
Not all vendors will meet your standards 100% of the time. When gaps appear, it’s critical to act quickly. Depending on the severity of the issue, mitigation measures could include:
- Strengthening security requirements: Ask vendors to adopt stricter protocols, such as advanced encryption or multi-factor authentication.
- Scheduling audits: Conduct follow-up assessments to ensure corrective actions have been taken.
- Exploring alternatives: If a vendor repeatedly falls short, it may be time to look for a more reliable partner.
The goal isn’t to sever relationships at the first sign of trouble but to ensure that every vendor aligns with your business’s resilience and compliance goals.
Get ahead of DORA compliance during onboarding with the help of Graphite
Let’s face it: DORA compliance can feel overwhelming. But with the right tools, it doesn’t have to be.
Graphite Connect simplifies compliance by streamlining vendor onboarding and automating risk assessments. With a centralized platform, you’ll have everything you need to stay ahead of DORA’s requirements without adding extra stress to your team.
Ready to tackle DORA compliance without breaking a sweat? Discover how Graphite Connect can help. Schedule a demo today!