
DORA compliance for procurement: A complete guide

Here’s how DORA can strengthen digital resilience and protect your business.

Written By
Brooks Rocco
Content Marketing Manager at Zip

The Digital Operational Resilience Act (DORA) is a European Union initiative that aims to ensure financial organizations remain resilient to severe operational digital disruptions.

It entered into force on January 16, 2023 and, after a two-year implementation period, has applied since January 17, 2025: banks, insurance firms, investment firms and other in-scope financial entities must now be fully compliant. While DORA is an EU regulation, other jurisdictions such as Australia, the United Kingdom and the United States are considering similar operational resilience measures.

In this article, we’ll take a look at what DORA is, what DORA covers, and strategies for procurement leaders on achieving DORA compliance.

Key takeaways:

  • DORA compliance shifts financial institutions from reactive to proactive ICT risk management and vendor oversight.
  • Procurement’s role is critical in ensuring contracts, due diligence, and monitoring align with DORA standards.
  • Third-party risk management is central to DORA, with strict requirements for vendor assessment and reporting.
  • Automated intake and orchestration solutions like Zip can streamline compliance tasks, from digital resilience testing to incident reporting.

What is DORA?


The EU’s Digital Operational Resilience Act (DORA) requires financial entities, and the ICT third-party service providers designated as critical, to follow binding rules on ICT risk management, incident handling, resilience testing and third-party oversight.

DORA covers EU financial entities and the ICT service providers that support them.

  • Part of procurement’s role is to help the financial entity classify third-party suppliers by criticality and business impact, and to evaluate the third-party risk management (TPRM) framework in place against the regulation’s requirements.
  • DORA requires reporting of ICT incidents with procedures for monitoring, classification, and communication to authorities.

“DORA introduces a new area of accountability,” said Gary Jones, Senior Programme Manager at KPMG UK, a global advisory firm that advises procurement leadership on industry trends. “It shifts from reactive to proactive digital resilience risk management. It's mandatory."

What does DORA cover?

DORA covers many aspects of cyber resilience, auditability, and the responsibilities shared between financial institutions and third-party software and IT service providers. 

The goal of DORA is to limit the disruption to financial systems that Information and Communication Technology (ICT) failures and attacks can cause. The act establishes binding rules for:

  • ICT risk management
  • ICT incident management
  • Digital operational resilience testing
  • Third-party risk management
  • Information sharing

DORA applies to a wide range of entities operating in the EU financial sector, including banks, insurance companies, investment firms, payment and trading platforms, as well as ICT third-party service providers.

The Five Pillars of DORA: Key requirements for procurement leaders

The Digital Operational Resilience Act (DORA) establishes a comprehensive framework for ensuring the resilience of the financial sector. 

Gary Jones pointed out the essential components of the compliance requirements. "Contracts with suppliers must include clauses that address compliance with DORA to ensure that the suppliers are contractually obligated to measure specific cybersecurity, digital resilience standards, and protocols,” he said.

DORA significantly impacts procurement practices just as organizations are increasingly reliant on third-party vendors for essential services. DORA’s requirements are structured around five key pillars, each with specific implications for procurement:

1. ICT risk management

This pillar requires businesses to have robust frameworks in place to continuously monitor key digital systems, data, and connections. Procurement teams play an important role in ensuring that these frameworks are in place. 

They must ensure that vendors who are selected and onboarded have strong IT risk management practices. This means considering a vendor's governance, security policies, and incident response plans during the procurement process.

2. Testing of digital resilience

DORA requires financial entities identified by their competent authority to carry out threat-led penetration testing (TLPT) at least every three years, and ICT providers whose services fall within the scope of a test must take part in it. Procurement is affected because it must confirm that third-party providers can and will support this testing. That means contracts should state how often testing happens (at least every three years, or 36 months, under DORA), who is qualified to perform it, and how findings are remediated and followed up.

3. Third-Party Risk Management (TPRM)

This is a core focus of DORA. It requires financial organizations to thoroughly conduct due diligence on ICT third parties. This includes assessing the criticality of third-party service providers based on business impact and the level of risk they pose.

DORA requires financial institutions to manage ICT third-party risk as an integral component of their ICT risk management framework. Procurement must implement processes to assess risks of vendors before agreements are made, manage the entire lifecycle of the vendor relationship, and include specific clauses in contracts to ensure adherence to DORA.

4. Incident reporting

Financial entities must have procedures to detect, manage, and report ICT-related incidents. Procurement’s role is to ensure contracts with third-party providers include requirements for incident reporting. 

These procedures should align with DORA requirements, specifying how incidents are classified and reported, and must include transparent cooperation with authorities. The procedures should also require elimination of the root causes to prevent recurrence and timely reporting to oversight bodies.

5. Information sharing

DORA encourages financial entities to share information about cyber threats and vulnerabilities with one another and with relevant authorities. Participation in such arrangements is voluntary, but financial entities must notify their competent authorities when they join (or leave) an information-sharing arrangement.

Procurement can support this by ensuring that contracts with third-party vendors include provisions for sharing relevant security information and participating in threat intelligence and sharing schemes.

By adhering to these five pillars, procurement teams can contribute to their organization's overall resilience and ensure compliance with the Digital Operational Resilience Act.

The importance of Third-Party Risk Management (TPRM)

A significant aspect of DORA is its focus on third-party risk management. According to SecurityScorecard, 98% of the top 100 European companies experienced a breach involving third-party suppliers between August 2023 and August 2024. 

DORA requires financial institutions to identify and assess the criticality of their third-party service providers based on business impact and the level of risk they pose. 

Article 28 of DORA stipulates that financial entities “must manage ICT third-party risk as an integral component of their ICT risk management framework.” Financial entities remain fully responsible for compliance regardless of what they outsource, and must conduct a full risk assessment of their suppliers.

DORA auditing and asset management 

Organizations should run a discovery process to classify the risks associated with their contracted products and services. Financial institutions should invest in platforms that can centralize their ICT asset catalogs, offering a holistic view of third-party providers, which allows them to understand the risks they pose to the business. 

Advanced spend orchestration platforms provide automation features that can be used to simplify the review process. 

DORA requires at least an annual review of ICT assets, and for third parties deemed high risk, the review cycle occurs more frequently. Platforms like Zip can automatically trigger review processes and log stakeholder activity, ensuring all aspects of the process are auditable at any time.

The IT Impact of DORA

Because DORA requires financial entities to assess the resilience of their software supply chain, third-party providers also need to understand their obligations. Leaders in financial organizations must consider which IT they implement; where an ICT vendor cannot meet DORA’s requirements, the entity must be able to terminate the contract, which is why DORA requires termination rights and documented exit strategies for services supporting critical or important functions.

Additionally, DORA’s technical standards require organizations to define and enforce policies for encrypting data at rest, in transit and, where necessary, in use, and for managing the cryptographic keys that this encryption relies on.

6 tactics to achieve DORA compliance in procurement

To ensure your organization is resilient and properly compliant with DORA’s requirements, procurement leaders should adopt several tactical best practices into their work. Here’s a breakdown of how to tackle DORA’s requirements in your procurement process:

1. Embed ICT risk management into vendor selection

Don’t treat IT risk as a separate concern—integrate it directly into your procurement process.

  • Develop a standardized risk assessment checklist that evaluates potential vendors’ IT governance, security policies, and incident response capabilities. Make this a mandatory part of vendor evaluation.
  • Prioritize vendors with robust security certifications and established security practices. Ensure your questionnaires include specific questions around security measures, incident response plans and business continuity plans.

2. Proactively manage digital resilience testing requirements

DORA requires threat-led penetration testing (TLPT) at least every three years for in-scope financial entities, and procurement is responsible for making sure the third parties within a test’s scope can support it.

  • Include clauses in all third-party ICT contracts that explicitly require vendors to participate in your TLPT when their services are in scope, and to provide evidence of their own resilience testing.
  • Build a process to track when vendors need to conduct their next TLPT. You can use Zip’s scheduled vendor reviews capability, which provides reminders about upcoming testing requirements.

3. Elevate Third-Party Risk Management (TPRM)

TPRM shouldn’t be a simple checklist item; DORA requires it to become a core part of your procurement process.

  • Create a comprehensive vendor risk assessment framework, going beyond basic due diligence. This framework must evaluate the criticality of third-party services based on potential business impact and level of risk.
  • Implement a tiered approach to vendor risk management, with more stringent assessments for essential vendors.
  • Ensure your procurement process includes a step where every ICT contract is logged in a central register of information, the record DORA requires financial entities to maintain and to make available to their competent authority on request. This register should be easily accessible for audits.
  • Implement continuous monitoring processes, and make sure your processes do not just include pre-contract evaluations.

4. Strengthen incident reporting and response through contracts

Contracts should be your primary tool for managing incident reporting. Your contracts should have clearly defined incident reporting procedures that align with DORA requirements, specifying timelines for reporting incidents and their severity levels.

  • Require third parties to notify your organization of incidents promptly and to share incident reports and root cause analyses, so that your organization can meet its own DORA reporting deadlines to the competent authority.
  • Include clauses in your contracts that detail how vendors will support your organization during incident response, as well as what measures they will take to prevent recurrence.

5. Facilitate information sharing and collaboration

DORA’s Article 45 outlines the specific information-sharing requirements with regards to cyber threat information and security intelligence. 

  • Add provisions to contracts that require vendors to participate in information-sharing schemes and to share relevant security information.
  • Build a process to share information between your third party vendors and your own internal teams.
  • Work with your legal teams to clarify data protection requirements and how you will ensure that you are complying with applicable data protection laws when sharing information.

6. Prepare for audits and inspections

DORA requires annual reviews of ICT assets with accompanying documentation, and for third parties deemed high risk, review cycles may occur more frequently.

  • Ensure contracts include clauses that provide your organization with the right to audit the vendor's security and compliance practices.
  • Document all aspects of the procurement process, including vendor selection, risk assessments, contract terms, and performance reviews, to facilitate audits.
  • Schedule audits and inspections on a regular basis, based on risk assessments. Make sure auditors have the right skills and that you follow established audit standards.

Utilize Zip’s capabilities for DORA compliance

Zip’s spend orchestration platform features several areas and opportunities for managing and maintaining the requirements for DORA compliance. 

  • Customizable due diligence: Use Zip to create tailored vendor questionnaires to evaluate ICT infrastructure and screen for digital risk.
  • Risk-based approval workflows: Zip can automatically flag and route high-risk vendors for extra review and approvals.
  • Centralized repository: Leverage Zip to store vendor documents (certifications, audit reports, etc.) in one accessible location and generate compliance reports at any time.
  • Scheduled alerts for compliance: Set up automatic alerts in Zip for vendors to run digital resilience tests every 3 years, as required by DORA.

For more information on how Zip can help facilitate DORA and other international regulatory initiatives, schedule some time with one of our compliance experts today.

Written By
Brooks Rocco
Content Marketing Manager at Zip
Brooks Rocco is a content marketing manager at Zip, the world's leading procurement orchestration platform. With expertise in crafting data-driven strategies and a passion for elevating procurement, Brooks creates insightful, actionable content for finance and procurement leaders. When he's not shaping Zip's thought leadership, Brooks enjoys exploring innovative ways to connect brands with their audiences.
