The deadline for compliance with the EU’s Digital Operational Resilience Act (DORA) falls on January 17th.
With 43% of the UK financial services industry set to miss the deadline, according to research from Orange Cyberdefense, the act could significantly disrupt commerce between the UK and the EU. Organisations found to be in breach of DORA could face serious fines of up to 1% of worldwide daily turnover for as long as six months. In addition to potential fines levied against the financial services sector, DORA’s new regulatory requirements pose challenges for procurement teams operating across the channel, as well as IT teams governing the movement of data.
Financial services and digital infrastructure
The digital infrastructure sector underpins multiple sectors that are about to be affected by DORA, including cloud computing and financial services.
All of these sectors will experience profound changes as a result of DORA coming into effect. “Critical digital infrastructure providers, like Equinix, may become directly regulated for the first time and will play a critical role in supporting its financial services clients in adhering to stringent requirements,” observes Adrian Mountstephens, Strategic Business Development for Banking at data centre giant Equinix. All financial service companies in the EU, he adds, will need to update their contracts with their supply chain to remain compliant.
Mountstephens also notes that, along with other legislation focused on digital security, like NIS2 (EU-wide legislation on cybersecurity) and the European Cybersecurity Act, DORA will result in organisations adopting enhanced security measures. “Third-party risk management will intensify, with increased supply chain oversight and emphasis on companies having certifications. We aim to keep our customers future-ready by providing financial institutions with solutions that address their digital transformation challenges while ensuring compliance with evolving regulations,” he says. “As one of the most comprehensive cybersecurity regulations the financial industry has seen, the new policies aim to ensure infrastructure is in place to prevent, respond to, and minimise disruptions, specifically as financial institutions are increasingly dependent on technology and face growing risks of cyber attacks.”
DORA and the cloud
Dmitry Panenkov, CEO of cloud management platform Emma, also notes that “One of the main challenges with the upcoming DORA regulation is ensuring visibility and control across cloud environments, as introducing hybrid or multi-cloud setups to strengthen resilience often comes with a lack of the integration needed for comprehensive risk management and compliance oversight.”
Ensuring that businesses have a “dedicated and mature” Digital Resilience Framework will also reportedly be critical, and Panenkov stresses that organisations must be prepared to conduct required annual evaluations and tests. However, even as DORA comes into effect, “many are still building the capabilities and processes needed to meet these obligations.”
If organisations can’t take steps like enhancing their real-time risk mitigation strategies and ensuring that data security processes are up to a suitable standard to withstand operational and regulatory scrutiny, they could find themselves in noncompliance.
“Organisations must recognise that DORA is as much an organisational challenge as a technical one,” he says. “It demands collaboration between compliance, IT and cloud teams to embed resilience planning into operations. The most successful organisations will not only align with DORA but also use it as an opportunity to strengthen their overall operational resilience.”
Purchasing and DORA
Arnaud Malardé, Smart Procurement Expert at Ivalua, agrees that DORA is an operational issue. “Until now, many procurement teams might have mistakenly viewed compliance with the regulation as solely an IT responsibility – but this Friday will act as a serious wake-up call for many organisations,” he says. “The fact is that procurement plays a crucial role in managing the third-party risks at the heart of digital operational resilience. Without robust supplier oversight, organisations risk non-compliance that can result in crippling fines, legal liabilities, and exclusion from markets they rely on.”
However, he adds that many procurement teams are still reliant on outdated processes, fragmented data, and manual contract review that is both prone to human error and provides limited visibility into supplier performance and compliance. These legacy holdovers only increase the chances of being found in violation of the new regulations and forced to accept significant penalties.
To “play catch-up” and meet these challenges, Malardé argues that organisations need to digitalise their procurement processes — and fast. “For example, cloud-based Source-to-Pay platforms create a centralised repository for contracts, DORA-specific reporting, and supplier data, allowing for real-time risk monitoring and automated compliance tracking,” he says. “By embedding resilience into procurement strategies, businesses will not only meet DORA’s demands, but also strengthen supply chains, mitigate cyber risks, and unlock long-term competitive advantages.”