<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=229461991482875&amp;ev=PageView&amp;noscript=1">

The Digital Operational Resilience Act (DORA) is the first piece of legislation at the European level addressing digital operational resilience for financial services. The regulation will come into effect in January 2025 and will impact most financial entities in the EU.

What is the focus of DORA?

DORA establishes rules for ICT risk management, incident reporting, resilience testing, and third-party risk management. In short, it wants to make financial organisations and their supply chains more resilient in terms of cyber protection and operational resiliency.

We’re seeing recognition that digital supply chains need some form of regulation.

The idea is to harmonise the approach across the EU and for organisations to supply services to EU-based entities.

DORA applies to over 22,000 entities in the EU, as well as the ICT infrastructure supporting them," states PwC.


The breadth of this new regulation is far and wide, and there is a lot of work to do in 2024.


The areas of focus are:

  • Governance and ICT Risk Management
  • ICT Incidents and Reporting
  • Digital Operation Stability Testing
  • ICT Third-Party Risk
  • Information and Intelligence Sharing

At Gatekeeper, we fundamentally believe in the approach we call VCLM. That’s Vendor & Contract Lifecycle Management.

VCLM is an integrated approach that combines Vendor Lifecycle Management, Contract Lifecycle Management, and Third-Party Risk Management.

It aims to streamline operations, enhance control, and ensure compliance throughout the vendor & contract management process. This unified approach enhances strategic decision-making, risk mitigation and regulatory compliance. It is a game-changer in today's complex business environment."


The Digital Operational Resilience Act is the perfect use case for VCLM.

In this article, I will cover how a VCLM approach could significantly improve your prospects of compliance with this regulation.

I’ve been researching DORA for months. And, so far, I’ve noted that every piece of literature around this regulation notes common themes including:

  • Third-party suppliers
  • Third parties
  • Third-party vendors
  • Critical suppliers
  • Vendor risks
  • Supply chain risks
  • Vendor contracts
  • Supplier contracts
  • Third-party risk management

But none have mentioned the need for procurement teams, who I think are particularly well placed to take a leading role alongside legal and risk colleagues.

The oversight could be attributed to the attention given to companies under DORA's scope. However, vendor management teams throughout the EU will be examining their vendors to ensure they adhere to DORA regulations.

This is why we believe in VCLM; it brings everyone together to solve challenges such as DORA compliance.


Understanding the Digital Operational Resilience Act’s Core Requirements

We’ll look at this from a Vendor Management perspective. Contracts with vendors who fall within the remit of DORA will need to change.

Contracts with third-party ICT service providers must include mandatory clauses. Contract requirements supporting critical or essential functions are particularly detailed, including obligations for threat-based penetration testing, contingency plans, and security measures.

Financial entities also need to maintain a register of information on their ICT contracts and distinguish between those that support critical functions and those that do not.

In addition to this, we'll need to stay on top of:

  • Critical ICT third-party service providers under a Union Oversight Framework can suggest ways to lessen identified ICT risks. Financial entities must consider the risks of ICT third parties who don't adhere to these suggestions.
  • The risks related to IT concentration and risks from sub-outsourcing activities.
  • ICT Risk Management throughout your vendor base.
  • Incident Management throughout your supply chain.
  • Operational and Resilience Testing.
  • The main elements of the service and relationship with ICT third-party providers for comprehensive monitoring.
  • All outsourced activities with a detailed record of all vendors, including services within the group and changes to critical service outsourcing to ICT third parties.

New or updated processes will be required for ICT software vendors, and throughout this article, I will show you how to achieve this using our VCLM platform.

Where Should Vendor Management Teams Focus Their Efforts for DORA Compliance?

 

Vendor Categorisation

We’ll need to identify every ICT vendor the organisation engages with and whether they fall within the remit of DORA.

The EU will assess whether these vendors are deemed to be critical, as will your vendors, but we’ll want to get ahead and be proactive here.

We may want to align your vendor categories to DORA, which might mean changing “Software” vendors to “ICT” for any that are critical to the organisation. Using a VCLM platform means we can keep tabs on DORA-specific vendors.

We can do that in Gatekeeper by creating a new ICT category. However, under DORA, we’ll need to segment these by the vendors that fall within the Act’s remit and those that do not.

I’m going to suggest something akin to:

  • ICT - DORA
  • ICT - Standard

💡 I’ve created these new categories in Gatekeeper here.

Vendor Communications and Compliance Checks

You also need to understand your current vendor segmentation. I’m aware that some of you won’t have defined vendor categories yet, but this process gives you a blank slate to work with, so do not worry about that.

We need to do this so we can easily reach out to every ICT vendor. One method would be to use Gatekeeper’s Workflow Engine to power up a DORA compliance workflow.

It will send out a DORA-specific questionnaire to every vendor to understand their intentions around compliance. This questionnaire might be as simple as asking if they expect to fall within the scope of DORA. If they do, you can ask a series of qualifying questions specific to the regulation.

From here, we’ll want to get insights into the subcontractors our vendors are using to map out our vendor base more effectively - especially as the new DORA contract requirements will need to flow down the supply chain.

We’ll also need to conduct collaborative risk management exercises, penetration testing, and more. It will require knowledge and visibility of Tier 2 to Tier N supply chains. Without this, DORA compliance will be difficult to achieve.

Build a Vendor Risk Register For The Digital Operational Resilience Act

As we start bringing new information from our ICT vendors into our organisation, we can officially categorise them. However, as we do this, we will likely uncover several vendor risks.

  • Not yet started DORA preparations
  • Poor sub-contractor visibility
  • Business Continuity Plans and Disaster Recovery not compliant with DORA
  • Contract Amendment Issues
  • Concentration Risks with strategic vendors and mitigation plans for new vendors

There will be others, and we want to start documenting these as specific DORA risks. Fortunately, for every vendor that you have in Gatekeeper, you can create risks for them.

We covered this in our most recent webinar (non-DORA specific), but it’s worth watching to understand how you can improve your vendor compliance.

 

We could use the Risk Register to track anticipated or current incidents. We’ll need to create a specific category for these.

I’d suggest that we make it clear that every risk is DORA-related, but it depends on the team you have and the skills at your disposal as to your approach here.

We could simply create a new risk called: “DORA Risk”.

Or we could create a list of risks, as I’ve done before, and map these into Gatekeeper with the DORA prefix.

Either way, what you end up with is a detailed set of DORA-related risks that you can actively work on within your vendor base.

DORA Vendor Contracts

Existing vendor contracts are going to need updating and you’ll likely want to get a standard set of DORA clauses ready, much like you do for data protection.

Currently, there is no standard wording. However, the EU expects public authorities to develop standard clauses for this purpose and suggests financial services companies and ICT third-party vendors use such language.

Contracts under the Digital Operational Resilience Act (DORA) must have mandatory clauses. These include obligations for threat-based penetration testing, contingency plans, security measures, and maintaining a register of information on their ICT contracts.

Contracts with ICT service providers must include comprehensive monitoring and accessibility details, full-service level descriptions, and indications of locations where data is processed.

There are also specific requirements for contracts supporting critical functions, and these requirements need to be met by Q4 2024.


All contracts for ICT services, including Service Level Agreements, must be captured in "one written document" which must be available "on paper, or in a document with another downloadable, durable and accessible format".

Here’s a checklist of what you need when it comes to DORA-compliant contracts:

  • A clear and complete description of the services
  • Location of services performed
  • Service level descriptions
  • Detailed data protection provisions
  • Appropriate termination rights include exit/transition management
  • Minimum notice periods
  • Provisions requiring full cooperation with the competent authorities
  • Assistance (and cost) in the event of an ICT incident
  • Vendor’s participation in the financial entities' security awareness programmes
  • Vendor’s participation in the financial entities' digital operational resilience training

You’ll likely have some of these included, however, when it comes to provisions that require assistance, collaboration, and involvement in your operational resilience training, it’s unlikely you’ll have these in place with existing vendors.

For your existing vendors, you’ll need to triage the contracts that need attention, and you’ll need to understand which are the most important to focus on initially.

With Gatekeeper, we can triage these and place every vendor contract that needs an amendment into the Best Practice Workflow for Contract Amendments. This is a workflow that takes you minutes to set up via our guided configuration guide.

We’ll then update the trigger in this workflow to only trigger our high-priority DORA-relevant contracts, and this will pull every contract into the workflow.

Subcontracting under DORA

Regarding subcontracting, DORA only has basic rules. It says that the contract must state if subcontracting of an ICT service, that supports a key or important function, is allowed.

The contract should also mention the terms of subcontracting and the places where the subcontracted functions, ICT services, and data processing activities are happening.

The best practice will likely be to flow these DORA-specific clauses throughout your supply chain to enforce compliance beyond tier vendors.

Detailed Vendor Reporting of ICT Vendors for DORA

You’ll now have an incredible dataset that you can use to report on the compliance status across your vendor base when it comes to DORA. You can present reports to auditors and internal stakeholders.

Gatekeeper has built-in reporting, and via the vendor repository, we can create saved views that let us tailor reports depending on what we need.

From here, you’ll get a read on your existing vendors and contracts regarding their compliance levels. As you onboard new vendors and sign new contracts they’ll be pulled into the reporting so that you understand your DORA compliance levels at a glance.

Closing thoughts

DORA will stretch far and wide for any entity trading within the EU. Its coverage will be similar to GDPR and it mimics a move across the globe of increased focus on digital supply chains that have largely gone unregulated until now.

DORA compliance isn’t going to be possible with a spreadsheet. You need digital vendor and contract management to enable this.


If you’re considering your approach to DORA, book a call with one of our Vendor and Contract Management experts today to discuss your approach.

Daniel Barnes
Daniel Barnes

Daniel Barnes is a seasoned Procurement and Contract Management Leader, with a Masters in Commercial Law from the University of Southampton. He’s on a mission to transition the sector from manual, spreadsheet-driven processes to efficient, automated operations. Daniel hosts the Procurement Reimagined Podcast, exploring innovative strategies to modernise procurement and contract management, striving for a more streamlined and value-driven industry.

Tags

Contract Management , Control , Compliance , Vendor Management , Contract Lifecycle Management , Contract Management Software , Visibility , Contract Lifecycle , Case Study , Supplier Management , Vendor Management Software , Contract Risk Management , Vendor and Contract Lifecycle Management , Contract Management Strategy , Contract Repository , Risk Mitigation , Regulation , Contract Automation , Workflows , CLM , Contract Ownership , Contract Visibility , Contracts , Regulatory compliance , Supplier Performance , Supplier Risk , TPRM , Third Party Risk Management , VCLM , Contract and vendor management , Legal , Legal Ops , Podcast , Procurement , Risk , Vendor Onboarding , contract renewals , Future of Procurement , Gatekeeper Guides , Procurement Reimagined , Procurement Strategy , RFP , Supplier Relationships , Business continuity , CLM solutions , COVID-19 , Contract Managers , Contract Performance , Contract Redlining , Contract Review , Contract Risk , Contract compliance , ESG , Metadata , Negotiation , SaaS , Supplier Management Software , Vendor Portal , Vendor risk , webinar , Artificial Intelligence , Clause Library , Contract Administration , Contract Approvals , Contract Management Plans , ESG Compliance , Kanban , RBAC , Recession Planning , SOC Reports , Security , Sustainable Procurement , collaboration , AI , Audit preparedness , Audit readiness , Audits , Business Case , Clause Template , Contract Breach , Contract Governance , Contract Management Audit , Contract Management Automation , Contract Monitoring , Contract Obligations , Contract Outcomes , Contract Tracking , Contract Value , Dashboards , Data Fragmentation , Due Diligence , ECCTA , Employee Portal , Excel , FCA , ISO Certification , KPIs , Legal automation , LegalTech , Market IQ , NetSuite , Obligations Management , Procurement Planning , Redline , Scaling Business , Spend Analysis , Standard Contractual Clauses , Suppler Management Software , Touchless Contracts , Vendor Relationship Management , Vendor risk management , central repository , success hours , time-to-contract , APRA CPS 230 , APRA CPS 234 , Australia , BCP , Bill S-211 , Breach of Contract , Brexit , Business Growth , CCPA , CMS , CPRA 2020 , CSR , Categorisation , Centralisation , Certifications , Cloud , Conferences , Confidentiality , Contract Ambiguity , Contract Analysis , Contract Approval , Contract Attributes , Contract Challenges , Contract Change Management , Contract Community , Contract Disengagement , Contract Disputes , Contract Drafting , Contract Economics , Contract Execution , Contract Management Features , Contract Management Optimisation , Contract Management pain points , Contract Negotiation , Contract Obscurity , Contract Reminder Software , Contract Reporting , Contract Routing , Contract Stratification , Contract Templates , Contract Termination , Contract Volatility , Contract relevance , Contract relevance review , Contracting Standards , Contracting Standards Review , Cyber health , DORA , DPW , Data Privacy , Data Sovereignty , Definitions , Digital Transformation , Disputes , EU , Electronic Signatures , Enterprise , Enterprise Contract Management , Financial Services , Financial Stability , Force Majeure , GDPR , Gatekeeper , Healthcare , ISO , IT , Implementation , Integrations , Intergrations , Key Contracts , Measurement , Mergers and Acquisitions , Microsoft Word , Modern Slavery , NDA , Operations , Parallel Approvals , Partnerships , Pharma , Planning , Port Agency , Pricing , RAG Status , Redlining , Redlining solutions , Requirements , SaaStock , Shipping , Spend optimzation , Startups , SuiteApp , SuiteWorld , Supplier Cataloguing , Technology , Usability , Vendor Governance , Vendor compliance , Voice of the CEO , automation , concentration risk , contract management processes , contract reminders , document automation , eSign , esignature , post-signature , remote working , vendor centric , vendor lifecycle management

Related Content

 

subscribe to our newsletter

 

Sign up today to receive the latest GateKeeper content in your inbox.

Subscribe to Email Updates