DORA (Digital Operational Resilience Act)

EU regulation (effective January 2025) requiring financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions. It has major implications for the procurement of technology services.

The Digital Operational Resilience Act (DORA) is an EU regulation that sets uniform requirements for the security of network and information systems of financial sector companies and their critical ICT third-party service providers.

DORA Impact on Procurement

  • ICT Third-Party Risk Register — mandatory register of all ICT service providers with risk classifications
  • Contractual requirements — specific clauses required in ICT outsourcing contracts (audit rights, exit strategies, incident reporting)
  • Concentration risk — must assess dependency on critical ICT providers
  • Incident reporting — ICT-related incidents must be reported to regulators
  • Testing — regular testing of digital operational resilience

Procurement teams in financial services must update their third-party risk management processes to comply with DORA requirements.