DORA – Beyond the Deadline & the impact on the supply chain
The Digital Operational Resilience Act (DORA) is a significant regulatory framework introduced by the European Union to enhance the operational resilience of the financial sector. It came into effect on January 17, 2025, applying to a wide range of financial institutions, including banks, investment firms, insurance companies, and payment providers.
Impact on Critical Third-Party Suppliers
Perhaps one of the most novel requirements of DORA is its impact on Critical Third Party Providers (CTPs). For these firms, DORA imposes stringent requirements to ensure that a failure of their services does not disrupt the financial sector. These suppliers must undergo rigorous assessments, including risk management controls, incident reporting, and resilience testing. They are also subject to enhanced supervisory oversight and must maintain detailed registers of their ICT services. This means CTPs need to invest in robust cybersecurity measures, conduct regular audits, and ensure full compliance with the new regulatory standards.
Considerations for Non-Critical Suppliers
Suppliers not deemed critical under DORA may still need to align with the regulatory framework to support their financial institution clients. While the requirements are less stringent, non-critical suppliers must still demonstrate their ICT controls and processes by conducting self-assessments and possibly seeking external advisory reports to ensure they meet the necessary standards. This may help build assurance with clients and ensure the whole supply chain is operating within the regulatory requirements.
Regulatory Expectations Post-January 17, 2025
With the deadline passed, financial institutions and their suppliers are expected to have fully implemented DORA's requirements. Regulators will conduct ongoing assessments to ensure compliance, and any gaps identified must be addressed promptly. The European Supervisory Authorities (ESAs) will continue to monitor the sector, with non-compliance likely to result in penalties and reputational damage. DORA being in full force represents a significant shift in the regulatory environment for financial services, emphasising the importance of robust ICT risk management and operational resilience throughout the supply chain.