The Digital Operational Resilience Act (DORA) and Managing Third-Party Risk in the Supply Chain – Part 3

Article Cyber Security & Privacy

At a time when supply chains are becoming increasingly complex and digital, companies’ vulnerability to cyber risks is also increasing exponentially. The European Union has created the Digital Operational Resilience Act (DORA) as essential legislation to increase financial institutions’ resilience to cyber threats. The law requires organizations to implement more robust controls and processes not only for internal systems but also within the broader supply chain. This article examines the impact of DORA on supply chain (risk) management and third-party risk management and offers insights into how organizations can prepare for these new requirements.

DORA and the pressure on supply chains

DORA is designed to strengthen the resilience of the European financial sector by setting strict requirements for digital operational resilience. This means that organizations must now prove that they are not only prepared for disruptions, but also able to recover quickly. A key aspect of this is the management of risks arising from third-party and supply chain partners, as vulnerabilities at these external parties can actually impact the organization itself.

The requirement under DORA to identify third-party risks is closely aligned with the broader trend of enhanced Supply Chain Risk Management. This law states that organizations must now conduct a full risk assessment for every aspect of their digital supply chain and must continuously update the information. This requires a pragmatic but comprehensive approach that has not been fully implemented by many companies to date.

The four core pillars of DORA within Supply Chain Risk Management

DORA places particular emphasis on four key areas essential for effective cyber resilience within the supply chain:

  • Third-party risk analysis and monitoring: Under DORA, financial institutions are required to conduct a thorough risk analysis of third-party providers in the supply chain, including IT service providers, data center providers and cloud solution providers. The goal is to understand the specific vulnerabilities and potential risks these external parties pose to the organization itself. This requires a detailed approach, with continuous monitoring and evaluation of these external parties being critical.
  • Cyber incident management and recovery plans: DORA requires that organizations have a clearly defined incident response plan for potential cyber attacks or digital disruptions that arise from within the chain. This must include a practical approach to identifying, reporting, and recovering from cyber incidents. It also includes testing and evaluating these plans, including scenarios that cover different types of supply chain risks.
  • Resilient and robust IT systems: Under DORA, organizations must ensure that their IT infrastructure is not only functional but also robust so that it can withstand external risks. This goes beyond traditional measures such as firewalls and antivirus programs; it requires layered security that also takes into account vulnerabilities in the chain. This means that not only the suppliers, but also financial institutions themselves must take measures to ensure continuity of critical services in the event of supplier failure.
  • Compliance and reporting requirements: An important aspect of DORA is compliance with detailed reporting requirements. Companies must not only be able to demonstrate compliance, but also document the results of their assessments, incidents and remedial actions. This requires a streamlined documentation and reporting approach that scrutinizes third-party compliance as well.

Concrete steps for implementing DORA in supply chain risk management

To comply with DORA and effectively manage risk in the supply chain, organizations must take a number of steps:

  • Appoint a central team for supply chain management: Create a dedicated team as part of regular procurement and contract management that focuses on monitoring and assessing suppliers; in addition to DORA, numerous other legal frameworks, such as GDPR and CSRD, also apply. This team can also serve as a central point of contact for incident management and compliance.
  • Conduct continuous risk assessments of external parties: Risk assessments should go beyond just surveying the party itself. It is important to understand in detail how external parties interact with their own suppliers so that potential supply chain risks can be identified early on. A risk-based approach is the key concept here – scoping suppliers based on how critical they are to operations and tailoring enforcement accordingly.
  • Standardize and automate for reporting and monitoring: Given the extensive reporting requirements of DORA, automation and standardization can be valuable. Third Party Risk Management tools can help streamline both monitoring and documentation, facilitating continuous compliance. For example, a number of financial institutions are using 3rdRisk. While this has been slow to take off in practice, there is considerable scope for standardization through sector-wide collaboration.
  • Test and update recovery plans regularly: Recovery plans should be tested with scenarios specifically tailored to chain risks. Regular updates and exercises ensure that organizations remain prepared for new threats. The goal here is more than paperwork; it revolves around actively practicing together.
  • Encourage transparency and cooperation in the chain: Open communication with stakeholders is essential. By making partners and suppliers aware of the impact of DORA and working together on compliance, weaknesses can be addressed more effectively.

Looking ahead with DORA and Supply Chain Risk Management

The implementation of DORA will significantly change how financial institutions manage their supply chain, especially when it comes to digital resilience. In an increasingly complex digital world, an organization’s resilience is determined not only by internal measures, but also by the weakest link in the chain. DORA provides a solid framework to address these challenges, but at the same time requires that supply chain and third-party risks be taken seriously and new, pragmatic approaches implemented to meet the requirements.

Proper implementation of these strategies can additionally provide a competitive advantage, with financial institutions not only complying with legislation, but also occupying a firmer, more reliable position in the industry.


This triptych was written in collaboration with specialists from 3rdRisk.

Also read part one and two of this series, where we discuss supply chain security as part of NIS2 and provide a pragmatic approach to managing risk in your supply chain.

By Rico Plomp
Senior Manager – Cyber Security

17 Jan 2025