Requirements, Impact and Implementation

Explanation of Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at sustainably strengthening the digital resilience of financial institutions. It focuses on the ability of banks, insurance companies and other financial service providers to operate information and communication technologies (ICT) securely, manage risks, and remain operational even in the event of a disruption.

For the first time, DORA establishes a uniform regulatory framework for addressing digital risks in the financial sector. Of particular relevance are the requirements regarding:

  • IKT – Risk Management
  • Incident Management and Reporting Obligations
  • Resilience Tests
  • Management of ICT third-party Providers (Third-Party Risk Management)

In particular, the use of external service providers—such as cloud providers or IT service providers—is becoming a major focus of supervision.

The Impact of DORA on Procurement in the Financial Sector

For procurement, DORA represents a fundamental shift: Regulatory requirements must be taken into account much earlier in the procurement process—not just afterward or as part of audits.

In particular, the following challenges arise:

  • Early Risk Assessment: Even before a procurement process begins, it is necessary to determine whether it involves an ICT service provider or a critical outsourcing arrangement.
  • Documentation Requirements: All decisions must be documented in an audit-proof and traceable manner.
  • Process Standardization: Manual checks and media breaks are no longer acceptable.
  • Collaboration across multiple functions: Purchasing, Compliance, IT and business units must work closely together.
  • Regulatory Governance: There should be clear rules regarding approval requirements and risk assessments.

DORA in the Procurement Process: Both a challenge and an opportunity

Many companies are faced with the question:
How can the extensive DORA requirements be incorporated into the procurement process early on, in a structured and audit-proof manner—and before a procurement process is even initiated?

This is exactly the key: Compliance must not be an after-the-fact checkpoint, but must become an integral part of day-to-day procurement.

Our Approach: Embedding DORA Compliance directly into the system

We help companies in the financial and insurance sectors integrate DORA requirements into their procurement processes efficiently and with system support—particularly using SAP Ariba.

A specific project example illustrates how this works in practice:

A client in the financial sector faced the challenge of incorporating the extensive DORA requirements early in the procurement process—without additional manual verification processes or system disconnects.

Our solution in SAP Ariba:

Together, we have designed the process so that key DORA requirements are checked right in the request for requirements—using intelligent, dynamic forms.

Specifically, this means

  • Assessment of the criticality of services (e.g. ICT-related aspects, critical functions)
  • Structured risk and outsourcing assessment directly within the system
  • Mandatory disclosures regarding information security, exit strategies and subcontractors
  • Automatic control of approvals based on regulatory relevance
  • Complete, audit-proof documentation

The result for our client

By integrating DORA into the operational procurement process, companies benefit from:

  • Ensuring regulatory compliance early on
  • Significantly reduced operational risks
  • Clear governance without additional manual supervisory body
  • High transparency and audit assurance
  • Noticeable relief for procurement, compliance and business units

It is particularly important to note that this does not create a “parallel world.” Instead, DORA is seamlessly integrated into existing processes.

Why we are the right partner

As specialists in digital purchasing processes within a regulated environment, we help banks and insurance companies efficiently implement regulatory requirements such as DORA—not only from a business perspective, but also technically within their systems.

Our focus:

  • Integration in existing SAP-Ariba and S/4HANA processes
  • Connection of Procurement, Compliance und IT
  • Solutions proven in practice rather than theoretical concepts
  • Audit-compliant and scalable process design

Conclusion: DORA as a driver of modern procurement

DORA is more than just a regulatory requirement—it is a catalyst for the further development of procurement. Companies that adapt their processes early on and digitize them intelligently not only ensure compliance but also achieve efficiency and transparency.

How do you currently ensure that regulatory requirements are thoroughly reviewed before the procurement process begins?

You are interested in SAP Ariba Next-Gen? Then you are right here!