The area of compliance that I’ve most frequently been asked about over the last 12 months is DORA, the Digital Operational Resilience Act. It’s a complex piece of regulation, but it comes down to a few simple, key principles. At Omnea, we’ve brought together some of the leading experts in this space, along with many of our customers, to work out the best way to prepare for DORA from both a process and a tooling standpoint. In this article, I discuss DORA’s key objectives and scope, and how foundational procurement and third-party risk management processes can keep you compliant.
What is DORA (the Digital Operational Resilience Act)?
In July 2024, 8.5 million devices were ‘bootlooped’ (stuck in a perpetual loop of turning off and on again) by a faulty, routine software update pushed by CrowdStrike. The update was not intended to be malicious. It wasn’t engineered to cause specific disruption. Yet it rendered services across financial institutions, healthcare, and local government inoperable for days, causing a $5.4B toll on the Fortune 500. Now, imagine if it had instead been designed to cause harm, and how much more devastating it could have been. That’s the kind of attack that the Digital Operational Resilience Act, or DORA, seeks to prevent. Its core objective is to increase the digital operational resilience of the financial sector as a whole. To that end, its scope spans a number of key areas:
- ICT risk management
- ICT third-party risk management
- Digital operational resilience testing
- ICT-related incidents
- Information sharing
- Oversight of critical third-party vendors
How does DORA impact third-party risk management?
DORA introduces a number of key requirements for third-party relationships, all designed to increase the resilience of systems and to reduce the likelihood and impact of digital supply chain attacks. Those impacted by DORA need to:
Identify and assess critical third-party vendors
This means mapping systems and suppliers, and identifying which vendors pose the biggest threat to operations should they be compromised.
Fulfil due diligence and contractual obligations
They must conduct due diligence to confirm that third-party vendors have adequate risk management practices, and put contractual terms in place to manage the risks that remain.
Maintain ongoing oversight and monitoring
Additionally, they must continuously monitor vendors to ensure that these risk management processes are being followed, that new risks are flagged and addressed, and that vendors are meeting their contractual obligations.
Incident management and reporting
They are required to have processes in place to respond to and report incidents arising from third-party suppliers.
Contingency planning and testing
They are required to maintain business continuity plans, and to periodically test contingency plans that address service disruptions caused by third-party outages or failures.
Who needs to comply with DORA?
DORA is primarily aimed at financial entities, including banks, credit institutions, investment banking, payments providers, electronic money institutions, and insurance. It applies to all businesses that operate in the EU, not just those based in the EU. Some of the expectations vary based on the entity’s footprint and size. DORA must also be applied to third-party suppliers who are critical to financial services. Some key areas covered are IT systems and services, cybersecurity, outsourcing, and data management.
When is DORA regulation coming into force?
DORA came into force on 16 January 2023 and applies as of 17 January 2025. Coming into force means that the legislation was adopted and published, but it does not necessarily produce legal effects yet. In practice, this means the legislation is binding as of 17 January 2025.
How can Omnea help you meet DORA requirements?
The most difficult part of maintaining compliance with DORA is not necessarily understanding the regulation and the resulting obligations, nor even the typical risk management strategies for identifying and resolving risks, but tying those obligations to your internal processes.
TPRM (third-party risk management) cannot exist in a silo. It needs to be closely integrated with the other business processes that can bring risk into your business, such as Procurement. Maintaining ‘live’, automatically updating registers of Vendors, Services, and Agreements requires working as closely as possible with the Procurement process, to prevent the duplicate data entry, copying and pasting, and manual handoffs that introduce friction into every process they touch and reduce business velocity.
Omnea enables compliance with the third-party risk management requirements of DORA. We work with many DORA-regulated businesses to make visibility, assessment, and monitoring of third-party risk simple. Here’s how we do it.
Automatically assess the risks associated with vendors
Omnea automatically classifies vendors and sends them the correct assessments at intake, including for DORA, but also for SOC2, SOX, and many other geography-specific requirements. Omnea ensures you apply the right level of scrutiny based on data usage, location, or other critical factors. If vendor responses diverge from expectations, you’ll be alerted with a tailored risk summary and remediation steps.
Centralized supplier register
Omnea creates a single repository of all vendors, contracts, and due diligence. All supplier and vendor information lives in one place, eliminating duplication and the need for manual spreadsheets. Once you’ve identified your third-party risks, store them in our risk repository alongside remediation steps and inherent and residual risk scores. You can capture extra metadata such as categorisation and internal owners, and set up automated reminders to action treatment plans so things get done on time.
Monitoring risk over time
Omnea triggers automatic risk questionnaires for vendors to ensure they remain compliant over the course of your relationship, or at renewal. Vendors only ever interact with our Supplier Portal, which makes it easy for them to supply documents and data, and keeps all communication in one place rather than scattered across multiple systems.
Workflow automation
From onboarding to renewal and reassessment, Omnea’s workflow engine captures critical data at the right time, automatically populating DORA and Outsourcing Registers using information captured in both internal and external questionnaires. I’ll get into the mechanics of setting up DORA compliant workflows in the next section.
Dynamic reporting
Omnea’s risk analysis dashboards make it easy to spot areas of potential exposure across critical service providers. Build dashboards tailored to your needs and send the data directly to your regulator-ready reports in a click.
Implement DORA-compliant processes quickly with Omnea’s templates
We offer pre-configured templates for Outsourcing Registers and DORA-specific information, developed in collaboration with clients already using our system to enable DORA compliance. That said, every organisation has its own regulatory nuances. You can define your own custom definitions and conditionality around tagging for things like Criticality and Important Business Service lists, to categorize suppliers accurately and meet both DORA and outsourcing requirements.
Our templates match supervisory authority guidelines, enabling the automatic mapping of key register metadata such as “contract termination clauses,” “residual risk assessment outcomes,” “ease of replacement,” and “alternative providers”. Omnea’s automated register ensures data is always up to date, meaning you’re always on top of requirements.

Configuring DORA-compliant workflows in Omnea
Omnea workflows are easy to create in our no-code, drag-and-drop workflow builder. A typical DORA-compliant workflow affects three key components of your usual purchase and renewal workflows:
- Intake assessment
During intake, requesters walk through a structured process. It’s conditionally triggered based on simple questions, and no training is needed in advance. Requesters are asked key questions relevant to DORA, without needing any pre-existing knowledge, which guide them to provide the information we need to automatically assess, for example, whether something must be classed as Outsourcing. This step gathers information to inform the subsequent approval processes, dynamically triggering the automatic involvement of risk and compliance stakeholders for review.
- Supplier onboarding and assessment
Suppliers then undergo due diligence as part of onboarding. They provide all information in Omnea’s Supplier Portal, which captures risks requiring acceptance or mitigation. Our Supplier Portal gathers data in a standard format. This eliminates free-text confusion and ensures consistent reporting. Risk, Security, and Compliance teams can then configure additional approval steps so that critical services receive appropriate scrutiny.
- Tagging and categorization
Omnea then automatically assigns key tags and mappings based on answers to questionnaires, such as “Outsourcing”, “Critical”, and “ICT Related”. This enables quick filtering of vendor categories, and the immediate export of all vendors meeting DORA-defined attributes in just a few clicks.

Driving DORA automation with Omnea
Individually emailing hundreds of vendors to request DORA information, following up, categorizing, and loading the results back into an Outsourcing Register is a mammoth task. Omnea automatically sends prompts and reminders, guiding vendors through the process. Before onboarding, they are automatically notified to fill out the due diligence questionnaire, which is synced to the register. Omnea intelligently automates reviews from different internal stakeholder groups, so everyone is involved when needed, and with the right context.
“Omnea simplifies how we manage supplier risk and saves us so much time. A previously manual process is now simple and easy — non-compliance is flagged before contracts renew, and our TPRM is automated.”
Chris Cottrell-Mason (Senior Tech Risk Lead, Onfido)