Exploring with DORA – Why You Can’t Afford Not To!

Aug 4, 2025

As digital threats escalate year on year, operational resilience is no longer a compliance checkbox – it’s a strategic imperative.

In 2023, 78% of European financial institutions experienced third-party data breaches, while the average cost of a data breach surged to USD 4.88 million in 2024 (IBM, 2024) (BusinessWire, 2024). Enter the Digital Operational Resilience Act (DORA), an EU regulation, enforced from 17 January 2025, which aims to strengthen the information & communication technology (ICT) security of financial entities, ensuring the financial services sector remains resilient against severe operational digital disruption.

But while its purpose is clear, many are asking: Who exactly does DORA apply to? See a summary of the scope of DORA outlined in the visual below.

Who needs to comply with DORA?

It’s important to note that even if your organisation falls outside DORA’s formal remit, similar operational resilience frameworks exist, such as the UK FCA’s operational resilience framework and the US FFIEC guidelines. Aligning with DORA best practices can therefore sharpen your competitive advantage, regardless of regulatory jurisdiction.

Why should organisations care about DORA, and what problems does it help to resolve?

DORA was created in response to a rising tide of operational and supply chain vulnerabilities across financial services and ICT networks. Here are a few key areas that DORA seeks to address in the procurement and supply chain space.

Escalating Supply Chain Attacks:

In 2024, 58% of large UK financial services firms reported at least one third-party supply chain attack, with 23% being targeted three or more times (Orange Cyberdefense, 2025). This trend highlights the increasing vulnerability within supply chains and reinforces the need for a framework like DORA to help address these potential weaknesses.

Inadequate Continuous Risk Assessment:

Data indicates that 44% of financial institutions assess third-party risk only during initial onboarding, while a mere 14% engage in continuous risk assessment using dedicated tools (Orange Cyberdefense, 2025). This fragmented approach leaves firms exposed and underscores the importance of consistent, end-to-end risk visibility.

Prevalence of Third-Party Breaches:

As mentioned, in 2023, over 75% of European financial institutions experienced third-party data breaches, with many also impacted by fourth-party breaches (BusinessWire, 2023). Without strong governance, such as centralised spend management and integrated oversight, organisations are vulnerable to significant business disruption.

How do organisations embed resilience in their procurement and supply chain strategy through digital enablement?

To ensure compliance with DORA’s requirements and enhance supply chain resilience, organisations should focus on three key areas:

Defined Procurement Strategy & Supply Chain Strategy:

Having clarity around the goals of your supply chain strategy is essential, and embedding the principle of due diligence alongside it is key. As BNP Paribas’ Global Head of Resilience notes, digital transformation plays a critical role in managing cyber and technology risks while strengthening customer trust (McKinsey, 2025). Developing and implementing digital transformation strategies that are aligned to an organisation’s procurement and supply chain strategies helps organisations to achieve long-term results by regularly assessing risks and ensuring compliance and alignment with overall business goals.

Building Continuous Monitoring & Controls:

DORA requires robust controls across the Procure-to-Pay lifecycle. Platforms such as Zip enable centralised spend management, streamline supplier onboarding, and unify risk processes. Zip’s Risk Orchestration solution simplifies supplier risk assessments, financial verification, and regulatory compliance. Its no-code workflows allow organisations to rapidly adapt to new regulations. These capabilities are key to mitigating supplier-related risks and ensuring operational resilience.

Improving Supplier Relationships:

Building strong, trust-based supplier partnerships is more important than ever to foster transparency and enable threat intelligence sharing. Under DORA, organisations must assess potential partners against specific criteria to evaluate their cybersecurity and digital resilience. The Zip risk orchestration platform offers a streamlined approach to managing supplier relationships — improving visibility, collaboration, and efficiency in onboarding and selection. By focusing on collaboration, organisations can strengthen supply chain security and improve responsiveness in identifying any potential attacks.

Embedding clear procurement strategies with strong controls, contingency planning, and supplier networks is key to building digital operational resilience. Resilience isn’t just about complying with regulations – it’s key for reputation, reliability and readiness. Speak to us today to find out more about our expertise and how we can help lay these foundations to ensure your organisation adapts to new regulations while staying aligned with long-term strategic goals.

GET IN TOUCH WITH OUR TEAM TODAY

To discuss further or explore your tech questions, get in touch with Joe Gibson FCIPS, FCMI, Head of Digital Transformation; Allison Ford-Langstaff (FCIPS), Managing Partner; Andy Hemsley, Partner; or Julia Cullen, Digital Transformation Consultant. We’re always happy to collaborate, share insights, and support.
