Wednesday 22 January 2025

DORA Law: the question of suppliers


The Digital Operational Resilience Act (DORA) defines the technical standards that financial institutions and their critical technology service providers must implement in their ICT (information and communication technology) systems from the beginning of 2025. But are companies really ready to comply with these requirements and, therefore, to properly manage the risks in their supply chain? Jaggaer, a leader in the digitalization of purchasing and supply-chain collaboration, responds.

In France, as in many European countries, the rise of artificial intelligence and global tensions are strongly fuelling the risk of cybercrime. The European Union Agency for Cybersecurity (ENISA) warned that the number of attacks on infrastructure doubled between the fourth quarter of 2023 and the first quarter of 2024, probably for geopolitical reasons. Cyberattacks leak millions of internal records, including customer data, which in turn gives criminals the means to carry out further attacks more easily, such as scams in which the victim is deceived into handing over genuine personal data. Faced with a phenomenon that seems to know no limits, the Digital Operational Resilience Act (DORA) sets out in law the requirements that banks and insurers must meet. It helps to strengthen security and to maintain a good level of digital resilience.

Managing ICT risks

From January 17, 2025, a binding and comprehensive framework therefore applies to the management of information and communication technology (ICT) risk in the EU financial sector. It also covers the essential third parties that provide related services to financial entities, such as cloud platforms or data analytics services: in other words, their main suppliers. ICT suppliers designated as "critical" by the European Supervisory Authorities (ESAs) will be directly overseen at European level. As the competent authorities, the ESAs may require security and remediation measures and impose penalties on suppliers that fail to comply with them.

Analysis of current contracts

This new regulation means that certain contracts, which were never reviewed under the framework of the European Banking Authority, will now need to be examined. This involves a significant amount of work on current contracts: first, to identify which of the newly required clauses are already present in existing agreements; second, to identify the contracts that will need to be renegotiated to include them. This new DORA regulation is a step forward for business security. Attacks that reach an institution through its suppliers, especially small ones, represent a danger that was not yet under control.

The question of suppliers

For most businesses, the DORA law will not have a major impact, because they already apply security protocols to manage the risks they are exposed to. However, they will need to carry out additional resilience testing: increasing the number of assessments they perform, refining their methodologies and incorporating best practices in systems control and monitoring. So far, so good, but a question arises: are companies and their teams really ready to audit and certify their suppliers? According to a survey conducted by Forsitis, 72% of large companies register and approve all of their suppliers. That percentage falls to 18% among companies with a turnover below 20 million euros, and among those, eight out of ten merely record their suppliers without approving them. One of the most worrying findings of this study, carried out less than a year ago, is that 82% of companies with a turnover below 20 million euros do not assess the risks posed by their suppliers, and that 35% of companies with a turnover above 100 million euros do not do so either. These gaps put the company itself in danger.

Control for better digitalization

In purchasing operations in the financial sector, in insurance and, by extension, in any relationship that involves managing suppliers, many parties are involved and the processes become very complex. This calls for ongoing risk assessment, and manual, traditional procedures do not guarantee effective control. Faced with these time-consuming, repetitive and low-value tasks, technology must gain ground. In addition to their own legal teams, companies are choosing external partners specialized in risk management and accreditation, through innovative platforms that measure and qualify suppliers around the world using comprehensive and diversified risk mapping. Those that do so will be at an advantage in the new scenario that the DORA regulation will create for companies handling huge volumes of data. Only through technology and, of course, compliance will they be able to protect their customers effectively against the constant threat to their security.
