DORA Isn’t Just Legal’s Problem

Procurement Should’ve Been Steering the Ship All Along

When DORA became applicable on 17 January 2025, plenty of procurement teams shrugged it off as “a legal thing.”
Now, six months in, some are scrambling, some are firefighting, and others are realizing that this wasn’t a policy change; it was a procurement wake-up call.

DORA was never just a compliance exercise.
It exposed the cracks in vendor governance, and procurement was supposed to be the one holding the flashlight.

What the Data Was Screaming (But Everyone Whispered Past)

  • 22,000+ financial entities and ICT vendors were pulled into DORA’s scope as of January 17, 2025 (Ivalua).

  • Only 8% of procurement teams were investing in AI or risk visibility tools, according to Gartner—while over 70% deprioritized procurement tech when setting IT budgets (Gartner).

  • A 15% increase in cybersecurity budgets was forecasted for 2025—largely driven by compliance mandates like DORA (Splunk).

  • IDC and Zycus warned that operational risk was procurement’s next strategic frontier, especially under DORA’s scope (Zycus + IDC Horizon).

What Procurement Teams Missed (While Legal Was Counting Clauses)

  1. Sub-tier risk didn’t exist—until it exploded
    Everyone knew who their vendors were. Nobody mapped who those vendors relied on. DORA forces the question: the register of information has to capture the subcontracting chain behind any ICT service that supports a critical or important function, and the contract for that service has to say what the vendor may subcontract and on what conditions.

  2. Contracts were legally sound, and practically useless
    Most lacked the provisions DORA now expects in an ICT contract:

    • Incident notification timelines (what the vendor has to report, and how fast, so the entity can meet its own reporting deadlines)

    • Audit and inspection rights, including over the vendor’s subcontractors

    • Subcontractor approval clauses, with notice of any change to the chain
      And when something broke, there was nothing in writing to enforce accountability.

  3. The “register” was a spreadsheet last edited during GDPR onboarding
    DORA expects a maintained, structured register of information covering every ICT third-party arrangement (not only the critical ones), in the supervisors’ templates, and ready to hand over on request. Most teams had a static Excel file with half the fields missing.

  4. Stress testing wasn’t even scoped
    Vendors supporting critical or important functions are expected to take part in resilience testing, up to threat-led penetration tests (TLPT) where their service is in scope. Most had no idea: it wasn’t in the contract, wasn’t in onboarding, and wasn’t followed up.

What High-Maturity Teams Did Differently

✅ Mapped the hidden dependencies
They asked not just “Who do we pay?” but “Who do our vendors rely on?”
That alone exposed dozens of sub-tier risks no one had flagged before.
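As an added example (not from this newsletter or from ProcureNerds), here is what “Who do our vendors rely on?” amounts to in practice: a register of first-tier vendors and the sub-providers each one names, walked transitively so that a provider three contracts deep still shows up, with two findings pulled out of it. First, concentration: sub-tier providers that sit beneath several critical services at once, which is exactly the risk the tier-one view hides. Second, intake gaps: providers a vendor named but that never went through onboarding themselves. All vendor names and the list of critical-function vendors are constructed sample data; the register is assumed to be a simple mapping from provider to the providers it relies on.

```python
"""Sub-tier dependency mapping over an ICT third-party register.

All vendor names below are constructed sample data. The graph is shaped to
show the pattern the text describes: three first-tier vendors that look
unrelated in the payment run but all sit on the same cloud provider.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed sample register: provider -> sub-providers it relies on.
# A provider that appears only as a value (never as a key) was named by a
# vendor but never went through intake itself.
REGISTER: Dict[str, List[str]] = {
    "PayGate": ["CloudNorth", "IdentityCo"],
    "CoreBank": ["CloudNorth", "DBHost"],
    "FraudAI": ["ModelServe"],
    "ChatSupport": ["TelcoX"],
    "IdentityCo": ["CloudNorth"],
    "DBHost": ["StorageVault"],
    "ModelServe": ["CloudNorth"],
    "StorageVault": ["CloudNorth"],
    "CloudNorth": [],
}

# Constructed sample: first-tier vendors that support a critical or
# important function (that classification itself is a business decision).
CRITICAL: Set[str] = {"PayGate", "CoreBank", "FraudAI"}


def dependency_tiers(register: Dict[str, List[str]], vendor: str) -> Dict[str, int]:
    """Every provider `vendor` relies on, at any depth, mapped to the
    shallowest tier at which it appears (1 = direct subcontractor).
    Breadth-first, so the first visit is the shallowest; the `tiers` check
    keeps it cycle-safe when A subcontracts B and B subcontracts A."""
    tiers: Dict[str, int] = {}
    queue = deque((p, 1) for p in register.get(vendor, []))
    while queue:
        provider, depth = queue.popleft()
        if provider == vendor or provider in tiers:
            continue
        tiers[provider] = depth
        queue.extend((q, depth + 1) for q in register.get(provider, []))
    return tiers


def unmapped_providers(register: Dict[str, List[str]]) -> List[str]:
    """Providers named as a dependency but with no register entry of their own."""
    referenced = {p for deps in register.values() for p in deps}
    return sorted(referenced - set(register))


def concentration(register: Dict[str, List[str]], critical: Set[str]) -> Dict[str, Set[str]]:
    """Sub-tier provider -> critical first-tier vendors that depend on it,
    directly or through any number of intermediaries."""
    impact: Dict[str, Set[str]] = defaultdict(set)
    for vendor in critical:
        for provider in dependency_tiers(register, vendor):
            impact[provider].add(vendor)
    return dict(impact)


def single_points_of_failure(register: Dict[str, List[str]], critical: Set[str],
                             threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Sub-tier providers whose outage would hit at least `threshold`
    critical first-tier vendors at once, most impactful first."""
    hits = [(p, sorted(vs)) for p, vs in concentration(register, critical).items()
            if len(vs) >= threshold]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for vendor in sorted(CRITICAL):
        print(vendor, "->", dependency_tiers(REGISTER, vendor))
    print("never onboarded:", unmapped_providers(REGISTER))
    print("concentration:", single_points_of_failure(REGISTER, CRITICAL))
```

In the sample, FraudAI never names CloudNorth at all; it only appears at tier 2 through ModelServe, which is why a first-tier spreadsheet would list CloudNorth under two vendors when it actually underpins three. The threshold is the policy knob: two is the point at which a single outage becomes a multi-service event, which is the question a supervisor will ask about.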

✅ Negotiated DORA clauses during renewals
Teams didn’t wait for legal. They brought three things to the negotiation table:

  • Mandatory resilience testing, including participation in TLPT where the service is in scope

  • Incident notification within a defined window, with enough detail to feed the entity’s own regulatory reporting

  • Cooperation with competent authorities, and audit rights that reach the vendor’s subcontractors
    Renewal is leverage, and they used it.

✅ Transformed QBRs into resilience reviews
Pen-test results and remediation status replaced PowerPoint fluff. Incident history replaced vague metrics. Risk posture became the KPI.

✅ Ran simulations with vendors
Instead of waiting for the next outage, they triggered tabletop exercises and supplier stress tests—using procurement as the coordinator.

✅ Joined DORA squads across the org
High-functioning teams worked cross-functionally with legal, IT, and security from day one—not month six.

What Procurement Now Owns—Like It or Not

Area: why procurement leads

  • Sub-tier mapping: it’s part of vendor intake. You control the forms, so you decide whether “who do you rely on?” is a required field.

  • Contract compliance: you own the renewal calendar, and the leverage that comes with it.

  • Critical ICT classification: you know which vendors actually sit under a critical or important function.

  • QBR content: you run the room, so run the right metrics.

  • Audit readiness: you control the documentation.

What Everyone Avoided Saying (But We’ll Say It)

Legal doesn’t run vendor relationships.
Security rarely sees a contract before it’s signed.
IT doesn’t manage renewals.

Only procurement touches all three.
If you weren’t embedded in DORA planning six months ago, you’re now retrofitting policies around contracts that can’t support them—and hoping no one notices until next year’s review.

Final Thought

DORA wasn’t a policy checklist. It was a structural audit of your entire ICT supplier strategy.
Procurement teams that stepped up? They became risk translators, contract architects, and business continuity enablers.
The rest are now racing to fix what they thought didn’t concern them.

If you’re in procurement and still treating DORA like someone else’s compliance checklist—this is your reminder: regulators don’t care who owns the problem. They care who solves it.

Until next time,
Zvi
Founder, ProcureNerds