One of the biggest issues firms are grappling with is figuring out which suppliers truly matter under DORA. Some are narrowing their focus using their own definitions of Tier 1 and Tier 2 suppliers, while others are casting a wide net, mapping every technology provider. 

Some firms are focusing on operational resilience frameworks, using the Important Business Services as a starter, then scoping DORA through identifying the 'critical' IT providers for those services.

Other firms are also factoring in their latest assessment of Critical or Important Functions (CIFs), adding another layer of complexity.

There was no single, consistent approach being used. With institutions struggling to align, this is likely to lead to mixed messages and inconsistent expectations of suppliers further down the chain. In turn, this may expose inconsistencies in the required Registers of Information.

We expect regulators to ask for copies of the Registers of Information in 2025 in order to understand the critical supplier landscape to a greater extent. Inconsistent scoping and definitions of critical ICT providers may set off alarm bells once their analysis is completed.  

Another major issue is that suppliers aren’t engaging. Most firms haven’t heard from their suppliers about DORA compliance. In fact, one institution even had a supplier ask for money to ensure compliance (which was thankfully a one-off). 

Worse still, firms are finding themselves in a passive position. The feeling is that large suppliers are going to implement their own compliance plans, and the firms will just have to adapt, without much say in how it all plays out. They’ll simply be on the receiving end of whatever changes their suppliers make. 

Another contentious issue that came up is the disconnect between firms and their suppliers over what’s considered 'critical'. Firms have experienced pushback as they have told suppliers they’re essential to a business service, only to have suppliers shrug it off. It’s shaping up to be a difficult negotiation, with neither side agreeing on who or what is critical. 

When it comes to exit planning, most firms admit it’s still being seen as a tick-box exercise. While contingency plans exist, they’re not always used when things go wrong. In reality, many institutions deal with issues as they arise, rather than relying on detailed business continuity plans. Scenario testing, if it happens at all, tends to be reactive rather than proactive. 

In the scenario where suppliers are deeply embedded into the business, finding an exit strategy becomes even harder. Firms can’t just pull the plug on them without risking major disruption. Firms are left either trying to build in-house alternatives or simply accepting the risk and moving on. 

Many firms are keen to automate their supplier management systems, but the challenge is making sure the information going into these systems is accurate. Until firms fully map their suppliers and understand what’s 'critical', automation won’t solve the underlying issues.

Tools are only as good as the data they’re built on. 

DORA is coming, and financial institutions are still trying to get to grips with it. Although the looming deadline is January 2025, firms are likely to be grappling with these challenges well into 2025 (and possibly even beyond that).  

From confusion over which suppliers are 'critical', to a lack of engagement from suppliers themselves, and the logistical challenge of exit planning – it’s clear that, for most, the road to compliance will be rocky.