
DORA Is Here: What It Means for Your Vendor Risk Program

Rusha
Founder, Garnet AI
March 8, 2026

DORA Changes Everything for Third-Party Risk

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied since January 17, 2025. It is the EU's most significant regulation for ICT third-party risk management, and it applies to financial entities authorised in the EU regardless of where their ICT providers are based.

Who Does DORA Apply To?

DORA covers, among others:

  • Credit institutions (banks)
  • Insurance and reinsurance undertakings
  • Investment firms
  • Payment and electronic money institutions
  • Crypto-asset service providers
  • And critically: the ICT third-party providers that serve them. Providers designated as critical fall under direct oversight by the European Supervisory Authorities; all others are reached indirectly, through the contractual and due-diligence obligations DORA places on their financial-entity customers.

The Key Requirements

Article 28 — General Principles of ICT Third-Party Risk Management requires financial entities to:

  • Maintain a register of information covering all contractual arrangements for ICT services
  • Conduct due diligence assessments before entering into contracts, including identifying whether the service supports a critical or important function
  • Monitor the risk profile of ICT providers on an ongoing basis, not just at onboarding
  • Maintain documented exit strategies for ICT services that support critical or important functions

Article 30 — Key Contractual Provisions mandates specific clauses in ICT contracts covering:

  • Service level descriptions
  • Data processing locations
  • Audit and access rights
  • Subcontracting conditions
  • Termination rights

What This Means in Practice

For most organizations, DORA means:

  • More vendors to assess: The definition of "ICT third-party provider" is broad
  • Deeper assessments: Surface-level reviews won't satisfy regulators
  • Continuous monitoring: One-time assessments are no longer sufficient
  • Documentation requirements: Full audit trails of every assessment decision

The Capacity Problem

Here's the math: if you have 200 ICT vendors, each assessment takes 40 hours, and every vendor is reassessed annually, that's 8,000 hours per year. At roughly 1,800 working hours per person, that is about 4.4 full-time employees doing nothing but reading compliance documents.

Most organizations don't have that capacity. The result? Rushed assessments, missed exceptions, and regulatory risk.

How Garnet AI Helps

Garnet reduces assessment time by 90% while improving exception detection rates. Our proprietary AI engine:

  • Reads and parses compliance documents in seconds
  • Cross-references against DORA-specific requirements
  • Flags exceptions with specific document citations
  • Generates audit-ready verification reports

DORA compliance isn't optional. But spending 40 hours per vendor assessment should be.
