Caught in the middle: why DORA means tough times for Procurement

ISO 27001, SOC 2 and HIPAA certificates filed as DORA evidence answer a different question than the one DORA asks. — Alexander Ant, Abstract background of bright paints

Gleb Etinzon, DORA Consultancy.
A boutique consultancy addressing complex regulatory requirements in a pragmatic way. London, UK.

ISO 27001, SOC 2, and HIPAA walk into a DORA audit. None of them walks out. This can be the start of a funny joke, but it is the actual and tragic reality.

I had a call with a procurement person at one of the world's largest insurance companies, and the topic was operational resilience in one of their business units. Apparently, the SOC 2 certification is a prerequisite set by their compliance team for many of their ICT suppliers. My facial expression probably disclosed my feelings much faster than is appropriate for this type of conversation, but I followed up anyway to check whether there was a rationale that might be misunderstood.

There wasn’t one.

The criteria?

For many years, certification frameworks were designed to answer the question “Does this organisation have reasonable security controls?” ISO 27001 is control-based and largely self-attested against a scope defined by the organisation itself. SOC 2 is a point-in-time report for a commercial audience in the US, not for the EU regulators, and its Trust Services Criteria don’t address concentration risk, exit strategies, or ICT third-party registers at all. HIPAA is a US healthcare privacy regime that says nothing about operational resilience in any meaningful sense, even for the health-related systems.

Another side is legal: there were no publicly published judgments in which a company successfully sued a supplier for non-compliance with their certifications. Having another clause in a legal agreement covers nothing in practice, especially because of the limitation of liability, exclusion of consequential loss, indemnity caps tied to fees paid, and entire-agreement clauses that kill most B2B claims before they’re worth bringing.

ISO 27001 certifies that an ISMS exists and is operating; it doesn’t warrant that no incident will occur. SOC 2 Type II is a point-in-time attestation by the auditor about controls, not a guarantee. Neither framework is structurally guaranteed. ISO explicitly states that it does not perform certification itself and that certification only attests to conformity with a management system standard at a point in time. SOC 2 is, by the AICPA’s own structure, an attestation engagement producing an auditor’s opinion on controls — not a certification, not a pass/fail, and (for SOC 1 and SOC 2) a use-restricted report intended for specified user entities.

The ‘not a guarantee’ framing is the orthodox reading of these structures by audit firms and counsel, rather than something either body says in those exact words.

DORA asks a fundamentally different question: “Can this organisation, and its critical suppliers, keep operating through a severe-but-plausible disruption, and prove it with evidence the regulator can verify?” Those are not the same question, and passing the first does not even partially answer the second. All those frameworks are the opposite of DORA’s prescriptive testing regime, and their appearance in DORA conversations is a category error that reveals the firm hasn’t read either regulation carefully.

I would expect the financial entity subject to DORA compliance to separate a cancer diagnosis from a runny nose, but my expectations often crash against reality.

Someone, probably senior enough to make decisions, made such a determination for the whole organisation, published it both internally and externally, and nobody ever challenged it. Beyond wrong business judgement, there are real implications for many areas, including, you can guess, the operational resilience and associated cost, which is not trivial.

Is there any practical way to manage this?

Third-Party Risk Management (TPRM), which is an allegedly heavily audited regulatory pillar for European financial entities. Under this framework, firms are legally required to:

Map their dependencies: maintain comprehensive, detailed registers (the “Register of Information”) documenting every active ICT service provider and the exact services they deliver.
Assess criticality: explicitly identify which third-party vendors support “critical or important functions” (CIF).
Enforce contractual standards: ensure all vendor Service Level Agreements (SLAs) and contracts contain mandatory DORA provisions. This includes defined exit strategies, guaranteed access and audit rights, and strict incident-reporting timelines.
Monitor concentration risk: actively track sub-outsourcing (fourth-party risk) to ensure the institution isn’t systemically vulnerable to the failure of a single dominant provider or a specific cloud region.

A common misconception in corporate governance is that achieving ISO 27001 certification or receiving a clean SOC 2 Type II report makes an organisation immune to cyber disasters. The most obvious is that having a certification will not make any organisation more secure, ask Capita, EquiLend and Finastra. Some, like ION, are beating their chests about the importance of security certifications, but for some reason, they are not certified themselves. Not that it helped ION from being hacked. Many more financial entities were affected by the SolarWinds hack as their supplier, which held those certifications. Maybe a reason that you can buy the certificate for less than $5,000 nowadays?

But the biggest victims of this approach are the procurement teams, who love certifications because they turn a hard question (“Is this supplier safe?”) into an easy one (“Do they have the badge?”). Every procurement team in Europe is currently receiving ISO 27001 and SOC certificates from suppliers and filing them as “DORA evidence.” They are wrong to do this, and while some of them already suspect it, the inertia and guidelines will prevail.

In recent years, procurement teams have shifted from evaluating vendors strictly on cost and service-level agreements (SLAs) to risk-management hubs, and some have been more successful than others.

It is the same procurement team that suddenly owns:

Article 30 contract remediation across hundreds to thousands of contracts
Sub-outsourcing chain elicitation from large providers who don’t want to disclose
Audit-right exercise execution against hyperscalers (impractical bilaterally, achievable through pooled audit)
Exit strategy artefacts that need to be tested, not just written
The CTPP designation list as input to the portfolio shape
The RoI as a downstream artefact of the contract estate

Unfortunately, due to the complexity of risk management as a discipline, most remain immature and require a baseline definition of risk from compliance and legal teams. The typical range of third-party suppliers in my own delivery experience across the industry ranges from approximately 10-100 for small investment funds, 200-500 for a small bank, and the largest universal banks typically run vendor populations in the thousands, where the critical number from them moves in the opposite direction: ~10% for large companies and ~30-40% for small ones.

In addition, procurement teams lack resources. US TPRM survey data (per Ncontracts¹, which offers a product in this space) show that 73% of financial institutions operate with two or fewer FTEs managing vendor risk while overseeing 300+ vendors; the European picture is unlikely to be materially better. This creates a real bottleneck in evaluating supplier risk.

The larger entities are seeking dedicated DORA TPRM roles inside procurement teams to cover areas that they are now operationally accountable for, things that didn’t sit in procurement before: exit strategy execution, audit-right exercise against hyperscalers, sub-outsourcing chain visibility under the new RTS, the new Regulatory Technical Standard on subcontracting (EU 2025/532)², and Article 30 mandatory clause coverage across the contract estate. The role is usually at the senior manager or director level rather than at the analyst level, with a dotted-line relationship to the operational risk or CISO function. This dotted-line structure works because it gives the procurement specialist both operational authority and visibility into the risk function. In the UK, it also provides the required coverage to meet the SS1/21³ requirements set by the Bank of England (on operational resilience for banks and building societies). The smaller companies do not have such a luxury at all.

When the compliance or legal team sets the wrong bar, the organisation gets it wrong too: the “send me your SOC 2, and we’re done” workflow is now a liability, not a control.

And trying not to forget about lovers of security questionnaires, or more “advanced” platforms, which are the same problem in a SaaS subscription wrapper. No, you are not that different, and you have the same issues as everyone else.

The checkbox culture and this compliance theatre don’t help anybody. Organisations will not be more resilient, suppliers will not invest beyond the bare minimum, regulators will not meet their noble objectives, and the public will suffer.

The procurement criteria didn’t change in any meaningful way. DORA added clauses to the contract template and added a register to maintain. It didn’t change how the financial entities select, qualify, or oversee suppliers. The decision criteria are the same as those in the EBA 2019 Outsourcing Guidelines: price, fit, incumbent inertia, and relationship, with a checkbox layer bolted on top.

A financial entity, regardless of its size, won’t push back on a Microsoft or AWS DORA addendum (because there’s no negotiating power and the legal cost-to-impact ratio is hopeless), but it also won’t do anything substantive with its smaller critical suppliers. The pattern is:

Large hyperscaler: accept the standard addendum, file it, move on. This means the financial entity will have to sign up to terms drafted to protect the hyperscaler, and its ability to push back on incident notification timelines, audit cooperation and liability is essentially zero.
Mid-size critical supplier (core banking vendor, claims platform, specialist data provider): send a questionnaire, get answers back, file them, move on. In the best-case scenario, the questionnaire will be answered by the supplier’s engineering team rather than by anyone with operational accountability, but still, no independent verification, generic evidence and a lot of hope.
Long tail of non-critical: tick the Article 30 generic clauses into the MSA template, move on. This also means the contractual obligations exist on paper, but the supplier doesn’t have a DORA programme to implement them, and no one on either side has read the relevant clauses since signing.

As a result, outsourced entities have a higher CIF density, unmanageable concentration, and lack a real exit strategy.

How to address this challenge?

The answer is audit, real, with high blood pressure, sleepless nights and nightmares after. The audit with boots-on-site, sample-tested controls, evidence of recovery testing, and walked-through incident playbooks, which isn’t happening yet.

Neither is a pooled audit, because it requires a coordinator and a willing supplier, and a financial entity won’t fund the coordinator alone and isn’t large enough to compel a supplier to participate.

This should be addressed by proper (not a paper-ticking exercise) third-party assurance, with independent third-party reports, and driven by a similar pattern of CCTP supervisory cooperation. The financial entity can accept SOC 2 Type II / ISO 27001 reports, but they need to be carefully mapped to the specific financial entity’s scope of service, rather than accepting a generic corporate-level certificate. The pooled audits are still a good approach, if you can agree on one, but still require the scope design to meet the specific financial entity’s service.

Well, it is definitely an unpopular opinion and unlikely to happen until someone suffers material harm due to a lack of resilience or negligence. Yes, the chances of this happening in the financial industry are much lower than in the health or energy sectors. However, if a major bank does not survive an incident and its customers lose money, the impact will be severe. The financial part will look minor as the government will pay, and the financial entity will pay fines which they cannot recoup from the supplier. The regulator will be all over you, waving their hands around and showing your DORA compliance annual report, which someone proudly signed off on.

This someone will definitely have sleepless nights, probably will lose his job, and is unlikely to find another one. The compliance team will put the finger on the procurement team, mainly because they can’t blame the legal department.

Unfortunately, it will be too late, again.

The supplier knows this. The bank knows this. The regulator probably knows this too, but isn’t sanctioning it yet. There are also no known cases where a legal clause prevented a hacker from breaking into a system, probably because the message hasn’t come through yet.

DORA specifically demands real actions with real impact, and procurement functions that don’t adapt will become the single biggest source of their employer’s regulatory exposure. The practical reality is that DORA fundamentally changes TPRM and procurement activities, meaning that ‘assurance theatre’ wrapped around legacy procurement criteria is no longer acceptable. The artefacts exist (RoI, addenda, questionnaires, and exit strategies on paper), but the underlying supplier oversight discipline hasn’t shifted. That gap is what supervisors will eventually start probing, and the question is when and how punitively.

Please reach out to the team to address those issues pragmatically.

Ready to discuss your DORA compliance challenges?

Our team of experienced consultants is here to help.

Get in Touch