7. DORA, MNB, GDPR: sourcing in regulated industries

Regulatory expectations in sourcing

In the financial sector and other regulated industries, regulatory expectations for sourcing processes set specific requirements for supplier selection, risk assessment, and documentation.

DORA: managing ICT suppliers

The Digital Operational Resilience Act (DORA) applies from January 2025 in the EU financial sector. For sourcing, this means that for every ICT supplier:

  • A documented risk assessment is mandatory before contracting
  • Security practices and business continuity must be assessed
  • Records must be kept of all ICT service providers
  • An exit strategy must already be documented in the sourcing phase

Fluenta One Sourcing supports these requirements: DORA-specific criteria can be built into the questionnaire, the evaluation matrix can weight risk factors, and every decision is documented and traceable.

MNB expectations

The Hungarian National Bank's Recommendation No. 7/2020 applies to domestic financial institutions. The essence:

  • Risk analysis must be performed for all external service providers—not just critical ones
  • Board approval is required for strategic outsourcing
  • Risk assessments must be reviewed annually

Other regulations

Regulation                  | Scope                    | Sourcing relevance
EBA guidelines (GL/2019/02) | EU credit institutions   | Outsourcing rules
NIS2                        | Critical infrastructure  | Supply chain security
GDPR                        | Personal data processing | Data processor contracts

Fluenta One supports these as well: data handling is GDPR-compliant, the audit log is immutable, and version tracking ensures complete traceability.

Documentation and traceability

The foundation of regulatory compliance is traceability. Fluenta One's tracking log records:

  • Who did what in the system and when
  • Every version of every document
  • Every decision and its justification
  • All communication

The log is immutable: it cannot be deleted or modified retroactively.

Version tracking

If tender conditions change—new specification, modified deadline, supplemented questionnaire—the system records the change, and participants receive notification. This is particularly important in disputed situations: if a supplier claims they submitted a proposal based on different conditions, version tracking clearly shows what was in effect at the time of proposal submission.