DORA and the Supply Chain Reckoning: Rethinking Third-Party Risk for a Resilient Financial Sector
By Anne Leslie, Cloud Risk & Controls Leader, Europe
The Digital Operational Resilience Act (DORA) is more than a regulatory milestone—it’s a mirror reflecting the financial sector’s digital dependencies. Fully applicable across the EU since January 2025, DORA is forcing institutions to confront an uncomfortable truth: the resilience of their supply chains is only as strong as the weakest link they barely see.
Operational resilience has never been just a technology issue—it’s a core business capability. DORA makes that crystal clear: you can outsource a service, but you can’t outsource the risk. Nowhere is that more obvious than in its treatment of ICT third parties. These aren’t peripheral vendors; they’re embedded in your operating model. When they stumble, you stumble. That’s the reality DORA puts front and centre.
The Challenge: Complexity, Contracts, and Concentration
Third-party risk management under DORA is proving to be one of the most demanding aspects of implementation. Financial entities are expected to:
Map ICT dependencies, including subcontractors and “nth parties” buried deep in the stack.
Refresh contracts to reflect obligations around audit rights, exit strategies, and resilience measures.
Keep an eye on concentration risk—avoiding over-reliance on a single provider or small cluster.
Prepare for the direct oversight of critical ICT providers by European Supervisory Authorities (ESAs).
None of this is straightforward. Many firms are still working to gain meaningful visibility into complex supply chains. For global providers, subcontractor transparency can be challenging. For smaller firms, the resource burden of contract remediation is significant. And for everyone, the risk of non-compliance is real—especially given that some technical standards landed late in the process.
Vendors Are Adapting—But at Different Speeds
DORA is also changing the tone of conversations with vendors. For years, large technology providers have operated from a position of strength, setting the terms of engagement. Now, with regulatory obligations flowing through to their services, we’re seeing a shift:
More openness to contractual dialogue—audit rights, exit clauses, and resilience commitments are now part of the conversation.
Investment in compliance artefacts—from standardised reporting packs to resilience testing evidence.
Early signs of shared testing—critical providers are beginning to engage in sector-wide exercises, recognising that resilience is a shared outcome.
Not every provider is moving at the same pace. Some are approaching this as a compliance exercise, while others are leaning in—embedding transparency and resilience into their operating model and making it easier for clients to demonstrate compliance without friction.
Here’s the truth: DORA doesn’t require your ICT provider to be a joy to work with—that’s optional. But in a market where trust and transparency influence buying decisions, being easy to do business with isn’t just good manners; it’s a competitive advantage.
Take IBM Cloud for Financial Services as an example. It’s not just about offering infrastructure; it’s about embedding controls, contractual clarity, and resilience testing into the platform so clients can operationalise compliance without reinventing the wheel. And it’s not happening in isolation—the IBM Financial Services Cloud Council, which brings together leading banks, insurers, and fintechs, has been instrumental in shaping these capabilities. That kind of collaborative governance is what leaning in looks like: helping clients meet regulatory expectations while enabling them to innovate with confidence.
From Fragmentation to Collaboration
The real opportunity lies in moving beyond bilateral negotiations towards collective solutions. DORA sets the stage, but it doesn’t prescribe the playbook for collaboration. That’s where industry can lead.
The UK’s Cross Market Operational Resilience Group (CMORG) offers a glimpse of what’s possible. By bringing together banks, insurers, market infrastructures, and regulators, CMORG has created a forum for co-designing resilience capabilities—co-ordinated incident response, shared threat intelligence, and joint testing scenarios.
An EU equivalent could do the same: harmonise expectations, reduce duplication, and build trust between financial entities and critical ICT providers. Systemic risk crosses borders; resilience strategies need to do the same.
What Good Might Look Like
There’s no single blueprint, but a few themes are emerging across the industry:
End-to-end visibility—not just your direct vendors, but their subcontractors and dependencies.
Contractual clarity—language that makes resilience obligations real, not aspirational.
Risk-based oversight—proportionality matters; focus where the impact is greatest.
Scenario testing with suppliers—moving beyond tabletop drills to exercises that reflect real-world complexity.
Collaborative governance—leaning into forums and mechanisms that let the sector learn faster together.
Looking Ahead
DORA is a wake-up call, but also an opportunity. It challenges us to confront systemic risks embedded in digital supply chains—and to do so in a way that builds confidence, not just compliance.
The real question: will we keep managing third-party risk in silos, or start acting like the interconnected ecosystem we already are? Resilience isn’t just a regulatory requirement—it’s a shared responsibility, and for those who get it right, a competitive advantage.