Reflecting on DORA: Moving from compliance to resilience

Digital Operational Resilience Act (DORA)

We are fast approaching a year since the Digital Operational Resilience Act (DORA) entered into force, and the financial sector, well ahead of the January 2025 implementation deadline, has been busy aligning its practices and processes to meet the stringent mandates of the new regulation. While many financial entities are on track to achieve and demonstrate compliance with DORA’s requirements for information and communication technology (ICT) risk management, incident reporting, and digital operational resilience testing, a critical question remains: are enhanced, albeit individual, compliance efforts enough to achieve genuine operational resilience?

The systemic view: Beyond individual resilience

Harmonising rules and building on existing practices to strengthen individual firms’ operational resilience is an important aspect of DORA, yet only one of them. The regulation is not merely an updated compliance checklist; regulators are seeking to achieve a far more profound objective: identifying and tackling systemic and concentration risks to the entire financial ecosystem. The lack of Union-level rules and national mandates had previously meant financial supervisors struggled to acquire a good understanding of ICT third-party dependencies and to monitor risks arising from their concentration.

DORA’s ultimate aim is to gather extensive, granular information—including details on service level agreements—from financial entities regarding their third, fourth, and subsequent parties. This comprehensive data is intended to enable regulators to map the extended supply chain ecosystem of the wider financial sector and better understand intricate dependencies. Ultimately, this allows them to identify systemic risks, single points of failure, and security bottlenecks that affect the sector as a whole.

This bird’s-eye view is essential because an incident at a single, widely-used service provider can have a wide-reaching impact on many organisations simultaneously—a systemic risk event. For example, a DDoS attack on a payment processor could disrupt payment processing for numerous financial firms. Furthermore, a security breach further down the supply chain, such as a ransomware attack at a fourth-party SaaS provider, can simultaneously disrupt multiple suppliers which in turn provide services to one or more financial entities. The lack of visibility into such existing dependencies in extended supply chains hinders effective preparedness for potential risk scenarios.

Moving from auditing to collaborating with suppliers

This holistic, sectoral approach is crucial to truly bolster operational resilience, not just for the entire financial sector but, by extension, for individual firms. The lack of visibility into supply chain dependencies beyond third parties is a critical weakness. This is where enhanced collaboration—both with suppliers and industry peers—becomes essential.

While leveraging existing TPRM processes to identify concentration risks is a starting point, focusing solely on one-to-one client-supplier relationships is incomplete. A crucial element is building a more collaborative, less adversarial relationship with suppliers’ security teams. A “collaborate, don’t audit” approach acknowledges that both financial entities and their suppliers share the objective of avoiding and responding well to incidents. Good relationships with suppliers help financial firms gain more accurate information, improve security defences, and deal with incidents more effectively.

Increased supply chain visibility: The key to sectoral and individual resilience

To gain the necessary visibility into fourth-, fifth-, and nth-party risks, firms must understand these downstream interactions and dependencies, particularly for critical services. Understanding these deeper supply chain connections is vital to securing the weakest link and informing decisions.

Systemic concentration risks can only be effectively identified through a comprehensive analysis of the supply chains across the entire sector; however, this is impossible for individual firms to achieve alone. This is where peer collaboration provides unique benefits. Through enhanced collaboration and the sharing of granular data—such as on suppliers, control assessments, and criticality ratings—between TPRM teams, a comprehensive mapping of risks across the broader financial services sector can emerge. This allows financial institutions to gain a deeper understanding of supplier relationships and assess the wide-scale operational impact of a disruption at a critical ICT third party. They can then collaboratively triage, prioritise, and develop targeted mitigation strategies for these risks.
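To make the point about nth-party concentration concrete, the following added example (not code from the article or from Risk Ledger) builds a dependency graph from a small, constructed set of firm-to-supplier and supplier-to-supplier records and then walks it in reverse to find which financial entities are transitively exposed to each provider. All entity and provider names are hypothetical. A one-to-one view counts only direct customers; the transitive view is what reveals a fourth-party provider that no firm contracts with directly yet which, if disrupted, would affect most of the sector in the sample.

```python
from collections import defaultdict

# Constructed sample records: (dependent, provider). Dependents can be
# financial entities or providers that themselves rely on other providers,
# so the graph captures third-, fourth- and fifth-party links.
SAMPLE_DEPENDENCIES = [
    ("BankA", "PayProc"),
    ("BankB", "PayProc"),
    ("BankC", "CloudHostX"),
    ("InsurerD", "CoreBankVendor"),
    ("BankA", "CoreBankVendor"),
    ("PayProc", "CloudHostX"),          # third party depends on a fourth party
    ("CoreBankVendor", "CloudHostX"),
    ("CloudHostX", "DnsSaaS"),          # fifth party: no firm contracts it directly
    ("PayProc", "DnsSaaS"),
]
FINANCIAL_ENTITIES = {"BankA", "BankB", "BankC", "InsurerD"}


def build_reverse_graph(edges):
    """Map each provider to the set of parties that depend on it directly."""
    graph = defaultdict(set)
    for dependent, provider in edges:
        graph[provider].add(dependent)
    return graph


def affected_entities(reverse_graph, provider, entities):
    """Walk dependents of `provider` transitively; return the financial
    entities whose services would be impacted by its disruption."""
    seen, stack, impacted = set(), [provider], set()
    while stack:
        node = stack.pop()
        for dependent in reverse_graph.get(node, ()):
            if dependent in seen:
                continue
            seen.add(dependent)
            if dependent in entities:
                impacted.add(dependent)
            stack.append(dependent)
    return impacted


def concentration_report(edges, entities, threshold):
    """For every provider, compare the direct customer view with the
    transitive view and flag those whose failure would hit >= threshold
    financial entities (a sector-level concentration risk)."""
    reverse_graph = build_reverse_graph(edges)
    providers = {provider for _, provider in edges}
    report = {}
    for provider in sorted(providers):
        direct = sorted(reverse_graph[provider] & entities)
        transitive = sorted(affected_entities(reverse_graph, provider, entities))
        report[provider] = {
            "direct": direct,
            "transitive": transitive,
            "concentration_risk": len(transitive) >= threshold,
        }
    return report


def hidden_concentration_risks(report, threshold):
    """Providers flagged as concentration risks that a purely one-to-one
    (direct customer) view would have missed."""
    return sorted(
        provider
        for provider, row in report.items()
        if row["concentration_risk"] and len(row["direct"]) < threshold
    )


if __name__ == "__main__":
    rpt = concentration_report(SAMPLE_DEPENDENCIES, FINANCIAL_ENTITIES, threshold=3)
    for provider, row in rpt.items():
        print(f"{provider:15} direct={len(row['direct'])} "
              f"transitive={len(row['transitive'])} risk={row['concentration_risk']}")
    print("missed by direct view:", hidden_concentration_risks(rpt, threshold=3))
```

In the sample, PayProc and CoreBankVendor each serve two firms directly and look unremarkable, while CloudHostX (one direct customer) and DnsSaaS (none) both reach all four firms transitively. Only the pooled, multi-tier data makes that visible, which is the sector-wide mapping the paragraph above argues for.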

Similar to the established sharing of threat intelligence, enhanced peer collaboration around supplier intelligence would allow TPRM teams to identify potential risks they were previously unaware of, gaining enhanced visibility into both individual and systemic risks. This collective effort to map the supply chain goes above and beyond what DORA may explicitly require, but would directly enhance an organisation’s own operational resilience and aid regulators in their ultimate aim of identifying systemic risks facing the entire sector.

While achieving individual compliance with mandates under regulations like DORA lays the groundwork for resilience, achieving a truly robust and resilient financial ecosystem requires a cultural shift towards collaboration throughout the industry. It is only through this enhanced collaboration that the broader, systemic vision of DORA—identifying single points of failure and securing the entire financial ecosystem—can be realised, strengthening not just the resilience of the entire financial sector, but in turn the operational resilience of every participating firm.

Justin Kuruvilla, Chief Cyber Security Strategist at Risk Ledger

Justin Kuruvilla

Justin Kuruvilla is Chief Cyber Security Strategist at Risk Ledger. Prior to joining Risk Ledger, Justin supported the US Government in cyber security, working as a technical director for cyber security operations at the US Department of Defense (DoD), which included a secondment to the UK National Cyber Security Centre. Most recently, he advised senior executives of top global corporations and investment firms on enhancing their management of cyber risk.
