By Justin Kuruvilla, Chief Cyber Security Strategist at Risk Ledger

When the Digital Operational Resilience Act (DORA) was introduced, much of the initial focus naturally centred on compliance. Financial institutions moved quickly to align internal processes and governance frameworks with the new rules, ensuring they met regulatory expectations. But DORA was never just about ticking boxes. At its core, it represents a shift in mindset, from safeguarding individual firms to protecting the stability of the entire financial ecosystem. Regulators are seeking to uncover and address the systemic risks that arise from deep interconnections and shared dependencies across the sector. True resilience will come not from isolated compliance efforts, but from collective visibility, collaboration and trust across the whole industry.
The next phase of resilience
Harmonising rules and building on existing practices to strengthen individual firms’ operational resilience is important, but it is only one aspect of DORA. The regulation is not merely an updated compliance checklist: regulators are pursuing a far more profound objective, identifying and tackling systemic concentration risks across the entire financial ecosystem. Before DORA, the absence of Union-level rules and national mandates meant that financial supervisors struggled to build a good understanding of ICT third-party dependencies or to monitor the risks arising from their concentration.
DORA’s aim is to gather extensive, granular information from financial entities about their third, fourth and subsequent parties, including details of the relevant service level agreements. This comprehensive data is intended to enable regulators to map the extended supply chain of the wider financial sector and to understand its intricate dependencies. That, in turn, allows them to identify systemic risks, single points of failure and security bottlenecks that affect the sector as a whole.
This bird’s-eye view is essential because an incident at a single, widely used service provider can hit many organisations simultaneously: a systemic risk event. For example, a DDoS attack on a payment processor could disrupt payment processing for numerous financial firms at once. A breach further down the supply chain, such as a ransomware attack at a fourth-party SaaS provider, can likewise disrupt several suppliers at the same time, each of which provides services to one or more financial entities. Without visibility into these existing dependencies in the extended supply chain, firms cannot prepare effectively for such scenarios.
From audits to active supplier collaboration
This holistic, sectoral approach is crucial to truly bolster operational resilience, not just for the financial sector as a whole but, by extension, for individual firms. The lack of visibility into supply chain dependencies beyond direct third parties is a critical weakness. This is where enhanced collaboration, both with suppliers and with industry peers, becomes essential.
Leveraging existing third-party risk management (TPRM) processes to identify concentration risks is a starting point, but focusing solely on one-to-one client-supplier relationships is incomplete. A crucial element is building a more collaborative, less adversarial relationship with suppliers’ security teams. A “collaborate, don’t audit” approach acknowledges that financial entities and their suppliers share the same objective: avoiding incidents and responding well when they do occur. Good relationships with suppliers help financial firms obtain more accurate information, improve security defences and deal with incidents more effectively.
Enhancing supply chain visibility to strengthen resilience
To gain the necessary visibility into fourth-, fifth- and nth-party risks, firms must understand these downstream interactions and dependencies, particularly for critical services. Understanding these deeper supply chain connections is vital to securing the weakest link and to making informed risk decisions.
Systemic concentration risks can only be identified effectively through a comprehensive analysis of supply chains across the entire sector, and that is impossible for any individual firm to achieve alone. This is where peer collaboration provides unique benefits. Through the sharing of granular data between TPRM teams, such as supplier lists, control assessments and criticality ratings, a comprehensive map of risks across the broader financial services sector can emerge. This allows financial institutions to gain a deeper understanding of supplier relationships and to assess the sector-wide operational impact of a disruption at a critical ICT third party. They can then collaboratively triage, prioritise and develop targeted mitigation strategies for these risks.
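The mapping described above can be made concrete. The following is an added, self-contained example (not Risk Ledger code and not a method DORA prescribes) of how pooled dependency data might be analysed: it builds a dependency graph from constructed records of who relies on whom, propagates a hypothetical outage upward along critical-service edges only, and ranks every supplier by the share of financial entities it would take down. It also flags fourth-and-deeper parties whose reach matches or exceeds that of the largest direct third party, which is exactly the concentration a firm mapping only its own third parties would never see. All entity and supplier names, the tier convention (third party = direct supplier, fourth party = supplier of a supplier) and the 50% threshold are assumptions chosen for the illustration.

```python
"""Transitive supply-chain concentration analysis (added example with constructed data)."""
from collections import defaultdict, deque

# Constructed sample records: (dependent, supplier, service, critical).
# "FE-*" are hypothetical financial entities; the rest are hypothetical suppliers.
DEPENDENCIES = [
    ("FE-Alpha", "PayProc", "card payment processing", True),
    ("FE-Beta", "PayProc", "card payment processing", True),
    ("FE-Gamma", "PayProc", "card payment processing", True),
    ("FE-Alpha", "CoreBank", "core banking platform", True),
    ("FE-Beta", "CoreBank", "core banking platform", True),
    ("FE-Gamma", "LedgerSoft", "core banking platform", True),
    ("FE-Alpha", "HRSaaS", "payroll", False),
    ("PayProc", "CloudNorth", "hosting", True),
    ("CoreBank", "CloudNorth", "hosting", True),
    ("LedgerSoft", "CloudNorth", "hosting", True),
    ("HRSaaS", "CloudEast", "hosting", False),
    ("CloudNorth", "DNSCo", "authoritative DNS", True),
]
FINANCIAL_ENTITIES = {"FE-Alpha", "FE-Beta", "FE-Gamma"}


def build_graph(deps):
    """Return (dependents, suppliers): dependents[s] lists (dependent, critical)
    pairs hit if s fails; suppliers[d] lists the suppliers d relies on."""
    dependents, suppliers = defaultdict(list), defaultdict(list)
    for dependent, supplier, _service, critical in deps:
        dependents[supplier].append((dependent, critical))
        suppliers[dependent].append(supplier)
    return dependents, suppliers


def affected_entities(dependents, start, entities):
    """Financial entities whose critical services fail if `start` has an outage.
    The outage propagates only across edges marked critical: a non-critical
    service (payroll SaaS here) does not take its customer down."""
    seen, queue, hit = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        for dep, critical in dependents.get(node, ()):
            if critical and dep not in seen:
                seen.add(dep)
                queue.append(dep)
                if dep in entities:
                    hit.add(dep)
    return hit


def supplier_tier(suppliers, entities, target):
    """Tier of `target` relative to the financial entities: 3 = direct third
    party, 4 = fourth party, and so on (assumed convention); None if unreachable."""
    best = None
    for fe in entities:
        dist, queue = {fe: 0}, deque([fe])
        while queue:
            node = queue.popleft()
            for s in suppliers.get(node, ()):
                if s not in dist:
                    dist[s] = dist[node] + 1
                    queue.append(s)
        if target in dist and (best is None or dist[target] < best):
            best = dist[target]
    return None if best is None else best + 2


def concentration_report(deps, entities):
    """One row per supplier, ranked by the share of entities an outage would hit."""
    dependents, suppliers = build_graph(deps)
    rows = []
    for supplier in dependents:
        hit = affected_entities(dependents, supplier, entities)
        rows.append({
            "supplier": supplier,
            "tier": supplier_tier(suppliers, entities, supplier),
            "entities_affected": sorted(hit),
            "share": len(hit) / len(entities),
        })
    rows.sort(key=lambda r: (-r["share"], r["tier"] or 99, r["supplier"]))
    return rows


def hidden_concentrations(report, min_share=0.5):
    """Fourth-and-deeper parties whose outage hits at least min_share of the
    entities. Mapping direct third parties alone would never surface these."""
    return [r for r in report
            if r["tier"] is not None and r["tier"] >= 4 and r["share"] >= min_share]


if __name__ == "__main__":
    report = concentration_report(DEPENDENCIES, FINANCIAL_ENTITIES)
    for r in report:
        print(f"{r['supplier']:<11} tier {r['tier']}  {r['share']:>5.0%}  {r['entities_affected']}")
    print("hidden concentration:", [r["supplier"] for r in hidden_concentrations(report)])
```

On the constructed data the direct third party PayProc and the fourth party CloudNorth each reach every entity, and the fifth party DNSCo does too through CloudNorth; the hosting provider CloudEast reaches none because the only service running on it is non-critical. The design choice worth noting is that criticality is a property of the edge, not the supplier: the same hosting provider is a systemic dependency for one customer and irrelevant for another, so the analysis needs the criticality rating each firm assigns, which is precisely the granular data the paragraph above argues TPRM teams should pool.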
Like the established sharing of threat intelligence, peer collaboration around supplier intelligence would allow TPRM teams to identify risks they were previously unaware of, giving them visibility into both individual and systemic exposures. This collective effort to map the supply chain goes beyond what DORA explicitly requires, but it would directly strengthen an organisation’s own operational resilience and support regulators in their aim of identifying the systemic risks facing the entire sector.
As the financial sector moves beyond compliance checklists toward true operational resilience, DORA offers a catalyst for a more connected and transparent ecosystem. The regulation’s intent reaches far beyond risk mitigation; it encourages a shared responsibility model where visibility, collaboration and trust between firms, suppliers and regulators become standard practice. Building this collective resilience will not only safeguard against systemic shocks but also foster a stronger, more agile financial sector that can continue to evolve with technological and market change.
