Defending DORA: New approaches to securing financial services

"Through collaboration, financial entities can go beyond compliance and join forces to create a stronger, more resilient supply chain."


As digital transformation in financial services gains pace, organisations must look to strengthen their cyber defences to reduce potential threats and risks. Dependence on critical third-party providers is a particular challenge in the finance sector, increasing the risk of supply-chain attacks.

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the financial sector’s ability to handle disruptions and threats. With supply chains becoming more interconnected and the threat of cyberattacks on suppliers increasing, the regulation champions a collaborative approach to cyber security.

DORA and similar regulations address the ongoing challenges faced by the financial services sector while promoting a forward-thinking approach to cybersecurity built around key values of transparency and collaboration.

Rather than being just a regulatory tick box, DORA collects data from financial organisations and their suppliers, allowing regulators to map supply chain dependencies across the system and identify systemic risks that individual entities might not see. Since its inception at the beginning of this year, DORA has already helped to create cybersecurity governance that balances both security and resilience.

With DORA guiding the way, organisations can shift from simply reacting to cyber threats to a more proactive approach. By putting robust measures in place to detect and address risks as early as possible, organisations can protect their assets while also building a stronger relationship with their partners and suppliers. 

The gaps in conventional practices

A DORA timeline from the European Securities and Markets Authority (ESMA)

Traditional third-party risk management (TPRM) approaches are often manual, static, and point-in-time - providing only a snapshot of a supplier’s security posture at the time of assessment. With reviews occurring annually or less frequently, organisations lack real-time visibility into emerging risks. DORA addresses this gap by mandating continuous monitoring capabilities, enabling financial entities to obtain more accurate and timely risk assessments of their suppliers.

Addressing these traditional limitations in TPRM supports a fundamental goal of DORA: to “uncover systemic concentration risks that could threaten the stability of the financial sector”. Regulators require financial entities to submit Registers of Information that capture a variety of operational details, including, to the best of the entity's ability, the critical business functions outsourced across the supply chain. Supervisory authorities hope this information will allow them to identify systemic risks at the fourth-party level and beyond.

However, simply complying with this requirement and waiting for regulatory insights is a reactive approach. It is unclear when regulators will complete this analysis and communicate their findings. Meanwhile, financial entities remain exposed to risks that exist beyond their direct visibility of third-party relationships. Proactively identifying and mitigating these risks is essential, and collaboration is the only way to accomplish this.

Mitigating unseen threats

An EU guide to the areas that are regulated by DORA

To effectively manage these risks, financial entities must proactively uncover hidden dependencies within their supply chains and identify previously unaccounted-for risks. A narrow focus on direct suppliers is no longer sufficient – systemic risks can ripple across the sector, impacting stability and resilience. By assessing the broader implications of disruptions, organisations can gain a more comprehensive view of potential vulnerabilities.

Additionally, scenario planning is essential. Financial institutions must evaluate how cyber threats, operational failures, or disruptions from third and fourth-party suppliers could impact their business. These proactive strategies not only enhance resilience but also position firms to respond swiftly to emerging threats.

Mapping critical suppliers and assessing their interdependencies can reveal hidden systemic risks, enabling informed decision-making. This may involve restructuring supplier relationships to mitigate exposure, or determining that a risk falls within the risk tolerance set by the board. True resilience requires more than just regulatory compliance; it demands proactive collaboration across the entire financial sector. By collectively mapping supply chains and sharing risk intelligence, financial institutions can anticipate threats before regulators do.

Strength in collaboration 

Eurocrats have been on a regulatory spree for many years now. In addition to DORA, the Network and Information Systems Directive 2 (NIS2), which enhances security in 18 critical sectors, was transposed into national law in October 2024. PSD3 and PSR1 are also in the pipeline. These rules follow up on PSD2, the directive that created open banking in Europe, and will modernise EU payment services on an as yet unclear implementation timeline.

Combining supply chain data from multiple financial entities helps uncover concentration risks that might be overlooked when analysed separately. By integrating supply chain maps, businesses can pinpoint dependencies that expose them to significant risk. Similarly, assessing concentration risks at an industry level helps prevent excessive reliance on a single supplier, reducing the likelihood of widespread disruptions.  
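As an added illustration of the mapping described above (example code, not from the article or from Risk Ledger), the following Python merges constructed supplier registers from several hypothetical financial entities with a hypothetical sub-outsourcing map, then reports which providers the group as a whole is concentrated on. All entity and supplier names are made up; the point is that a fourth party such as the data centre appears in nobody's direct-supplier view yet carries most of the sector's dependency.

```python
from collections import defaultdict

# Constructed sample: each entity's Register of Information reduced to the
# direct (third-party) suppliers it reports for critical functions.
REGISTERS = {
    "BankA": ["CloudCo", "PayGateway"],
    "BankB": ["HostingLtd", "PayGateway"],
    "InsurerC": ["CloudCo", "KYCVendor"],
    "BrokerD": ["HostingLtd"],
}

# Constructed sub-outsourcing map: what each supplier itself relies on
# (fourth parties and beyond). Hypothetical names throughout.
SUBCONTRACTS = {
    "PayGateway": ["CloudCo"],
    "HostingLtd": ["DataCentreX"],
    "KYCVendor": ["DataCentreX"],
    "DataCentreX": ["CloudCo"],
}


def transitive_providers(direct, subcontracts):
    """Every provider an entity depends on at any tier (cycle-safe walk)."""
    seen, stack = set(), list(direct)
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(subcontracts.get(provider, []))
    return seen


def concentration(registers, subcontracts):
    """Merge all registers: provider -> entities depending on it at any tier."""
    dependents = defaultdict(set)
    for entity, direct in registers.items():
        for provider in transitive_providers(direct, subcontracts):
            dependents[provider].add(entity)
    return dict(dependents)


def concentration_risks(registers, subcontracts, threshold=0.5):
    """Providers on which at least `threshold` of entities depend, highest first."""
    total = len(registers)
    shares = {p: len(e) / total for p, e in concentration(registers, subcontracts).items()}
    flagged = [(p, s) for p, s in shares.items() if s >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def direct_only_share(registers, provider):
    """Share of entities naming `provider` directly: what isolated TPRM would see."""
    return sum(provider in direct for direct in registers.values()) / len(registers)
```

Running `concentration_risks(REGISTERS, SUBCONTRACTS)` ranks CloudCo (every entity, via several routes) and DataCentreX (three of four) ahead of any direct supplier, while `direct_only_share` shows DataCentreX would be invisible to each entity on its own.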

A collaborative approach plays a key role in strengthening risk management. Sharing risk signals allows peers to detect supplier issues others may have missed, encouraging the exchange of best practices and coordinated mitigation efforts. Peer-to-peer intelligence sharing further enables early detection of risks before they escalate. By taking an industry-wide approach to operational resilience planning, organisations can gain a broader perspective, moving beyond isolated assessments to ensure stronger, more effective risk management. 

Adopting this proactive strategy aligns with the objectives of financial entities that already run advanced cyber risk management programmes, bringing hidden risks to light and allowing organisations to anticipate and address potential disruptions before they happen. Through collaboration, financial entities can go beyond DORA compliance and join forces to create a stronger, more resilient supply chain.

Justin Kuruvilla is Chief Cyber Security Strategist at Risk Ledger
