Third-Party Risk is Now Your Responsibility: Understanding DORA’s Impact in 2025

July 29, 2025
Agustin Morcillo

In 2024, 77% of EU banks ranked IT and cyber among their most critical emerging risks, and nearly 70% identified technology weaknesses, especially around digital supply chains, as top obstacles to resilience. At the same time, from January 2023 to June 2024, ENISA recorded 488 publicly reported cyber incidents affecting Europe’s finance sector, nearly half of which targeted banks. Supply‑chain attacks were identified as one of the prime threat vectors during this period.  

These incidents, ranging from cloud outages and data centre downtime to third-party software failures, have exposed just how fragile digital supply chains in financial services can be. 

Recognising this, the EU’s Digital Operational Resilience Act (DORA) came into full effect in January 2025, placing financial institutions under stricter obligations to monitor, manage, and withstand ICT disruptions, especially those originating outside their own infrastructure. 

In this two-part blog series, we explore what DORA means for third-party oversight in practice: starting with how the regulation is reshaping accountability, who it applies to, and why July 2025 marks a critical turning point for financial institutions across the UK, EU, and beyond. 

What is DORA, Really?

Passed by the European Union in 2022 and fully applicable since January 17, 2025, the Digital Operational Resilience Act (DORA) is a regulatory framework aimed at strengthening the financial sector’s ability to withstand ICT-related disruptions.  

It applies to more than 22,000 financial entities across the EU, including banks, insurers, investment firms, crypto providers, and payment processors, as well as to third-party ICT service providers that support them. 

DORA is distinct in that it doesn’t just ask firms to secure their systems; it requires them to prove they can remain operational in the face of digital incidents. Whether the source of disruption is internal or external, DORA holds the financial institution ultimately accountable. It also harmonises existing digital risk frameworks across EU member states, creating a unified standard that applies across borders. 

The regulation sets out detailed requirements around: 

  • Risk management of ICT systems 
  • Incident detection, reporting, and response 
  • Testing digital operational resilience through simulations 
  • Information sharing on cyber threats 
  • Oversight of third-party ICT providers, including direct supervision of those deemed critical by the European Supervisory Authorities (ESAs) 

Where previous regulations treated outsourcing as a shared responsibility, DORA formalises the idea that you can’t outsource your risk, only the service. 

[Figure: DORA timeline]

Why It Matters Now (And Why July 2025 is a Turning Point)

With DORA officially becoming applicable in January 2025, the regulatory expectations are no longer theoretical. As of July, several EU financial regulators have moved beyond awareness campaigns and into the early stages of active supervision and enforcement. 

For financial institutions, this means that demonstrating intent is no longer enough. Authorities are now looking for evidence of implementation, from operational resilience testing to complete third-party risk registers and contractual clauses aligned to DORA’s standards. 

In parallel, the European Supervisory Authorities (ESAs) are in the process of identifying and designating critical ICT third-party service providers. Once a vendor is labelled “critical,” it will come under direct regulatory oversight, including data access rights, audit obligations, and mandatory incident reporting. These designations are expected to intensify in the second half of 2025, raising the bar for both providers and the financial institutions that depend on them. 

July also marks the start of the first major review cycles for firms’ ICT frameworks under DORA. Institutions that took a wait-and-see approach are now under pressure to catch up, while those already ahead must shift from planning to demonstrable, traceable action. 

Who’s on the Hook? EU, UK, and Beyond

Although DORA is an EU regulation, its effects are being felt far beyond EU borders. 

It applies directly to a broad spectrum of financial firms and their technology providers operating within the EU. But its indirect scope extends to any institution doing business with, or through, the EU financial system, including those headquartered in the UK or US. 

For UK firms post-Brexit, this creates a regulatory tightrope. While not formally bound by DORA, they’re still expected to align with its standards when offering services to EU clients or engaging EU-based vendors. That includes revisiting outsourcing contracts, reporting mechanisms, and resilience strategies to match EU expectations. 

Likewise, global technology vendors with EU-regulated customers are under growing pressure to meet DORA-driven demands, whether or not they operate inside the EU themselves. 

In effect, DORA is setting a new operational baseline for digital risk management, with third-party oversight emerging as one of its most immediate and complex challenges.

Why Third-Party Oversight is DORA’s Hardest Pillar

Among DORA’s five core requirements, third-party ICT risk management is widely seen as the most demanding, and the least mature across the industry. While many financial firms have cybersecurity protocols and incident reporting frameworks in place, far fewer have robust systems for continuously monitoring and evaluating their external vendors. 

What makes this pillar especially challenging is its ongoing nature. DORA doesn’t just require firms to vet suppliers at onboarding; it mandates ongoing risk assessment, contractual clarity, and real-time accountability for the entire lifecycle of the service. That includes everything from data residency and subcontracting chains to audit rights and business continuity alignment. 

The expectations extend in both directions. Financial institutions must prove they have visibility and control over their external tech stack. At the same time, vendors, especially those deemed high-risk, must provide the kind of transparency and traceability that many are not currently equipped to offer. 

All of this is complicated further by fragmented tooling and limited automation. Many institutions still rely on spreadsheets or siloed systems to manage vendor risk, making real-time monitoring and DORA-aligned documentation a logistical burden. Platforms like FD Ryze are emerging to bridge this gap, bringing together continuous monitoring, contract traceability, and AI-powered audit trails into a single, unified view. 

As regulators begin evaluating how well firms have implemented this pillar, the gap between policy and practice is where the greatest exposure, and scrutiny, lies. 

[Figure: Why third-party oversight fails]

What This Means for Your Organization and What Comes Next

DORA doesn’t just rewrite the rulebook; it redefines how operational resilience is managed in real-time. With third-party oversight now a top enforcement priority, firms must shift from static checklists to living, auditable ecosystems of vendor management. 

That means: 

  • Moving from periodic audits to continuous monitoring 
  • Refocusing vendor contracts on scenario testing and SLA thresholds 
  • Upgrading tools and processes to capture granular, real-time data 
  • Investing in oversight models that can flag, trace, simulate, and report disruptions, including those from suppliers outside your walls

In Part 2 of this series, we’ll explore how organizations can begin to address these evolving oversight requirements. One of the most promising enablers is Agentic AI: technology that can independently monitor third-party performance, run failure simulations, initiate escalations, and create regulatory-ready evidence in real time.

It’s the next step in turning compliance into capability and risk into readiness. 
