Industry

DORA Calls for Tighter Monitoring of ICT Partners for Digital Ecosystem Operational Resilience

By Maria Adele Di Comite | 7 min read

Summary

DORA mandates that financial firms in the European Union enhance digital resilience by monitoring third-party ICT providers, mitigating systemic risks, and ensuring compliance.


This blog post was sponsored by Cisco ThousandEyes. 


The Digital Operational Resilience Act (DORA), which applies from January 17, 2025, requires financial entities operating in the European Union to implement tighter supply-chain monitoring and to validate the digital operational resilience of application architecture components that lie beyond their direct control.

More than 20,000 financial organizations, along with the ICT third-party providers that support their critical or important functions, are required to cooperate in mitigating the systemic risk that digital transformation creates. In an ecosystem-driven digital economy, financial entities rely on multiple platforms and providers to meet growing customer expectations for real-time services and multi-channel communication. Under time and competitive pressure to deliver effective digital services, they build on a complex, composite architecture with a large web of partners, supply chains, connections, APIs, and integrations that must all function properly together. The close interactions and dependencies among these providers create systemic risks that the European regulator is addressing with new regulation.

With DORA, the European regulator introduces a concrete response to the growing risks that come with digitalization. Technological interdependencies are needed for financial organizations to remain competitive and deliver business value as part of a future-proof digital strategy: they provide the ability to innovate, scale operations, and improve efficiency. However, the same interdependencies create a systemic risk for the financial sector, with potentially significant repercussions for the whole European economy. By now every financial entity and ICT third-party service provider must be aware of the key DORA requirements established to mitigate that systemic risk, which can be grouped under five pillars: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements.

Figure 1. The five pillars of the Digital Operational Resilience Act (DORA)

Financial entities must also define clear exit strategies for each ICT partner, so that a major service disruption or a failing provider can be handled without it turning into a systemic event.

DORA harmonizes regulation by standardizing digital operational resilience requirements across financial sectors throughout the European Union, covering banks, insurance companies, investment firms, other financial institutions, and their ICT service providers. Because it is a directly applicable regulation rather than a directive that each member state transposes into national law, it removes the discrepancies between national regimes that previously fragmented the landscape. This simplifies the regulatory picture and increases efficiency and predictability for businesses operating across member states.

The importance of tighter monitoring of ICT third-party service providers

Managing ICT third-party service providers is the major innovation introduced by DORA and one of the more challenging areas of the Act: it calls for stricter monitoring and troubleshooting of all ICT components, including those beyond the direct control of the individual financial entity. Collaboration between financial entities and their ICT partners is key to mitigating the systemic risk. While many DORA requirements are familiar to large institutions, especially significant banks subject to the European Central Bank's Single Supervisory Mechanism, their impact is extensive.

An IDC survey run in October 2024, three months ahead of the application date, found that many institutions were not ready for DORA. One in three financial entities identified ICT third-party risk management as a major hurdle, and only 48% expected to have a clear map of critical functions and of the ICT providers supporting them in place by January 2025. These figures underline the urgency of closing the regulatory gaps, building a resilience strategy, and implementing enhanced controls.

Procurement becomes a major function well beyond the onboarding of ICT third-party partners. It supports the ICT governance and risk management functions in reviewing existing and future contracts and integrating the specific clauses DORA requires, and it feeds the register of information that each financial entity must maintain on all of its contractual arrangements with ICT third-party service providers.

Financial organizations must modernize their procurement processes while keeping in mind that the evaluation of ICT service providers is not a one-off exercise at the time of selection but an ongoing necessity.

A comprehensive monitoring system covering all internal and external components is of paramount importance for achieving digital operational resilience: it must track the availability, integrity, and connectivity of every ICT dependency. DORA requires a methodological shift, deploying monitoring that detects service disruptions, defines system health indicators, and generates early warnings when those indicators drift from their expected values. Hundreds if not thousands of digital services, APIs, and network components must function together to deliver the promised availability, prevent major disruptions, and provide the expected customer experience.
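As an added illustration of what "health indicators" and "early warnings" for an external dependency can look like in practice (this is example code written for this page, not ThousandEyes tooling or anything the DORA text prescribes), the block below rolls synthetic probe results up per dependency into availability, tail latency and consecutive-failure counts, compares them with a hypothetical per-provider SLO, and flags rising latency before the SLO is actually breached. The dependency names, thresholds and probe samples are all constructed.

```python
"""Health indicators and early warnings for ICT dependencies, computed from
synthetic probe results. Added example; every dependency name, threshold and
probe sample is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Probe:
    """One synthetic transaction against a dependency, in time order."""
    dependency: str
    ok: bool           # expected response received (availability + integrity)
    latency_ms: float  # end-to-end time as observed from the financial entity


@dataclass(frozen=True)
class Slo:
    """Hypothetical per-dependency objectives, as agreed in the contract."""
    min_availability: float     # fraction of probes that must succeed
    max_p95_latency_ms: float   # tail-latency ceiling for successful probes
    outage_after_failures: int  # consecutive failures that mean "down"


def p95(values: List[float]) -> float:
    """Nearest-rank 95th percentile; caller guarantees a non-empty list."""
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100   # ceil(0.95 * n) in integer math
    return ordered[max(rank - 1, 0)]


def latency_rising(ok_latencies: List[float], factor: float = 1.5) -> bool:
    """Early warning: tail latency of the most recent quarter of successful
    probes is well above the earlier baseline, even if still inside the SLO."""
    if len(ok_latencies) < 2:
        return False
    recent = max(1, len(ok_latencies) // 4)
    return p95(ok_latencies[-recent:]) > factor * p95(ok_latencies[:-recent])


def evaluate(probes: List[Probe], slos: Dict[str, Slo]) -> Dict[str, dict]:
    """Per dependency: OK, WARNING (an SLO is breached) or OUTAGE (enough
    consecutive failures), plus the indicators the status was derived from."""
    by_dep: Dict[str, List[Probe]] = {}
    for probe in probes:
        by_dep.setdefault(probe.dependency, []).append(probe)

    report: Dict[str, dict] = {}
    for dep, samples in by_dep.items():
        slo = slos[dep]
        availability = sum(1 for s in samples if s.ok) / len(samples)
        ok_latencies = [s.latency_ms for s in samples if s.ok]
        tail_latency = p95(ok_latencies) if ok_latencies else float("inf")

        consecutive_failures = 0          # trailing run of failed probes
        for s in reversed(samples):
            if s.ok:
                break
            consecutive_failures += 1

        if consecutive_failures >= slo.outage_after_failures:
            status = "OUTAGE"
        elif (availability < slo.min_availability
              or tail_latency > slo.max_p95_latency_ms):
            status = "WARNING"
        else:
            status = "OK"

        report[dep] = {
            "status": status,
            "availability": availability,
            "p95_latency_ms": tail_latency,
            "consecutive_failures": consecutive_failures,
            "latency_rising": latency_rising(ok_latencies),
        }
    return report


def _series(dep: str, latencies: List[float], failed_at=()) -> List[Probe]:
    """Build a time-ordered probe series; indexes in failed_at are failures."""
    return [Probe(dep, i not in failed_at, ms) for i, ms in enumerate(latencies)]


# Constructed sample data: three hypothetical providers.
SAMPLE_SLOS = {
    "payments-gateway": Slo(0.95, 250.0, 3),
    "core-banking-saas": Slo(0.99, 500.0, 3),
    "market-data-feed": Slo(0.95, 150.0, 3),
}
SAMPLE_PROBES = (
    # healthy, but latency doubles in the last five probes -> early warning
    _series("payments-gateway", [100, 110, 105, 120, 115, 100, 108, 112, 118,
                                 104, 130, 125, 140, 135, 128,
                                 200, 210, 205, 215, 220])
    # one failed probe out of ten breaches a 99 % availability target
    + _series("core-banking-saas", [380, 390, 400, 410, 5000, 420, 430, 440,
                                    450, 460], failed_at={4})
    # four consecutive failures at the end -> outage
    + _series("market-data-feed", [80, 90, 85, 95, 100, 90, 0, 0, 0, 0],
              failed_at={6, 7, 8, 9})
)


def run_sample() -> Dict[str, dict]:
    return evaluate(SAMPLE_PROBES, SAMPLE_SLOS)


if __name__ == "__main__":
    for dep, ind in run_sample().items():
        print(f"{dep:18} {ind['status']:8} avail={ind['availability']:.2f} "
              f"p95={ind['p95_latency_ms']:.0f}ms "
              f"fails={ind['consecutive_failures']} "
              f"rising={ind['latency_rising']}")
```

In the sample run the payments gateway is still inside its SLO but is flagged as `latency_rising`, which is the kind of early warning the paragraph above asks for; the core-banking provider is already in breach of its availability target, and the market-data feed is declared an outage on consecutive failures rather than on the aggregate figure, so a sudden loss of connectivity is caught before it drags the availability average down. The thresholds, the 1.5x trend factor and the "last quarter of samples" window are assumptions for the example; a real deployment would take them from the contract and the entity's own risk appetite.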

Digital operational resilience covers both cybersecurity and IT performance, allowing quick identification of issues and collaborative action on the root causes of service deterioration. Closer monitoring of the infrastructure lets financial entities troubleshoot ICT issues more efficiently and in time to meet the promised service levels. It is not just about compliance but also about maintaining customer satisfaction, brand reputation, and operational efficiency in an ecosystem-driven, digitally transformed world.

Conclusion

DORA requires closer collaboration and strict continuous monitoring of ICT third parties to achieve resilience, prevent disruptions, and ensure operational efficiency. Financial entities should look for reliable partners to help them innovate and deliver on promises to customers and stakeholders, always in compliance with evolving regulations.  


Message from the Sponsor  

Cisco ThousandEyes delivers assurance for user digital experience for any user, to any application or cloud, across any network. To find out more about how Cisco ThousandEyes can form part of your planning for DORA, you can read our whitepaper or refer to our website.  

