Due Diligence in the DORA Era
Aug 21, 2025

Why strong foundations build real resilience
Why DORA changed the rules
In financial services, third-party ICT providers are now the nervous system of the industry. Cloud hosting, data storage, cyber defence, payments infrastructure – entire institutions depend on services they do not control. For years, firms focused on efficiency, scalability and cost reduction. Outsourcing flourished.
But as reliance grew, so did the risks. Concentration of critical services in the hands of a small number of providers has created systemic vulnerabilities. Several high-profile outages, alongside increasing cyber threats, have shown how a single failure can cascade across multiple firms, even entire markets.
The Digital Operational Resilience Act (DORA) is the European Union’s response. Its scope is wide, including ICT risk management, incident reporting, digital operational testing, information sharing – and ICT third-party risk management. Each element strengthens the others. Within this wider framework, third-party risk management plays a crucial role, ensuring firms understand and manage the risks of entrusting critical services to external providers.
At the heart of this sits third-party due diligence – as the foundation of resilience. In the DORA era, due diligence is the process that ensures firms know exactly who they are dealing with, what risks they are accepting and how they will respond when, not if, disruption occurs.
What third-party due diligence really means under DORA
DORA makes one principle explicit: financial entities cannot outsource accountability. Even when services are delivered externally, ultimate responsibility rests with the financial institution.
That’s why due diligence is not just about whether a provider can deliver. It’s about how they deliver, where they deliver from and what happens if they fail.
The regulation sets out clear expectations for firms assessing ICT third-party providers:
Overall risk profile and complexity
Evaluate the scale, scope and complexity of a provider’s operations. A small vendor supporting a niche function presents different risks from a hyperscale cloud provider underpinning payments systems.
Type of services
Understand not just what is being outsourced, but the implications of those services, including how data is processed, stored and protected.
Location of services and data
Where services are delivered from, and where data is stored, matters for compliance and resilience. Providers outside the EU may be under different supervisory regimes – creating potential gaps.
Nature of data shared
Not all data is created equal. Personally identifiable information, client assets or transaction data carry different obligations. The provider’s controls must match the sensitivity of the data.
Group affiliation and supervision
Providers may be part of larger corporate groups, or subject to regulatory oversight elsewhere. Firms must know who ultimately controls the provider and whether that strengthens or weakens resilience.
Concentration and transferability
Perhaps the most critical. If a provider controls too much of the market, systemic risk emerges. Firms must also assess whether services can be transferred to another provider if needed – no easy task where proprietary technologies are involved.
In short, due diligence is about understanding dependencies. If left unchecked, those dependencies can turn a local failure into a systemic crisis.
Why third-party due diligence fails in practice
If the principles are clear, why do firms still fall short? In my experience, three issues recur:
1. Due diligence as a procurement formality
Too often, it’s treated as a one-off questionnaire at onboarding. Once the vendor is signed, the file is closed. But risk profiles evolve, technologies change and new vulnerabilities emerge. Due diligence must be a living process.
2. Over-reliance on certifications
ISO certificates, audit reports and external assurances can provide useful evidence of controls, but they are not enough on their own. DORA makes clear that responsibility for oversight cannot be outsourced to a certificate. Certifications should be one data point, validated by independent testing and ongoing review.
3. Blind spots around concentration risk
Firms tend to assess providers individually but fail to step back and look systemically. How many critical services rely on the same three or four hyperscale cloud providers? This is where hidden vulnerabilities lurk.
The consequences of getting it wrong
The impact of poor due diligence is no longer theoretical:
A major European bank suffered disruption when its outsourced data centre provider experienced a fire. Services across multiple jurisdictions were knocked offline for days.
Cloud outages at hyperscale providers have temporarily halted trading systems, payment processing, and retail banking apps across several institutions at once.
Cyber incidents at smaller vendors have been used as stepping stones to attack larger institutions – classic supply chain exposures.
These aren’t isolated stories. They show that resilience cannot be assumed. It must be evidenced, tested and continuously validated.
Building a culture of third-party due diligence
So what does strong third-party due diligence look like under DORA? Four things stand out:
It is proactive, not reactive.
Firms integrate due diligence into procurement, strategy and governance, not just compliance checks.
It is dynamic.
Risk profiles change, so assessments must be revisited. Annual reviews, updated questionnaires and independent audits keep oversight live.
It is multi-disciplinary.
Legal, compliance, risk, IT and business units all contribute. DORA makes boards accountable, so oversight must reach the top table.
It is embedded in the lifecycle.
Due diligence isn’t just onboarding. It informs contract terms, performance management and exit planning.
Practical steps for leaders
For boards and senior executives, the challenge is to turn regulatory text into operational reality. That means asking:
Have we mapped all third-party relationships, and do we know which are critical?
Do we have a structured due diligence framework aligned to DORA?
Are we monitoring systemic concentration risk, not just individual providers?
Do we have workable exit strategies for our most critical vendors?
Is the board actively engaged, or is this still treated as back-office admin?
If any answer is unclear, resilience is already weakened.
Due diligence as strategic advantage
Compliance can feel like a burden. Another set of requirements to satisfy. But reframed, third-party due diligence is an opportunity:
It clarifies dependencies.
It builds stronger partnerships with providers.
It anticipates risks rather than reacting to them.
It demonstrates to regulators, clients and investors that resilience is a capability, not an aspiration.
In today’s market, resilience is reputation, and reputation is value.
The foundation of resilience
DORA has shifted the conversation about ICT third-party risk. It is no longer enough to trust, assume or hope. Firms must evidence, test and govern.
Due diligence sits at the heart of that shift. Done well, it prevents surprises, limits disruption and strengthens confidence. Done poorly, it leaves firms exposed to operational, regulatory and reputational damage.
In the DORA era, due diligence is a strategy, not just compliance. It is resilience, and it is the responsibility of every financial entity that entrusts critical services to others.