UK Finance explores how financial organizations must move beyond traditional third-party oversight to meet the expectations set by the EU’s Digital Operational Resilience Act (DORA). Authored by Craig Oliver and Karan Chao of PA Consulting, the update argues that DORA fundamentally changes the relationship between financial entities and their critical ICT third-party service providers (CTPPs).
DORA introduces direct sector-level supervision by the European Supervisory Authorities (ESAs) over designated CTPPs.
This addresses longstanding challenges such as heavy reliance on a small number of large technology providers, limited individual leverage over hyperscalers, and the risk of widespread disruption from concentrated dependencies.
While this oversight reduces the burden on firms to assure every supplier in isolation, it does not remove their accountability.
Financial entities remain fully responsible for managing risks to their operations and must still demonstrate that critical services can withstand and recover from ICT disruptions.
The central message is that resilience is no longer a unilateral obligation managed through arm’s-length contracts and documentation. Instead, it has become a shared responsibility.
Suppliers should be viewed as collaborators in building operational resilience rather than simply vendors delivering a service.
This collaborative approach is essential because many vulnerabilities only become visible when testing and planning cross organizational boundaries.
To help firms adapt effectively, the authors outline four practical actions that organizations should now be undertaking:
First, strengthen transparency with key suppliers. Firms need to clearly explain which services are critical, how impact tolerances have been set, and what assumptions underpin those tolerances.
Without this context, CTPPs cannot design appropriate resilience measures or align their own recovery objectives with their clients’ needs.
Second, align contracts and governance arrangements with the new oversight regime.
This means embedding clearer rights of access to data and information, updating escalation and decision-making processes, and ensuring contractual terms cover subcontractor arrangements in line with DORA expectations.
Governance structures must support rapid, coordinated responses when incidents occur.
Third, move from isolated testing to joint resilience exercises. Multi-party scenario testing, coordinated failover drills, and collaborative incident simulations are now required to provide credible evidence of end-to-end resilience.
According to insights from UK Finance, regulators will now expect demonstrable proof that the entire chain — not just individual components — can maintain critical functions during disruption.
Fourth, actively support suppliers on their own compliance journey.
Many CTPPs are still maturing their approaches.
Sharing lessons from earlier regulatory requirements, highlighting common vulnerabilities, and clarifying expectations around testing and impact tolerances can accelerate progress across the ecosystem and reduce collective risk.
The blog warns that the consequences of falling short extend well beyond regulatory findings.
Public disclosures, remediation costs, damage to customer confidence, and loss of competitive positioning are all realistic outcomes.
Conversely, organizations that treat their critical providers as genuine resilience partners are better placed to withstand supervisory scrutiny, strengthen trust, and differentiate themselves in an increasingly transparent environment.
DORA marks the end of purely compliance-driven, documentation-heavy third-party risk management for critical services.
Success now depends on building genuine collaboration that delivers practical, demonstrable resilience across organizational boundaries. The UK Finance update indicates that firms that respond effectively to this shift will be far better positioned as the regulatory focus on operational resilience continues to intensify.