How Critical Third-Party Providers should respond to DORA
Tags
The Digital Operational Resilience Act (DORA) marks a fundamental shift in how Critical Third-Party Providers (CTPPs) are monitored across Europe. For CTPP designated suppliers, regulatory scrutiny is no longer indirect or mediated by the financial services organisations they serve, but by the regulator. Success for CTPPs under DORA will be determined not only by the quality of documentation, but by the ability to demonstrate operational resilience in practice.
DORA marks a new centralised oversight regime for European Supervisory Authorities (ESAs) to directly examine and scrutinise CTPPs. This replaces the previous approach which relied on financial services organisations’ own assurance procedures to supervise their suppliers, causing significantly varied outcomes.
Due to their systemic importance and the financial sector’s dependency on their services, under DORA, CTPPs are subject to an annual cycle of regulatory oversight and engagement, including:
- On-site inspections and deep-dive audits conducted by Joint Examination Teams made up of representatives from ESAs and local supervisory bodies
- Regulator-led resilience testing focused on operational performance
- Mandatory remediation plans funded by the CTPP
- Public disclosure of material non-compliance, with reputational and commercial consequences.
Since DORA was introduced in 2025, 19 suppliers have been designated as a CTPP, and this list could grow. Crucially, the cost to ensure DORA oversight sits with CTPP themselves, not the organisations they serve or ESAs. This means ESAs are not financially constrained to expand the list of suppliers designated if required, particularly as systemic dependencies shift and evolve over time.
While DORA is an EU-wide oversight framework, HM Treasury is establishing a parallel regime to designate Critical Third Parties (CTPs) in the UK. Although similarly aligned in intent and likely to capture many of the same suppliers, the EU and UK frameworks remain legally and operationally distinct. Suppliers operating across both jurisdictions must manage similar but separate obligations under EU and UK oversight, with UK regulators playing an active role in joint examinations. Together, these regimes create a coordinated, cross-border supervisory model, demanding operational transparency.
Shifting from compliance to resilience
A core driver behind these regulatory changes is the structural imbalance between financial services firms, in favour of their ICT suppliers. Until DORA, many firms lacked leverage over hyperscale providers. Regulators are now stepping in to provide sector-level oversight on behalf of the industry, instead of relying on assurances from firms that their suppliers meet their standards for operational resilience. With major high-profile incidents in recent years such as the CrowdStrike outage and disruptions at M&S and Jaguar Land Rover, there’s a growing awareness of how a single third-party failure can drive mass disruption, affecting organisations, their customers, and signalling systemic over-dependency risks for financial services.
DORA oversight legislation is therefore about tackling this systemic concentration risk that financial services’ increasing dependence on a small set of ICT providers brings. By testing where they can withstand, respond to, and recover from disruption in live conditions, firms will be able to uphold greater resilience and avoid major risky disruptions to service.
Regulators will assess how a CTPP’s resilience holds up under pressure, during incidents, failovers, and complex recovery scenarios. Suppliers that treat DORA simply as a time-bound compliance programme, risk being caught unprepared. They cannot rely on self-attested or static control frameworks.
Designing CTPP services for success
DORA oversight is not just a regulatory tick box exercise, it examines resilience as a standing capability embedded into day-to-day operations. CTPPs that will perform best under DORA will design resilience directly into their services right from inception and maintain this resilience lens throughout a service lifecycle. To do so:
- Implement a resilience-led operating model that integrates governance, processes, artefacts, and testing into business-as-usual operations. Processes should be regularly tested and applied consistently across services, including those for change management, subcontractor oversight, exit readiness, and concentration risk
- Align to your client impact tolerances, where suppliers have a clear understanding of how their services support critical functions, or the degree of harm their failure could cause
- Establish clear executive ownership of resilience outcomes, supported by authority, resource, and technical capability
- Enforce consistent regulatory engagement models, enabling confident interaction with multiple supervisory authorities
- Carry out evidence-based testing, demonstrating the ability to deliver services through disruption, not merely design controls.
DORA not only raises baseline expectations it creates an opportunity for all CTPPs to leverage operational resilience as a commercial differentiator. Oversight findings will increasingly influence commercial outcomes, including client confidence, contracting decisions, and long-term revenue. Those that demonstrate regulatory maturity and operational credibility under pressure will be better positioned to compete across European and UK markets.
Explore more