

DORA: Operational resilience, third-party risk, and what’s next for banks?

Posted on 03 March 2026

How does the EU Digital Operational Resilience Act (DORA) impact banks’ operational resilience and third-party risk management?

Fox Ahmed, Global Head Cybersecurity and Technology Regulatory Risk at BNP Paribas, breaks down the key pillars of DORA, including:

  • stronger ICT risk frameworks
  • the identification of important business services and mapping internal and external dependencies
  • deeper third- and fourth-party supply chain oversight
  • concentration risk management
  • faster incident reporting to limit sector-wide contagion
  • more rigorous resilience testing such as threat-led penetration testing and severe-but-plausible tabletop exercises with greater board accountability

The discussion highlights a cultural shift from preventative controls to response and recovery readiness, including the ability to switch suppliers during third-party outages.


Understanding the Digital Operational Resilience Act (DORA)

DORA has introduced a paradigm shift in how financial institutions approach resilience. Traditionally reliant on internal technology frameworks, banks have embarked on a digital transformation journey over the last decade. This transformation involves moving from on-premises systems to third-party cloud services, which expands their technology ecosystems and the set of external dependencies they must understand.

The core of DORA is built on several pillars, with a significant focus on Information and Communication Technology (ICT) risk frameworks. Financial institutions are now tasked with comprehensively understanding their business services and mapping the dependencies behind them. This mapping extends beyond internal systems to the third-party providers essential to their operations.

Navigating third-party risks and new norms in reporting

A crucial aspect of DORA is the emphasis on managing third-party risks. Financial institutions are now required to grasp the intricacies of their supply chains, including third-party and fourth-party providers. This oversight is vital for understanding concentration risks and ensuring timely incident reporting.

Regulators are keen on recognising localised issues within financial firms and preventing their spread across the sector. To this end, they have introduced stringent measures for incident reporting, threat-led penetration testing, and tabletop exercises. The goal is to enable organisations to respond effectively to incidents like cyber-attacks, ensuring swift recovery from IT disruptions.

Cultural shift and increased accountability

The implementation of DORA is driving a cultural shift within financial institutions. Regular resilience testing has become a staple, moving beyond traditional tabletop exercises to incorporate extensive scenarios. Crisis management now involves a wider array of stakeholders, including board members, legal departments, HR, and compliance teams. This inclusivity is fostering a more unified approach to incident recovery and resilience.

Preparing for emerging risks in a digital-first world

While DORA focuses on current operational resilience, the financial sector must also prepare for future challenges. The rise of artificial intelligence (AI) brings both opportunities and risks. As Fox Ahmed noted, AI does not necessarily introduce new risks, but rather elevates existing ones. It is vital for financial institutions to adopt AI ethically within the stringent regulatory environment in which they operate.

Traditional banks face heightened competition from agile, digital-first banks. This compels them to innovate continuously, leveraging AI and blockchain technologies while working collaboratively with regulators to navigate these advancements. The introduction of sandbox environments allows banks to test new technologies safely, fostering a cooperative dialogue with regulators and peers alike.

Conclusion

As the financial services sector stands at the crossroads of regulation and technology, the emphasis on resilience is more pronounced than ever. Regulations like DORA provide a framework for banks to navigate the complexities of digital transformation securely and responsibly. The road ahead will involve balancing technological innovation with ethical practices, all while fostering collaboration between regulators and financial institutions.

With these strategies in place, the financial sector can move forward confidently, prepared to handle both current and future challenges in an increasingly digital world.

Learn about the latest trends in risk management practices from leading practitioners and experts at RiskMinds International. Save the date – 16-19 November 2026, London!
