DORA and Third-Party Risks: Are Your ICT Providers Ready?
- Shane Hermans
- Mar 26
- 2 min read

Why your supply chain could be your greatest compliance liability
In my advisory experience—both as a financial services executive and a cybersecurity strategist—the weakest link is rarely internal. It’s the third-party provider sitting just outside your firewall. Under the Digital Operational Resilience Act (DORA), the risks that your ICT partners carry are now risks you own.
DORA’s third-party risk mandates represent a watershed moment for how financial institutions manage their digital ecosystems. If your ICT provider isn’t DORA-ready, neither are you.
DORA: The Scope of the Challenge
DORA introduces stringent requirements around third-party risk management:
- Financial entities must maintain detailed registers of all ICT service providers.
- Institutions must actively assess and monitor provider resilience—not once, but continuously.
- Contracts must include explicit clauses for ICT risk controls, incident reporting obligations, and resilience testing rights.
In practice, this means institutions must now embed regulatory requirements directly into vendor selection, onboarding, and performance review processes.
The Chain Reaction of Non-Compliance
Here’s where many firms underestimate the stakes. If a third-party ICT provider experiences a disruption or fails to meet resilience expectations:
- The financial institution is directly liable to regulators.
- ICT incidents originating from third parties must be reported within the same accelerated timelines as internal incidents.
- Supervisory authorities may intervene—not just at the provider level but across the financial institution’s operations.
The days of informal vendor oversight or passive risk registers are over.
Redefining Supplier Due Diligence
I’ve seen leading institutions shift from annual supplier reviews to continuous monitoring models—embedding DORA resilience criteria into both procurement and daily oversight.
Key steps include:
- Implementing tiered supplier risk classifications based on criticality to ICT operations.
- Conducting threat-led penetration tests involving critical third-party ICT providers.
- Rewriting Service Level Agreements (SLAs) to include resilience metrics aligned with DORA standards.
At HiveMind Global, we work with organizations to operationalize this due diligence—not just in procurement, but across ongoing supplier risk management programs. Explore how we can help you strengthen your third-party frameworks with HiveMind Global.
Collaborative Resilience: A New Paradigm
What’s compelling about DORA is that it fosters an ecosystem-wide shift. Financial institutions and ICT providers must now act as co-defenders of digital operational resilience.
This will require fostering deeper partnerships, increasing transparency, and creating contractual models that reward resilience—not just cost efficiency.
Time to Vet Your Providers
If your ICT providers can’t demonstrate DORA-readiness today, your institution is already carrying hidden regulatory exposure.
The smartest institutions are already re-assessing their provider ecosystems—and taking corrective action before the clock runs out.
Discover how we can support compliance requirements at HiveMind Global and connect with us on LinkedIn.