On January 17, 2025, the Digital Operational Resilience Act (DORA) started to apply across the European Union. While DORA is a European regulation, its impact will be felt far beyond the EU's borders, because any organisation doing business with the EU's 22,000+ regulated financial entities, regardless of where it is based, will need to take notice.
For third parties, partners, and suppliers that support or interact with regulated EU financial institutions, DORA is a wake-up call. The law's reach and requirements are already shaping how the global financial ecosystem thinks about risk, resilience, and security, particularly when it comes to the supply chain.
Why DORA matters
The EU is one of the largest financial centres in the world. It is home to many Global Systemically Important Banks (G-SIBs) such as Deutsche Bank, Santander, and BNP Paribas. A failure in one of these institutions wouldn't just affect Europe; it would send shockwaves through global markets.
The Euro is the world’s second most-held reserve currency, accounting for around 20% of global foreign exchange reserves. So, when European regulators say they're building systemic resilience into their financial sector, it’s not just a regional concern, it’s a global one.
DORA was designed with this reality in mind. Its recitals state that the high level of interconnectedness between financial entities and their ICT systems creates a systemic vulnerability: a localised cyberattack could propagate rapidly through the financial system, disrupting markets, undermining confidence, and threatening financial stability.
Third-party risk is the new frontline
The supply chain is front and centre in DORA’s scope. That’s because modern attacks often don’t target financial institutions directly—they go through the back door: third-party vendors.
According to the 2025 Verizon Data Breach Investigations Report, 30% of breaches now involve a third party. DORA recognises this and mandates that financial entities tighten controls across their full ecosystem, from internal teams to external ICT suppliers.
To comply, EU-based financial entities must implement an ICT risk management framework, report major ICT-related incidents to their regulator, run a regular programme of digital operational resilience testing (including threat-led penetration testing for the largest entities), manage ICT third-party risk, and be able to show that they can detect, respond to, and recover from disruptions. These obligations don't stop at their own infrastructure; they extend deep into their supply chains.
Executive accountability and continuous improvement
DORA doesn't stop at technology; it brings people into the equation too. The regulation makes the management body (the board and senior executives) responsible for defining, approving, and overseeing the organisation's ICT risk management framework. That personal accountability is designed to ensure that security and resilience are treated as strategic priorities rather than as IT issues.
Organisations must now document their testing efforts, maintain clear audit trails, and continuously assess and improve their resilience. This creates a security culture that is proactive, not reactive.
Why third parties can’t afford to ignore DORA
One of the most impactful parts of DORA is its indirect reach. While most third parties such as software providers, cloud vendors, or IT support firms aren't regulated directly, their financial-sector clients are, and those clients remain fully responsible for the risks their ICT suppliers introduce.
That means vendors working with EU financial organisations must meet higher expectations around:
• IT and cybersecurity resilience
• Incident reporting and communication
• Contractual obligations for service continuity, security, audit and access rights, and orderly exit
For the largest providers, the regulation goes further: the European Supervisory Authorities (EBA, EIOPA, and ESMA) can designate ICT third-party providers as "critical", such as major cloud service providers that underpin core financial infrastructure, and place them under a direct oversight framework with a Lead Overseer.
The message is clear: if you want to do business with a DORA-regulated entity, you need to be DORA-ready yourself.
DORA: Europe’s GDPR for digital resilience?
DORA's global impact follows a familiar pattern. When GDPR became applicable in 2018, it transformed how companies across the world handled personal data, because GDPR protected EU residents' data regardless of where the processing company was based.
DORA works in a similar way, but its subject is operational resilience rather than data privacy. Regulated financial entities must ensure their ICT suppliers meet their security and continuity requirements, so if you're in their supply chain, your security posture now affects their compliance.
Put simply: DORA turns compliance into a global business requirement. Companies outside the EU may not be regulated directly, but they’ll feel the commercial pressure to align. In competitive bids, DORA-readiness will increasingly become a differentiator.
The Brussels Effect in action
This dynamic is often referred to as the “Brussels Effect”—when European regulations become de facto global standards because of the EU’s market power and strong regulatory frameworks.
Large multinational companies that operate in many jurisdictions often choose to comply with the most stringent regulations, like DORA, because it simplifies their global compliance strategy. As a result, Europe’s standards start to shape business practices worldwide.
And with financial services being one of the most interconnected and highly regulated industries, DORA is likely to drive a global shift in how third-party risk is managed.
What suppliers and partners can do now
If you’re a technology provider, service vendor, or software supplier working with the financial sector, especially in Europe, it’s time to prepare for DORA. Here are a few steps to get started:
1. Assess your current security and resilience posture – Understand how well your systems would stand up to DORA-aligned scrutiny.
2. Review your contracts and SLAs – Make sure they include clear commitments around service continuity, incident response, and security standards, along with the audit and access rights, data-location disclosures, and exit and termination provisions that DORA requires financial entities to include in their ICT contracts. Because a regulated client must send its supervisor an initial notification of a major ICT incident within hours of classifying it, your incident-notification commitments to clients need to be measured in hours, not days.
3. Engage proactively with clients – Demonstrate that you’re aware of DORA and are taking steps to support their compliance journey.
4. Invest in automation and monitoring – These will be key to supporting the continuous testing and reporting that DORA requires.
A timely and necessary shift
The financial sector touches nearly every corner of the global economy. A serious incident, whether caused by cyberattack or supplier failure, can cascade across borders in seconds. DORA is a timely response to this risk.
While European regulators can’t compel a US or Asia-based company to follow DORA directly, they can make it a requirement for doing business with the EU. That’s powerful, and it’s already changing behaviour. In an interconnected world, resilience is only as strong as the weakest link. DORA raises the bar for everyone, and that’s a good thing.