May 26, 2025

Syed Amoz
Why Third-Party Risk Is Peaking on the Banking Agenda
Application modernisation, cloud migration, and open-banking APIs have left even the most conservative banks dependent on dozens, sometimes hundreds, of external technology partners. Every new connection expands the attack surface, and the headlines show why that matters: ransomware-crippled core processors, exposed cloud storage buckets, and weeks-long payment outages. Supervisors have responded by tightening expectations, and the most forceful response so far is the EU’s Digital Operational Resilience Act (DORA), which has applied since 17 January 2025.
The New Risk Landscape
Until recently, the chief compliance burden was ticking boxes: collect a SOC 2 report, send an annual questionnaire, and file it away. DORA breaks that pattern. The regulation demands continuous oversight of every information and communication technology (ICT) supplier, and supervisors will check that the bank holds contractual rights to enter a provider’s premises, inspect logs and test controls. For providers that support critical or important functions, Article 30 hard-codes contractual minimums: incident notification and reporting obligations (banks typically contract 24-hour notice so they can meet their own DORA incident-reporting deadlines), unrestricted rights of access, inspection and audit, and documented exit strategies.
Globally active banks face a dual pressure. Even if only one business line serves EU customers, DORA reaches the third parties that underpin that service, wherever in the group the contracts sit. Meanwhile, non-EU supervisors increasingly borrow DORA’s vocabulary when assessing operational resilience, so aligning early makes strategic sense.
Everyday Challenges Inside the Bank
Fragmented ownership. Procurement owns contracts, security teams own testing, and compliance owns policy, yet vendors sit across all three. Misaligned incentives mean critical findings often linger.
Opaque inventories. Business units add SaaS tools faster than risk teams can register them. DORA’s Article 28 requirement to maintain a register of information on all ICT third-party arrangements cannot be met without a reliable inventory of which supplier processes which data for which business function.
Contract fatigue. Negotiating audit rights, data-location guarantees, and 24-hour incident clauses with hyperscale providers is slow and expensive. Many banks accept watered-down terms to meet launch deadlines, storing up regulatory debt for later.
Siloed monitoring. Security operations may detect a vendor breach days before it reaches risk managers because tooling is not integrated with TPRM workflows.
From Problem to Process – A Modern Cyber-TPRM Lifecycle
Banks that are coping well with DORA have rebuilt their vendor-risk process around four data-driven practices:
Discovery and classification. Automated discovery tools scan DNS, certificate transparency logs, and cloud footprints to reveal “shadow” suppliers. Assets are matched to business processes and criticality scores, so the DORA register is always current.
Contract templating. Legal teams work from a library that already embeds Article 30 language. Negotiations focus only on deviations, accelerating onboarding while keeping clauses strong.
Continuous control telemetry. External attack-surface scanners check every supplier domain on a 24-hour cycle for open ports, missing or weak email-authentication records such as DMARC, and misconfigured storage. In parallel, breach-intelligence feeds watch criminal marketplaces for leaked credentials tied to suppliers. Each signal lands in a shared dashboard, not a spreadsheet.
Workflow-centred remediation. Findings generate tickets with predefined SLAs. Risk owners, not generic inboxes, receive the task, and escalation paths end at the board’s operational-resilience committee.
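The discovery step above can be shown concretely. The following is an added example, not Genesis Platform code: it takes entries in the shape of a certificate-transparency search result (the crt.sh JSON layout, with newline-separated subject alternative names), normalises the hostnames, and checks each one against a constructed stand-in for the Article 28 register. Hostnames with no registered parent domain are the "shadow" supplier candidates. All domains, supplier names and the register contents are hypothetical.

```python
"""Shadow-supplier discovery from certificate-transparency (CT) entries.

Added example (not Genesis Platform code): normalise the hostnames found in
CT log entries and check each one against the bank's ICT third-party
register so unregistered domains surface as candidate shadow suppliers.
"""
import json
from typing import Optional

# Constructed sample in the shape of crt.sh's JSON output, where name_value
# holds newline-separated subject alternative names. Domains are hypothetical.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "name_value": "api.payments-vendor.test\n*.payments-vendor.test"},
    {"id": 2, "name_value": "EU-WEST-2.payments-vendor.test."},
    {"id": 3, "name_value": "portal.newsaas-tool.test\nwww.newsaas-tool.test"},
    {"id": 4, "name_value": "sso.corebank-fintech.test"},
    {"id": 5, "name_value": "api.payments-vendor.test"},  # precert/leaf duplicate
])

# Constructed register: registrable domain -> (supplier, criticality).
# A real deployment would read the Article 28 register of information.
SAMPLE_REGISTER = {
    "payments-vendor.test": ("Payments Vendor Ltd", "critical"),
    "corebank-fintech.test": ("CoreBank Fintech", "critical"),
}


def hostnames_from_ct(raw_json: str) -> list:
    """Extract a deduplicated, normalised hostname list from CT JSON.

    Wildcards are reduced to their parent domain, case and trailing dots
    are stripped, and duplicates across precertificate/leaf entries collapse.
    """
    names = set()
    for entry in json.loads(raw_json):
        for san in entry["name_value"].split("\n"):
            san = san.strip().lower().rstrip(".")
            if san.startswith("*."):
                san = san[2:]
            if san:
                names.add(san)
    return sorted(names)


def registered_parent(hostname: str, register: dict) -> Optional[str]:
    """Return the registered domain that hostname falls under, or None.

    Candidate suffixes are tried from most to least specific, so a
    registered subdomain wins over its registered parent, and a look-alike
    such as corebank-fintech.test.evil.test does not match.
    """
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in register:
            return candidate
    return None


def classify_hostnames(hostnames: list, register: dict):
    """Split hostnames into (known, shadow).

    known:  list of (hostname, supplier, criticality) tuples
    shadow: hostnames with no registered parent, i.e. discovery findings
    """
    known, shadow = [], []
    for host in hostnames:
        parent = registered_parent(host, register)
        if parent is None:
            shadow.append(host)
        else:
            supplier, criticality = register[parent]
            known.append((host, supplier, criticality))
    return known, shadow


if __name__ == "__main__":
    known, shadow = classify_hostnames(hostnames_from_ct(SAMPLE_CT_JSON), SAMPLE_REGISTER)
    for host, supplier, crit in known:
        print(f"registered  {host:36} {supplier} ({crit})")
    for host in shadow:
        print(f"SHADOW      {host:36} not in the Article 28 register")
```

In practice the register lookup would also consult the sub-processor list attached to each contract, since a legitimately registered supplier often fronts services on a domain it does not own.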
Solutions such as the Genesis Platform weave those feeds into a single risk score for each supplier, link every finding to the right DORA article, and archive evidence in case a supervisor requests it.
DORA Spotlight – What Absolutely Must Change
Section I of DORA’s third-party chapter (Articles 28–30) reshapes three areas:
The live ICT vendor register. Banks must keep an up-to-date inventory of all ICT contracts, noting the functions they support, the data they process, and their criticality. National supervisors will collect that register by 30 April 2025.
Continuous performance and security monitoring. Quarterly surveys or annual attestations do not qualify on their own. Evidence must demonstrate that key risk indicators such as availability, latency, and vulnerability backlog are monitored continuously and that alerts trigger timely action.
Contractual minimums. For providers supporting critical or important functions, Article 30 makes unrestricted rights of access, inspection and audit non-negotiable. Banks also need incident-notification clauses tight enough to meet their own DORA reporting clock, which in practice means notice within 24 hours at the latest. Where global cloud providers resist, DORA permits alternative assurance levels only where they are agreed and equivalent; a watered-down audit clause does not qualify.
Next Steps for 2025
Compare your current supplier inventory to DORA’s Article 28 register requirements: are shadow vendors or sub-processors missing?
Review master service agreements for the 24-hour incident clause and unrestricted audit wording; flag gaps for renegotiation.
Pilot continuous attack-surface scanning on a subset of critical vendors; integrate findings into your existing ticketing platform.
When data flows smoothly, scale the model across the portfolio, freeing risk specialists to focus on interpretation rather than collection.
A Day-in-the-Life Example
A core-banking fintech quietly launches compute resources in a second European cloud region. The change slips past contract managers but not the bank’s external scanner, which, by design, tests every supplier domain nightly. It discovers a publicly readable object storage bucket in the new region and a newly provisioned sending domain with no DMARC record.
Genesis ingests the alert, maps it to DORA Article 15 and Article 30(h), then opens a remediation ticket with a five-day SLA. The vendor receives prescriptive guidance, the risk owner sees countdown metrics, and screenshots are sealed in an evidence vault. When supervisors review the bank’s resilience file months later, every step is timestamped and searchable.
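The DMARC leg of that nightly check, and the ticket it produces, can be shown end to end. The following is an added example, not Genesis Platform code: it grades the TXT answers a scanner collected for `_dmarc.<domain>` lookups (constructed sample data, hypothetical domains), distinguishing a missing record, a monitor-only `p=none` policy, a partially applied `pct` value and an enforcing policy without aggregate reporting, then opens a ticket with an SLA deadline. The five-day SLA for high-severity findings follows the scenario above; the thirty-day SLA for low-severity findings and the mapping of severities are assumptions of the example.

```python
"""DMARC telemetry check and SLA ticketing.

Added example (not Genesis Platform code): evaluate the _dmarc TXT answers a
nightly scan collected for supplier domains, grade each one, and turn weak
results into remediation tickets with an SLA deadline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: TXT answers for _dmarc.<domain> lookups. Domains are
# hypothetical; an empty list means no TXT record came back.
SAMPLE_DNS_TXT = {
    "payments.example-vendor.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.test; pct=100",
    ],
    "eu-west-2.example-vendor.test": [],                        # nothing published
    "mail.example-vendor.test": ["v=DMARC1; p=none; pct=50"],   # monitor-only
    "legacy.example-vendor.test": ["v=spf1 -all"],              # SPF misplaced at _dmarc
    "notify.example-vendor.test": ["v=DMARC1; p=quarantine"],   # enforcing, no reporting
}

# Assumed SLA policy: five days for high severity (as in the scenario),
# thirty days assumed here for low severity. Scan date is constructed.
SLA_DAYS = {"high": 5, "low": 30}
SCAN_DATE = date(2025, 5, 26)


@dataclass
class DmarcFinding:
    domain: str
    severity: str           # "none", "low" or "high"
    detail: str
    policy: Optional[str]   # parsed p= tag, if any


def parse_dmarc_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(domain: str, txt_records: list) -> DmarcFinding:
    """Grade a domain from the TXT records returned for _dmarc.<domain>.

    A DMARC record must begin with v=DMARC1. Receivers apply no policy when
    the record is absent or when more than one is published, so both cases
    are graded high.
    """
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return DmarcFinding(domain, "high", "no DMARC record published", None)
    if len(dmarc) > 1:
        return DmarcFinding(domain, "high", "multiple DMARC records; receivers discard all", None)

    tags = parse_dmarc_tags(dmarc[0])
    policy = tags.get("p", "").lower() or None
    if policy not in ("none", "quarantine", "reject"):
        return DmarcFinding(domain, "high", "missing or invalid p= tag", policy)
    if policy == "none":
        return DmarcFinding(domain, "high", "p=none: spoofed mail is still delivered", policy)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparsable pct treated as not enforced
    if pct < 100:
        return DmarcFinding(domain, "low", f"policy applied to only pct={pct}% of mail", policy)
    if "rua" not in tags:
        return DmarcFinding(domain, "low", "no rua= address: enforcement is unmonitored", policy)
    return DmarcFinding(domain, "none", "enforcing policy with aggregate reporting", policy)


def open_ticket(finding: DmarcFinding, opened: date = SCAN_DATE) -> Optional[dict]:
    """Return a remediation ticket for a weak finding, or None when compliant."""
    if finding.severity == "none":
        return None
    return {
        "supplier_domain": finding.domain,
        "control": "email authentication (DMARC)",
        "severity": finding.severity,
        "detail": finding.detail,
        "opened": opened.isoformat(),
        "due": (opened + timedelta(days=SLA_DAYS[finding.severity])).isoformat(),
    }


def scan_dmarc(dns_answers: dict, opened: date = SCAN_DATE) -> list:
    """Evaluate every domain and return the tickets that need a risk owner."""
    tickets = []
    for domain, records in dns_answers.items():
        ticket = open_ticket(evaluate_dmarc(domain, records), opened)
        if ticket:
            tickets.append(ticket)
    return tickets


if __name__ == "__main__":
    for t in scan_dmarc(SAMPLE_DNS_TXT):
        print(f"{t['severity']:4} {t['supplier_domain']:30} due {t['due']}  {t['detail']}")
```

The severity rules are deliberately conservative: a domain with no DMARC record and one whose policy is `p=none` get the same grade, because in both cases a receiver will deliver spoofed mail bearing the supplier's domain.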
Quantifying the ROI for Risk & Compliance Leaders
Time saved – Automated evidence collection can cut vendor onboarding from 30 days to <7 days.
Fewer audit findings – Continuous controls testing reduces surprise observations, lowering remediation consulting costs.
Capital relief – Strong operational-resilience metrics support lower capital add-ons under ICAAP/SREP reviews.
Competitive Edge
Regulators will only tighten expectations, and customers increasingly judge banks on operational resilience. Embedding continuous, data-rich TPRM, built internally or enabled by a specialist platform like Genesis Platform, lets banks shift the conversation from box-ticking to strategic advantage. The sooner risk teams modernise their toolset, the sooner the board can sleep at night.