Operational Resilience
January 2026
2 min read

Third-Party Risk: DORA Makes Accountability Absolute

Analysis of DORA Article 28 and the principle that you can outsource the function but never the accountability, with focus on vendor management.

DORA, third-party risk, vendor management

Nearly a year after DORA came into full effect, the financial sector is grappling with one of its most profound principles: you can outsource the function, but you can never outsource the accountability.

Article 28 of DORA¹ elevates this from a regulatory guideline² to a binding legal obligation. For boards, the message is clear: if your third-party provider fails, it is your failure.

⚖️ THE NEW ACCOUNTABILITY FRAMEWORK

DORA doesn't just restate old principles; it creates a framework for enforcement. Article 28(1) requires financial entities to manage ICT third-party risk "as an integral component of ICT risk" within their ICT risk management framework, and states that entities relying on contractual arrangements for ICT services remain fully responsible for compliance with all of their obligations under the Regulation and applicable financial services law. This isn't about vendor management; it's about integrated risk ownership.

This is reinforced by the requirement to adopt, and regularly review, a "strategy on ICT third-party risk"³ as part of the ICT risk management framework. The management body is now explicitly on the hook for understanding and governing the risks associated with every ICT provider, from the largest cloud hyperscalers to the smallest niche software vendors.

🌐 THE JURISDICTIONAL QUAGMIRE

The practical challenges are immense, especially for global institutions. A recent report highlights the growing concern among risk managers about the EU's jurisdictional reach over US-based cloud providers⁴. While EU subsidiaries are clearly in scope, the extent to which EU regulators can enforce DORA's provisions on their parent companies or non-EU vendors remains a contentious issue.

This creates a complex web of contractual and operational challenges. Firms are now in the midst of a massive contract remediation effort to insert DORA-mandated clauses into all ICT agreements⁵, a process that is proving to be far more than a simple box-ticking exercise.

❓ THE CRITICAL QUESTION FOR 2026

As we enter the second year of DORA, the focus is shifting from theoretical compliance to demonstrable evidence of control. Regulators will no longer be asking if you have a third-party risk policy; they will be demanding to see the board minutes, risk assessments, and exit strategies that prove you are actively governing your vendors.

The critical question for 2026 is: has your board fully accepted that the operational resilience of your institution is now directly tied to the resilience of your least-prepared vendor?

References

¹ Regulation (EU) 2022/2554 (DORA)
² EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02); ECB Guide on outsourcing; OCC Bulletin 2013-29
³ DORA, Article 28(2)
⁴ Risk.net, "Risk managers question US reach of Dora third-party list" (Jan 2026)
⁵ Stephenson Harwood, "Getting your contracts remediated for DORA" (Aug 2024)

This article was originally published on LinkedIn.

Gavin Ignatius Persaud

Solicitor | Fintech Law Specialist

Gavin is a specialist solicitor with over 25 years of experience in financial technology regulation, digital assets law, and emerging technology compliance. He advises premier financial institutions and innovative technology companies on complex regulatory matters across 33 jurisdictions.

Fintech Regulation | Crypto & Digital Assets | AI & Data Privacy | MiCA & DORA Expert

Qualifications: PhD (Cryptocurrency & Stablecoin Policy), LLM (Commercial Law), Solicitor of England & Wales

Experience: £750M+ transaction value | 33 jurisdictions | Trusted adviser to Morgan Stanley, American Express, Visa, Citibank, and leading fintech innovators
