Relying on external providers for vital digital operations does not mean you shed the risks that come with those relationships. The Digital Operational Resilience Act (DORA), particularly Article 28, enshrines the principle that accountability for outsourced IT and digital services always stays with your organization. No matter how critical the vendor, the responsibility is yours—no exceptions and no passing the blame down the supply chain.
Article 28: Responsibility Never Leaves Your Door
Under DORA, even when your business leans on outside partners for essential ICT capabilities, the weight of compliance, resilience, and operational stability remains firmly on your shoulders. Regulators want assurance that companies perform due diligence, manage third-party risk as part of their broader technology risk program, and never use outsourcing as a way to deflect scrutiny. If your key supplier falters, the cost—whether legal, reputational, or operational—comes directly to you.
What Makes a Contract “Clear” Under DORA?
DORA expects organizations to strike agreements that leave nothing open to doubt. This means contracts should leave no ambiguity about the services provided, performance standards, security requirements, and the process for handling incidents or regulatory inspections. Every critical aspect, from subcontracting to data management and how a relationship can be unwound, is spelled out. Treat contracts as living documents—update them as your environment and risks evolve.
- Spell out all functions and any allowed subcontracting—requiring consent or advance notice.
- Set measurable objectives with built-in remedies if those targets aren’t met.
- Mandate prompt disclosure of any incidents affecting data or service quality.
- Define how the business recovers if the partnership ends and ensure secure transfer or deletion of your data.
Ongoing Risk Reviews: Not Just a One-Off Task
Risk management under DORA is a continuous, proactive discipline. Initial assessments are not enough; reviews must be embedded into the life cycle of every vendor relationship. This means scrutinizing key metrics, reassessing SLAs and control evidence, and holding partners accountable with both internal checks and external audits.
- Review incident reports and risk registers at least yearly—or more often if the vendor is critical.
- Schedule unannounced spot-checks and independent assessments.
- Use automated tools for flagging emerging compliance and operational risks.
Complete Visibility: Knowing the Whole Chain
True resilience means you don’t just trust your main vendor but understand everyone on whom their delivery depends. DORA calls for total transparency—requiring disclosure and ongoing monitoring of all subcontractors touching critical processes.
- Insist on a current, detailed directory of all subcontractors.
- Extend your right to audit down the supply chain for accountability at every link.
- Apply your compliance and resilience expectations to subcontractors via binding flow-down clauses.
Board Oversight: Risk Is a Leadership Issue
Managing vendor risk under DORA isn’t just an IT or compliance job—it’s a board-level mandate. Senior management must receive regular, plain-language reports on key vendor exposures, concentration issues, and the effectiveness of risk mitigation steps. The board should help set, review, and refresh risk strategy in the context of both regulatory change and evolving business demands.
- Risk oversight frameworks must reflect the real-world importance of every third-party relationship.
- Regular updates and dashboards should provide an honest appraisal of external dependencies.
- Strategic decisions about risk appetite and vendor reliance flow outward from the board, not just upwards from operations.
Board Oversight: Risk Is a Leadership Issue
Managing vendor risk under DORA isn’t just an IT or compliance job—it’s a board-level mandate. Senior management must receive regular, plain-language reports on key vendor exposures, concentration issues, and the effectiveness of risk mitigation steps. The board should help set, review, and refresh risk strategy in the context of both regulatory change and evolving business demands.
- Risk oversight frameworks must reflect the real-world importance of every third-party relationship.
- Regular updates and dashboards should provide an honest appraisal of external dependencies.
- Strategic decisions about risk appetite and vendor reliance flow outward from the board, not just upwards from operations.
Board Oversight: Risk Is a Leadership Issue
Managing vendor risk under DORA isn’t just an IT or compliance job—it’s a board-level mandate. Senior management must receive regular, plain-language reports on key vendor exposures, concentration issues, and the effectiveness of risk mitigation steps. The board should help set, review, and refresh risk strategy in the context of both regulatory change and evolving business demands.
- Risk oversight frameworks must reflect the real-world importance of every third-party relationship.
- Regular updates and dashboards should provide an honest appraisal of external dependencies.
- Strategic decisions about risk appetite and vendor reliance flow outward from the board, not just upwards from operations.
Trust—But Make Them Prove It
Blind confidence in suppliers can be costly. DORA expects organizations to build trust, but that trust is grounded in ongoing evidence. Rigorous testing and contingency planning are essential, as is reserving the right to escalate if standards aren’t met.
- Routinely test business continuity plans, cyber resilience, and backup/restoration processes.
- Insist on open cooperation from all vendors during audits and regulatory queries.
- Document results and improvements for every test, keeping a clear trail for auditors and stakeholders.
Outsourcing doesn’t outsource risk—it magnifies its importance and visibility
Under Article 28, you can’t point fingers if things go wrong. This regulatory principle ensures customers, partners, and authorities know that while tasks may travel, responsibility does not.
Looking to stay DORA-compliant and protect your business from third-party failures?
Partner with Laati for expert Third Party Risk Assessment services. Our team ensures you know exactly where your risks lie—across all vendors, contracts, and supply chains—giving you confidence that your business remains resilient, ready, and regulator-approved.Let’s face it: when a vendor drops the ball, the consequences land at your door. Don’t leave your reputation or compliance to chance. Reach out today to schedule a tailored assessment and discover how we help you identify, manage, and report third-party risks—so you can focus on growing your business safely and securely. Your risks remain your responsibility; our expertise keeps them managed and under control.
