As the clock ticks down to the EU’s 17 January 2025 Digital Operational Resilience Act (DORA) deadline, suppliers face a unique opportunity to redefine their role. This isn’t just about compliance—it’s about fostering transparency, breaking silos, and becoming true partners in resilience.
Far from being too late, now is the perfect time to get started. This is just the beginning of a long operational resilience marathon, where the steps taken today will shape tomorrow’s success. By embracing collaboration and continuous improvement, suppliers can not only meet regulations but also build stronger customer relationships and gain a lasting competitive edge.
The Transparency Imperative
At the heart of this transformation lies the need for unprecedented transparency. As Anne Leslie, an industry expert in cybersecurity and AI for IBM Cloud in EMEA, explained on RegCast Season 5: Episode 5 – Deadline DORA – the supply chain countdown, “If you can’t protect anything that you can’t see or that you don’t know about, visibility, who’s in your supply chain, internally and externally, and trying to be really clear about where you have to have those touch points” is crucial.
Suppliers must take a hard look at their internal and external supply chains, mapping out dependencies and potential points of failure. As Monica Sasso emphasized, “When you have it all written down, it’s the dependencies – that’s where we see clients ask for help.”
This level of visibility is not just about compliance; it’s about building resilience. As Anne pointed out, “If our supply chain currently involves a guy called Kevin who happens to have a really key skill, and Kevin happens to not be there, we have to know that there’s a Kevin in the supply chain. No, it doesn’t necessarily look great on paper but denying that he’s there isn’t going to help us.”
Bridging the Silo Gap
Achieving this level of transparency requires breaking down the traditional silos within supplier organizations. As Monica, observed, “The silos are still there, and the three lines of defense model needs to be rethought.” This won’t be easy as the traditional ‘stay in your swim lane’ model is ingrained in the approach to managing risk.
Suppliers must foster cross-functional collaboration, bringing together risk, compliance, and IT teams to develop a shared understanding of operational resilience. This is where interpersonal skills come in and suppliers being brave enough to say, ‘No, we need to speak to your chief risk officer.’ or ‘please, can we speak to somebody in compliance?’ because we want to have a broader conversation.
Building a Resilient Foundation
Underpinning this collaborative approach is the need for suppliers to establish a solid foundation for operational resilience. As Anne emphasized, “We have to be honest about ourselves, about all of the legacy dust that we’ve acquired that needs a good sweep out, and taking this as an opportunity not to name and shame and blame people for the things they didn’t do in the past, acknowledging that it is as it is, and then trying to make it better.”
This honesty and willingness to embrace change are critical. As Monica Sasso noted, “This is where it starts to get interesting. I don’t think many are yet having these difficult conversations that challenge traditional practices.”
The Supplier’s Opportunity
While the operational resilience landscape may seem daunting, suppliers should reframe this challenge as a chance to strengthen their customer relationships and position themselves as trusted partners in resilience.
As Anne pointed out, “If you’re in an organization that enjoys and revels in taking pot shots at people, they’re not going to want to do this. The organizations that get good at this are the ones where they’re more focused on getting better for today’s customer needs, as opposed to blaming the people of the past for what they didn’t do, or the things that broke or the investments that didn’t quite hit the mark.”
Suppliers that embrace this mindset of continuous improvement and collaboration will find themselves at a distinct advantage. As Monica Sasso emphasized, “This is where we need to get better together with our clients and customers by being bold enough and have the open conversations which don’t generally happen today.”
By proactively engaging with their customers’ risk, compliance, and IT teams, suppliers can demonstrate their commitment to being a true partner in resilience. As Anne noted, “If a provider amends something in a contract to align with DORA, it’s not necessarily a concession. The mindset can be “I’m doing it intentionally because by making this change, I am making it easier for my client to consume more of my technology and services. This is often lost in adversarial contract negotiations.”
This shift from an adversarial to a collaborative mindset can be a game-changer. As PJ Di Giammarino, Founder and CEO of industry think-tank JWG observed, “Many of these conversations are not peer to peer today, but rather ‘sign my addendum within 10 days’ or wear the risk.” Suppliers that can navigate the DORA landscape with transparency and common goals will be the ones that thrive in 2025.
Highlighting the Competitive Advantage
In a world where operational resilience is paramount, being a “delightful” supplier to work with can provide a significant competitive edge.
As PJ stated, “The regulation doesn’t say you need to work with the industry to define an OpRes approach that meets business needs, but the entire sector is going to have to move to standard OpRes models.” Ultimately, everyone wins if we have global standards by business flow (e.g. sell-side to buy-side OTC derivatives products traded on a venue).
Anne adds “I firmly believe that enlightened technology providers will recognize the onerous and complex nature of third-party risk management and become more vested in their clients’ success.” The urgency and detailed DORA regulation provides a great motivator to work collaboratively to meet the needs of the entire supply chain.”
Suppliers that can demonstrate this level of commitment and transparency will be the ones that their customers turn to in times of crisis. As Monica Sasso pointed out, “When a 19th of July 2024 CrowdStrike incident happens again, it’s not just the banks that are under the microscope.”
By aligning their operations and mindset with the principles of operational resilience, suppliers can position themselves as trusted partners, rather than mere vendors. This shift in perception can open the door to deeper, more strategic relationships that benefit both parties and keep regulators on the sidelines.
Becoming a Trusted Partner in Resilience
To solidify their role as trusted partners in resilience, suppliers must go beyond simply meeting compliance requirements. They need to proactively engage with their customers, offering insights, expertise, and innovative solutions that enhance overall operational resilience.
As Anne suggested, “I’ve been trying to help colleagues and customers understand that DORA says that you have to achieve certain target outcomes. It might be prescriptive in telling you what it expects to be achieved but it will never tell you how to get there and that you need to be delightful to do business with. Each organization has latitude to determine its own course and its own posture on these topics.”
Suppliers can leverage their unique position and expertise to help their customers navigate the complexities of operational resilience. This may involve collaborating on the development of industry-wide standards, sharing best practices, or even co-creating innovative solutions that address the specific needs of their customers
Listen to the experts in RegCast Season 5
Episode 5 – The Supply Chain Countdown
Show notes here; Spotify here; and Apple here
Conclusion
The countdown to 2025 marks more than just a compliance deadline; it signifies a pivotal moment for suppliers to redefine their roles in the operational resilience ecosystem. This shift requires more than just meeting regulatory checklists—it calls for suppliers to adopt a mindset of transparency, collaboration, and continuous improvement. By doing so, they not only align with evolving regulatory demands but also forge deeper, more strategic partnerships with their customers.
“This isn’t a legal thing. This isn’t just ‘no, this is a new way to put this stuff in the addendum, and I’m done,'” warned Monica Sasso, Red Hat’s Global Financial Services Digital Transformation Lead. “This is the beginning of a new way of operating and existing, and it’s not a tick box activity.”
The journey ahead may be challenging, but it is also rich with opportunity. Suppliers that embrace transparency, bridge internal silos, and actively engage with their customers’ resilience strategies will set themselves apart as trusted partners. In doing so, they stand to gain a competitive edge, strengthen customer relationships, and build a reputation as leaders in operational resilience.
The future of operational resilience isn’t about isolated efforts; it’s about a united, ecosystem-wide commitment to safeguarding services and navigating risks together. Suppliers who seize this moment with purpose and innovation will not just comply with regulations—they will thrive in the new era of resilience.
By transforming from vendors to valued partners, suppliers can turn this regulatory challenge into a strategic advantage, positioning themselves as essential allies in the evolving resilience landscape. As the clock ticks closer to 2025, the time for action is now.
Upgrade your OpRes with RegDelta
RegTech is at the forefront of better, faster, cheaper, and safer OpRes solutions for 2025 change programmes.
JWG’s OpRes RegDelta enables evergreen linkage with your policies, procedures, and contracts, boosted by our LLM partners, which your teams can interrogate, saving time in spotting and closing your gaps.
Learn how in our new 2-minute video.
Want to arrange a demo? Please contact Corrina.stokes@jwg-it.eu.
Learn more
We’ve come a long way since we published ‘DORA’s data problems begin in 400 days – already back of the pack?‘ here in July 2023! Discover how DORA differentiates itself from other directives and what it means for regulators, firms and suppliers alike in JWG’s research:
- DeFi RegTech Opportunities: 2025 here
- Scaling OpRes Mountain: The New Risk Frontier: here
- Navigating OpRes storms in 2025 here
- ‘EU vs. UK OpRes: Ready, Set, Resilient’ here
- ‘Winning the OpRes Marathon’ here
- ‘Taming the DORA dragon’ here for background
- RegTech Newsletter: here
- RegCast Season 5: Winning the OpRes Marathon here