Subject: Proactive third-party cybersecurity monitoring in the financial sector under DORA
Title: Cybersecurity risk management in outsourcing: a proactive approach to third-party monitoring under DORA
Abstract:
In today’s digital landscape, organizations increasingly rely on third-party service providers for critical IT functions. While this dependence enhances operational efficiency, it also introduces significant cybersecurity risks. In response to the rise in cyber-attacks and the need for stronger digital resilience in the financial sector, the European Union introduced the Digital Operational Resilience Act (DORA), which from January 17, 2025, mandates all financial entities and third-party ICT providers to strengthen their IT security and ensure resilience against cyber threats. Although DORA outlines key responsibilities for third-party risk management, it lacks concrete guidance on how financial entities should monitor their outsourcing partners, leaving a gap that neither academic literature nor current industry practices have yet adequately addressed. This study addresses that gap by identifying practical barriers to effective third-party monitoring and proposing structured, forward-looking steps for improving oversight in line with DORA. Using a qualitative methodology, the research integrates a literature review with semi-structured interviews conducted with experts in DORA, cybersecurity, and third-party risk management, offering both theoretical and practical insights. Findings reveal that while financial entities recognize the need for proactive monitoring, many lack the internal capacity and organizational readiness to implement it, as many are still in the process of establishing baseline compliance. To move toward proactive monitoring, financial entities should start by developing a comprehensive inventory of all third-party relationships, classifying them by criticality, and strengthening internal capabilities. Establishing regular evaluations and KPI-driven service-level reporting provides a strong foundation for oversight, which could later be enhanced through advanced technologies such as AI.
Key words: Digital Operational Resilience Act, compliance, cybersecurity, third-party risk management, proactive monitoring