Financial entities are still working towards compliance a year after DORA (the Digital Operational Resilience Act) came into application. A Censuswide survey found that 96% of institutions are struggling to adapt to the operational resilience act. Some organizations stand out by building resilience early, but there is a bigger story behind these efforts, and that is what this article unpacks.
DORA: Are Firms Ready?
Information and Communications Technology (ICT) is the core of the DORA (Digital Operational Resilience Act), and financial organizations are building systems to govern ICT disruptions. But the following issues have been identified so far:
Reliance on Non-Compliant Vendors
Vendor ecosystems are poorly governed, leading to multiple disconnected systems for sourcing, selection, and ongoing monitoring. Especially for non-critical vendors, this leaves gaps in oversight, boundaries, and ownership.
In several cases the operating model itself, with its outdated processes and siloed decision-making, produces non-compliance and slows the shift towards DORA-aligned supplier governance.
To eliminate shadow dependencies, companies can strengthen governance using Third-Party & ICT Resilience (TPRO), API-first enterprise integration, and technology optimization with VE3 services.
Inadequate Resilience Testing & Limited Scenario Coverage
Many firms still rely on basic continuity checks, resulting in missed end-to-end failover tests and crisis simulations.
Fragmented Mapping of Critical Functions & Dependencies
DORA requires clear mapping of critical services and all their dependencies, but most firms still operate with outdated architecture views that leave gaps in understanding how core services rely on external providers.
With robust lineage, semantic layers and event hubs, organizations can finally gain the real-time system visibility required for reliable dependency mapping. If you’re exploring how to strengthen this capability, we’re always open to conversation.
Unclear Impact Tolerances & Weak Governance Ownership
While DORA mandates impact tolerances for critical functions, many firms have yet to embed them into decision-making. Tolerances often exist on paper but are not tied to real system performance or investment priorities.
Recent payment system incidents, in which even backup systems failed, highlight the missing layer of accountability for tolerances, recovery times, and resilience oversight.
How Front-Runner Institutions Remedied Their Deepest DORA Weaknesses
Rebuilding End-to-End Resilience Testing
Many institutions discovered that their continuity checks were validating isolated systems while overlooking dependencies across payments, identity, fraud, and card-switching layers. These are the exact areas that tend to collapse during live incidents.
How Institutions Can Strengthen This Area:
- End-to-end journey rehearsals validating complete customer pathways, not just single systems.
- Fault injection and synthetic load across interconnected services to replicate real outage behavior.
- Automated execution of playbooks tied to incident tooling.
- A scenario library including region failures, degraded interbank networks, latency spikes, and third-party slowdowns.
Firms adopting this approach see faster failover, smoother operational coordination, and audit-ready evidence of severe-but-plausible testing. Boards receive clearer scorecards directly linked to impact tolerances.
Fixing Mapping Chaos
Multiple cloud and provider disruptions revealed a common weakness across financial organizations of limited visibility into upstream, downstream, and third-party dependencies.
Systems labelled “non-critical” were often found to play hidden roles that triggered wide blast-radius effects during platform degradation.
How Institutions Can Strengthen This Area:
- Automated dependency discovery using service-mesh telemetry, distributed tracing, and system interface logs
- Creating a "critical services" catalogue ranking systems based on real customer impact rather than internal assumptions
- Third-party dependency mapping to uncover shadow integrations, vendor APIs, and indirect service chains
- Business-process-to-technology linking to ensure every process has a fully mapped architectural footprint.
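As an added example that is not part of the original article or of any VE3 product, the script below puts the first two bullets into working code: it derives a caller/callee graph from distributed-tracing spans, computes each service's blast radius as the set of customer journeys that would fail with it, and flags services a CMDB labels "non-critical" that nevertheless sit underneath a customer journey. The span records, service names, journey list and CMDB labels are all constructed for the example; a real run would feed spans exported from the tracing backend.

```python
"""Derive service dependencies from distributed-tracing spans and rank services by the
customer journeys that would be hit if each one failed (its blast radius)."""
from collections import defaultdict

# Constructed sample spans for this example: (trace_id, span_id, parent_span_id, service).
# Each trace is one customer journey; a child span's service is called by its parent's service.
SAMPLE_SPANS = [
    # Card payment journey
    ("t1", "s1", None, "payments-api"),
    ("t1", "s2", "s1", "auth-service"),
    ("t1", "s3", "s1", "fraud-engine"),
    ("t1", "s4", "s3", "feature-store"),
    ("t1", "s5", "s4", "config-service"),
    ("t1", "s6", "s2", "config-service"),
    # Mobile login journey
    ("t2", "s7", None, "mobile-login"),
    ("t2", "s8", "s7", "auth-service"),
    ("t2", "s9", "s8", "config-service"),
    # Internal reporting, not customer-facing
    ("t3", "s10", None, "batch-reporting"),
    ("t3", "s11", "s10", "warehouse"),
    # Orphan span whose parent was never exported (incomplete trace); must not break the build
    ("t4", "s12", "s99", "payments-api"),
]

# Root services that are customer-facing journeys. Hypothetical names chosen for the example.
CUSTOMER_JOURNEYS = {"payments-api", "mobile-login"}

# Criticality labels as a CMDB might carry them (constructed). "config-service" is labelled
# non-critical even though both journeys depend on it: the label-versus-evidence gap.
CMDB_CRITICALITY = {
    "payments-api": "critical",
    "mobile-login": "critical",
    "auth-service": "critical",
    "config-service": "non-critical",
    "warehouse": "non-critical",
}


def build_dependency_graph(spans):
    """Return a caller -> set(callee) map derived from parent/child span relationships."""
    service_of = {span_id: service for _, span_id, _, service in spans}
    graph = defaultdict(set)
    for _, _, parent_id, service in spans:
        graph.setdefault(service, set())        # leaf services must appear as nodes too
        caller = service_of.get(parent_id)      # None for roots and for orphaned spans
        if caller is not None and caller != service:
            graph[caller].add(service)
    return dict(graph)


def transitive_dependencies(graph, root):
    """Every service `root` depends on directly or indirectly (iterative DFS, cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        for callee in graph.get(stack.pop(), ()):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def blast_radius(graph, journeys):
    """Map each service to the set of customer journeys that fail if that service fails."""
    impact = defaultdict(set)
    for journey in journeys:
        impact[journey].add(journey)
        for dep in transitive_dependencies(graph, journey):
            impact[dep].add(journey)
    return dict(impact)


def rank_by_customer_impact(spans, journeys):
    """Rank services by how many customer journeys sit on top of them, most first."""
    impact = blast_radius(build_dependency_graph(spans), journeys)
    ranked = [(service, sorted(affected)) for service, affected in impact.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


def label_mismatches(spans, journeys, cmdb):
    """Services labelled non-critical that nevertheless sit in a customer journey's path."""
    impact = blast_radius(build_dependency_graph(spans), journeys)
    return sorted(s for s, label in cmdb.items() if label == "non-critical" and impact.get(s))


if __name__ == "__main__":
    for service, affected in rank_by_customer_impact(SAMPLE_SPANS, CUSTOMER_JOURNEYS):
        print(f"{service:15s} affects {affected}")
    print("mislabelled:", label_mismatches(SAMPLE_SPANS, CUSTOMER_JOURNEYS, CMDB_CRITICALITY))
```

Ranking by the journeys a service sits under, rather than by its CMDB label, is what surfaces the shared configuration service here as a top-tier dependency; the orphaned span shows why the graph build has to tolerate incomplete traces rather than assume every parent was exported.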
Impact Tolerances to Decisions
Many firms continue to operate with unverified RTO (Recovery Time Objective) and RPO (Recovery Point Objective) values. You might have observed how stated tolerances often lack evidence, leading to confusion, misaligned expectations, and regulatory scrutiny.
How Institutions Can Strengthen This Area:
- Layered tolerances separating customer-facing limits, technical thresholds, and operational fallback windows
- Chaos and degradation testing for core systems, databases, message buses, and identity layers
- Performance stress testing for ML (Machine Learning) models and API-driven services under constrained compute
- Traceable governance linking tolerances to testing, monitoring, and board-level approval.
- Gen AI/ML enablement with model ops, paired with event-driven monitoring, ensures AI-driven payments, fraud, and risk engines withstand degraded conditions.
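The check below is an added example, not code from the original article or from VE3, showing how stated tolerances can be held against recovery-test evidence instead of being accepted on paper. Each service's layered tolerances (a customer-facing RTO, a tighter technical RTO, and an RPO) are compared with the latest measured recovery, and a tolerance with no test on record, a test that exceeded the limit, a test too old to count, or an inconsistent layering is called out. Service names, tolerance values and test timestamps are constructed for the example.

```python
"""Compare stated RTO/RPO tolerances with what recovery tests actually measured, and flag
tolerances that exist only on paper."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tolerance:
    service: str
    customer_rto: timedelta   # outage the customer-facing journey may absorb
    technical_rto: timedelta  # internal recovery target; should be tighter than customer_rto
    rpo: timedelta            # maximum tolerable data loss


@dataclass(frozen=True)
class RecoveryTest:
    service: str
    outage_start: datetime
    recovered_at: datetime
    last_consistent_write: datetime  # newest write guaranteed present after recovery


def measured_rto(test):
    return test.recovered_at - test.outage_start


def measured_rpo(test):
    return test.outage_start - test.last_consistent_write


def assess(tolerance, tests, as_of, max_age=timedelta(days=365)):
    """Return (status, findings) for one tolerance.

    unverified - no recovery test on record
    breached   - latest test exceeded the customer RTO or the RPO
    stale      - within tolerance, but the latest test is older than max_age
    warning    - within customer limits, but slower than the technical RTO
    verified   - a recent test met every layer
    """
    findings = []
    if tolerance.technical_rto > tolerance.customer_rto:
        findings.append("technical RTO is looser than the customer RTO; layers are inconsistent")
    relevant = [t for t in tests if t.service == tolerance.service]
    if not relevant:
        return "unverified", findings + ["no recovery test evidence"]
    latest = max(relevant, key=lambda t: t.recovered_at)  # only the newest test counts
    rto, rpo = measured_rto(latest), measured_rpo(latest)
    status = "verified"
    if rto > tolerance.customer_rto:
        status = "breached"
        findings.append(f"measured RTO {rto} exceeds customer RTO {tolerance.customer_rto}")
    if rpo > tolerance.rpo:
        status = "breached"
        findings.append(f"measured RPO {rpo} exceeds RPO {tolerance.rpo}")
    if status != "breached" and as_of - latest.recovered_at > max_age:
        status = "stale"
        findings.append(f"latest test on {latest.recovered_at:%Y-%m-%d} is older than {max_age.days} days")
    if status == "verified" and rto > tolerance.technical_rto:
        status = "warning"
        findings.append(f"measured RTO {rto} exceeds technical RTO {tolerance.technical_rto}")
    return status, findings


def assess_all(tolerances, tests, as_of):
    return {tol.service: assess(tol, tests, as_of) for tol in tolerances}


# Constructed data for the example: hypothetical services, tolerances and test records.
AS_OF = datetime(2025, 6, 30)
TOLERANCES = [
    Tolerance("payments-api", timedelta(hours=2), timedelta(minutes=45), timedelta(minutes=5)),
    Tolerance("auth-service", timedelta(hours=1), timedelta(minutes=30), timedelta(minutes=1)),
    Tolerance("fraud-engine", timedelta(hours=4), timedelta(hours=5), timedelta(minutes=15)),
    Tolerance("feature-store", timedelta(hours=6), timedelta(hours=2), timedelta(minutes=30)),
]
TESTS = [
    # Older payments test that blew the limit; superseded by the newer one below
    RecoveryTest("payments-api", datetime(2024, 11, 5, 2, 0), datetime(2024, 11, 5, 5, 10),
                 datetime(2024, 11, 5, 1, 58)),
    # Latest payments test: 38 min RTO, 2 min RPO
    RecoveryTest("payments-api", datetime(2025, 3, 10, 9, 0), datetime(2025, 3, 10, 9, 38),
                 datetime(2025, 3, 10, 8, 58)),
    # Auth failover took 2 h 15 min against a 1 h customer RTO
    RecoveryTest("auth-service", datetime(2025, 5, 2, 22, 0), datetime(2025, 5, 3, 0, 15),
                 datetime(2025, 5, 2, 21, 59)),
    # Feature store met its limits, but the evidence is from early 2024
    RecoveryTest("feature-store", datetime(2024, 2, 1, 1, 0), datetime(2024, 2, 1, 2, 30),
                 datetime(2024, 2, 1, 0, 45)),
]

if __name__ == "__main__":
    for service, (status, findings) in assess_all(TOLERANCES, TESTS, AS_OF).items():
        print(f"{service:14s} {status:10s} {'; '.join(findings)}")
```

The point of the separate statuses is that "unverified" and "stale" are governance findings as much as "breached" is: a tolerance nobody has exercised recently gives the board no evidence either way, which is exactly the gap the regulator probes.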
Cleaning Up Vendor Chaos
Fragmented sourcing systems, inconsistent contract language, and poorly understood ICT dependencies remain widespread.
How Institutions Can Strengthen This Area:
- A unified Third-Party Resilience framework covering onboarding, monitoring, continuity, and exit
- Consistent contractual standards offering incident transparency, resilience testing rights, and portability
- Finance Operations and ERP visibility supporting stronger vendor lifecycle management
- Automated cyber and operational intelligence to detect risk shifts in critical vendors
- Joint resilience tests with providers to validate end-to-end recoverability and data-portability pathways
This reduces vendor sprawl, uncovers hidden dependencies, and produces regulator-ready profiles of third-party resilience.
Multi-Cloud Recoverability
Region-level and provider-level outages highlighted how many firms still rely on single-cloud or single-region architectures for their most critical journeys. This creates operational exposure and material concentration risk.
How Institutions Can Strengthen This Area:
- Active regional design for onboarding, payments, authentication, and fraud services
- Secondary cloud pathways for analytics, decisioning, or identity workloads
- Message-broker abstraction layers allowing services to operate across cloud-native messaging ecosystems
- Drift detection and configuration baselines to keep multi-cloud environments aligned and stable
With this, availability improves across customer-critical journeys, concentration risk decreases, and institutions achieve smoother regulatory outcomes. Multi-cloud routing maintains continuity even during severe provider outages.
How VE3 Solutions Align to These Weaknesses
1. Third-Party Risk & ICT Resilience
Fragmented vendor governance and hidden dependencies don’t have to limit operational resilience. With unified visibility and automated intelligence, organizations can coordinate across their ecosystem and see how risks and recoverability measures interact in real time.
2. Mapping, Lineage & Registers of Information
Static diagrams become living representations of systems, processes, and data flows. Understanding dependencies and how information moves across the enterprise and its partners allows firms to anticipate ripple effects before they occur.
3. Testing, Automation & Scenario Coverage
VE3 enables severe-but-plausible testing aligned to real operational failures.
- End-to-end journey testing across payments, fraud, identity, and servicing
- Fault injection and degradation testing
- Automated playbooks integrated with incident tooling
- Scenario libraries covering cloud, region, network, and vendor failures
4. Impact Tolerances Embedded into Decisions
Recovery objectives, operational limits, and governance decisions become part of day-to-day processes. By making tolerances observable and measurable using VE3 solutions, organizations can act confidently under pressure without relying on static guidelines.
5. Multi-Cloud & Concentration Risk Reduction
VE3 reduces concentration risk by enabling "recoverable, portable architectures" across providers and regions. Dependence on a single provider or region doesn’t have to be a vulnerability. Resilient architectures and cross-cloud portability allow critical services and analytics to continue uninterrupted, even when unexpected disruptions occur.
Conclusion
In a voluntary 2024 "dry run" for the registers of information under the Digital Operational Resilience Act (DORA), almost 1,000 financial entities submitted data on their ICT third-party arrangements. Yet only 6.5% of those submitted registers passed all 116 data-quality checks.
This is a tangible indicator that many firms remain far from the baseline needed for full regulatory compliance.
If you're assessing how to close these resilience gaps through stronger integration, lineage, and third-party resilience practices, VE3 supports institutions in establishing these foundations without heavy disruption. A conversation can often clarify what's achievable faster than expected.