January 17, 2025 marks a milestone for the EU’s Digital Operational Resilience Act (DORA), as financial entities across the EU must now fully comply with its requirements. While no longer in the EU, UK financial firms still need to comply for any cross-border activity. Once again, Brexit doesn’t really mean Brexit when it comes to GRC!
But while DORA aims to bolster operational resilience, it hasn’t yet convinced senior cybersecurity professionals that their weakest link—supply chain security—is any stronger. A recent study by Green Raven Limited, conducted in partnership with Censuswide, reveals insights into the state of supply chain cybersecurity. Despite the extensive preparations financial entities have made for DORA, confidence in the resilience of supply chains remains tepid at best.
The Numbers Don’t Lie
The research surveyed 200 senior cybersecurity professionals, including 21 from the financial sector, all representing UK organisations with over 1,000 employees. The findings are clear:
- 44% of all respondents acknowledged their supply chain is the weakest part of their cybersecurity.
- In the financial sector, the figure was 43%, virtually identical to the broader sample.
Source: Censuswide 2025
What’s concerning is that even after preparing for DORA, so many still see their supply chains as the weakest link. This raises an important question: for those who don’t rank supply chain security as their greatest concern, what is? Could it mean some financial organisations have addressed supply chain risks effectively during their DORA preparations, or does it indicate other areas of cybersecurity are more precarious? On the other hand, 87% of the UK businesses surveyed said they were compliant by October 17th for the related EU NIS 2 deadline.
Supply Chain Risk: Still Top of Mind
For banks and other financial institutions, Third-Party Risk Management (TPRM) has long been a priority, and DORA’s provisions specifically mandate enhanced oversight of ICT suppliers. Yet Green Raven’s research found that an even higher proportion—53% of senior cyber professionals working in supply chain-related roles—identified supply chains as their weakest link.
This doesn’t necessarily mean these organisations lack confidence in their overall cybersecurity posture. Rather, it underscores the complex, multifaceted risks supply chains pose—risks that remain a dominant concern, even with frameworks like DORA in place.
The Takeaway
DORA compliance is a step forward for operational resilience, but it’s clear the journey is far from over. Supply chains remain a critical vulnerability, and addressing this requires more than ticking regulatory boxes—it demands proactive, continuous oversight and investment in robust monitoring solutions.
As financial organisations adapt to DORA, the real question isn’t whether compliance alone will reduce risk, but whether these efforts will translate into a stronger, more resilient supply chain.
The bottom line for all businesses, UK or otherwise, is that being compliant doesn’t protect you from a cyberattack. It just means that the minimum legal requirements have been met, and a penalty may be avoided (but this is not guaranteed). Finally, compliance legislation is always playing catch-up with current cyberattack methods and trends, and is often years behind by the time it finally becomes law.
More on this from KuppingerCole
Software Supply Chain Security: Are You Importing Problems?
A Pragmatic View of Software Supply Chain Security
From SolarWinds to Zero Trust: Rethinking Supply Chain Security
Smart Sourcing: The Key to Secure Supply Chains