
Board of Cyber joins the Forum des Compétences plenary session


Banks, insurers, and financial institutions are facing unprecedented cyber pressure. With the DORA regulation coming into force in January 2025, the NIS2 directive, and the growing wave of supply chain attacks, CISOs in the financial world are looking for benchmarks, methodologies, and peers to build collective responses. This is precisely the mission of the Forum des Compétences, which Board of Cyber will soon be joining for its plenary session.


Forum des Compétences: an expert community serving finance and insurance

Founded by and for information systems security (ISS) professionals and business continuity plan (BCP) specialists, the Forum des Compétences is the leading association dedicated to cybersecurity within the French financial sector. Its mission: to bring together cybersecurity teams in order to build shared practices, pool real-world feedback, and collectively raise the cyber maturity level of member organizations.

Working groups structured around the most critical challenges

The Forum des Compétences runs several permanent working groups, whose outputs lead to practical publications and recommendations:

  • Cyber rating and third-party assessment: building supplier evaluation programs, selecting frameworks, and engaging vendors in the process
  • Network and Information Security (NIS2) directives: transposition, operational implications, and compliance
  • Security functions outsourceable to the Cloud: governance, data sovereignty, and conditions for secure adoption
  • BCP and the impact of extreme attacks: business continuity in the face of major crisis scenarios
  • Cyber awareness: effectiveness of training programs and employee engagement
  • Regulation (DORA, NIS2, Solvency II): anticipating regulatory changes and adaptive strategies

These collective efforts result in publications and annual symposiums. In December 2025, the plenary session focused on post-quantum cryptography and its implications for the resilience of financial systems — a testament to the Forum's ability to anticipate upcoming technological shifts.


Why Board of Cyber is joining this plenary session

Board of Cyber, specializing in third-party cyber risk management (TPRM / TPCRM) and cyber rating of suppliers, shares with the Forum des Compétences the conviction that cyber resilience cannot be achieved in isolation. In a highly interconnected financial ecosystem — where every entity relies on dozens or even hundreds of ICT service providers — assessing the cyber posture of third parties has become a top strategic priority.

This participation follows naturally from our ongoing engagement with CISOs in the financial sector and our joint work with CESIN, formalized in the TPRM Observatory 2025. According to this observatory, 82% of respondents consider third-party cyber risk to be important or very important. Yet third-party risk management programs remain too often manual, fragmented, and difficult to scale.

Forum des Compétences member institutions, including Groupe Crédit Agricole and AXA France, have shared their experience managing third-party cyber risk in our Cyber Voices series. Their testimonials concretely illustrate the challenges the Forum addresses collectively with its members.


TPRM challenges at the heart of the financial sector's concerns

DORA mandates formalized management of ICT provider risk

Since January 17, 2025, the DORA regulation requires all European financial entities to structure their management of ICT service provider risk. This includes maintaining an information register, revising contractual clauses, conducting audits, and implementing exit strategies for critical providers.

These requirements are not theoretical: they demand dedicated resources, appropriate tools, and cross-functional governance involving CISO, legal, and procurement teams. The Forum des Compétences plenary is an opportunity to share real-world feedback from its members and compare the approaches adopted by major French financial institutions.

Cyber rating of third parties: from good intentions to industrialization

Assessing a supplier's cyber maturity cannot rely solely on their declarations. This is one of the key lessons Board of Cyber shares with CISOs: self-reported data (questionnaires, self-assessments) must be supplemented with factual evidence from continuous external monitoring. Open ports, expired certificates, unpatched vulnerabilities, presence of data on the dark web — these are objective signals that make it possible to qualify a supplier's actual risk, independently of what they claim.

When the supplier perimeter exceeds a few dozen third parties, the challenge becomes one of scale. How do you assess 500 suppliers with a team of two or three people? How do you prioritize in-depth audits for the vendors that truly warrant them? The answers lie in a structured TPRM approach, supported by tools capable of automating the collection, scoring, and tracking of remediation plans.


What Board of Cyber brings to the discussion

Our participation in the Forum des Compétences plenary is driven by a commitment to sharing expertise. Financial sector practitioners need concrete feedback, comparative data, and proven methodologies.

Board of Cyber brings the following to these discussions:

  • The findings of the TPRM Observatory 2025, conducted with CESIN among more than 170 CISOs, CIOs, and CTOs
  • An operational perspective on third-party cyber rating, drawn from deploying our solutions across organizations of all sizes and sectors
  • Concrete cases of TPRM industrialization, from 50 to more than 1,000 suppliers assessed
  • Our expertise on how regulation (DORA, NIS2) ties into third-party risk management practices

Our Security Rating and Trust HQ solutions were designed precisely to meet the constraints of CISO teams in the financial sector: high volumes, stringent regulatory requirements, and the need for structured reporting to supervisory authorities.

