Forced supplier exit: when “just terminate the contract” stops being realistic 


There’s an idea in DORA, the EU’s Digital Operational Resilience Act, that sounds like it belongs in a Cold War handbook rather than a compliance framework: forced supplier exit. (The regulation’s own wording is drier: financial entities must keep exit strategies for the ICT providers behind their critical or important functions, and must be able to terminate when a provider materially fails on security or on its obligations. The effect is the same.) 

It has the energy of someone slamming a big red button. The nuclear option. The “right, that’s it” moment. 

But when you sit with it for five minutes, you realise it isn’t actually dramatic at all. It’s painfully practical. It’s what happens when an organisation finally admits something most of us already know, but don’t like saying out loud: 

You can’t always fix a supplier. 

Sometimes you have to leave them behind. 

And the uncomfortable part isn’t the decision. It’s whether you can survive the decision. 

Because “forced supplier exit” isn’t really about terminating a contract. That’s the easy bit, at least legally. Forced exit is about being able to say: 

“We’re ending this relationship because you’ve failed materially on security or privacy… and we can do it without our service collapsing.” 

That last clause is what makes it such a powerful concept. 

Most organisations can walk away from a supplier on paper. But in the real world, suppliers aren’t sitting politely outside the business like a removable accessory. They’re inside the bloodstream. They host the data, manage the devices, support the networks, run the tooling, integrate into workflows, and sometimes hold the keys — literally, through identity and privileged access, or indirectly through operational knowledge you can’t quickly replace. 

They aren’t “external”. They’re part of the system. 

Which is why supplier failure so often stops being a procurement issue and becomes a resilience problem. 

What tends to happen is this: the supplier messes up once, and everyone is irritated but optimistic. There’s a meeting. There’s a corrective plan. There are words like “lessons learned” and “strengthened controls” and “renewed commitment” sprinkled across the minutes like parmesan. 

Then it happens again. 

And again. 

Not necessarily in the same way each time, but the pattern is familiar: patching that slips, access that’s too broad, incidents that are reported late or thinly, mysterious subcontractors appearing like plot twists, and a persistent inability to show evidence that the basics are under control. 

At this point, a strange sort of inertia sets in. 

You know it’s not good. They know it’s not good. Everyone has that quiet feeling that you’re tolerating something you shouldn’t. But the supplier stays anyway, because leaving feels worse than staying. 

It’s rarely because organisations don’t care about security or privacy. It’s because organisations are coupled to suppliers in ways they didn’t fully appreciate at the start. Integrations are tight. Data exports aren’t clean. Documentation is patchy. Processes have been built around the supplier’s quirks. The supplier’s engineers know the system better than your own team does. The contract contains exit clauses, but the reality contains dependencies. 

So the organisation becomes trapped in a situation where the supplier keeps failing and the customer keeps “managing” it, because the alternative looks like operational chaos. 

That’s the moment DORA is quietly pointing at. 

Forced supplier exit isn’t a threat. It’s a test of maturity. 

It asks: have you built your organisation to withstand disappointment? 

Because the fact is, suppliers will let you down sometimes. That’s not cynicism; it’s life. The question is whether you have designed your services, your governance, and your contracts in a way that allows you to respond like adults, rather than like hostages. 

Outside finance, the same problem is everywhere — and arguably in more complex forms. Defence supply chains, critical national infrastructure, local authorities, education, healthcare, MSPs, hosting, SaaS platforms, CCTV providers, OT maintenance partners… these relationships are not peripheral. They are deeply embedded in operational reality. 

In government and defence, the stakes often shift from “business risk” into “assurance and trustworthiness”. A supplier that repeatedly fails isn’t just a nuisance; it becomes a programme risk. Confidence erodes, and exit can look like termination, exclusion from frameworks, or removal from future tenders. Sometimes the exit happens in stages: access is stripped first, new work is frozen, and the supplier is slowly moved out of the environment because the risk has become too great to tolerate. 

In CNI and OT-heavy environments, exit can’t always be fast. You’re not swapping out a SaaS contract; you’re dealing with physical systems and uptime requirements. But forced exit still exists there — it just looks different. Sometimes it means containment first: cutting unsafe remote access, enforcing hard separation, rebuilding control of credentials, insisting on proper documentation, and bringing in a replacement provider in a controlled way. The “exit” is less a dramatic departure and more a structured decoupling. It’s still the same principle: when a supplier repeatedly proves unsafe, the organisation must be able to move away without causing a second emergency. 

In healthcare, education, and local authorities, the driver can be privacy, safeguarding, and public trust. The failures might not always be spectacular, but repeated weak handling of sensitive data eventually becomes unacceptable. At that point, staying is no longer “pragmatic”. It becomes negligent. Exit is harder because continuity matters and records integrity matters, but the core question is the same: can you remove a supplier that can’t meet the standard, without breaking the service you’re responsible for? 

And in the world of data centres, hosting and MSPs, the forced exit reality check is painfully simple. Could you extract your data cleanly? Could you keep your logs and evidence? Do you control your keys and identity or do they? Could you move without losing observability, auditability, and operational control? If the answer is “not really”, then you’re not resilient — you’re dependent. 

Suppliers can sense when you can’t leave. It changes the relationship. 

You don’t need to be confrontational to acknowledge that. It’s just economics and psychology. If a supplier knows you’re trapped, they have less incentive to improve. If they know you can walk away, they have to take security and privacy seriously in order to keep the work. That’s not cruelty. That’s accountability. 

So what does “forced exit readiness” look like in practice, without turning every contract into a novel? 

It starts with clarity. You need to define what “material failure” means in your environment. Not as a vague feeling, but as thresholds and patterns you can point to and evidence. Repeated failure to patch critical vulnerabilities within the agreed window. Failure to notify incidents within the contracted time. Refusal or inability to provide evidence when asked. Subcontractors you never approved. Recurring resilience failures. A material privacy breach followed by weak corrective action. These aren’t “bad days”. They’re signals that a supplier may not be safe to keep, and writing them down in advance is what lets you act on them without the decision turning into an argument. 

Then you need containment. The ability to reduce blast radius before you exit. This is what stops supplier problems becoming an all-or-nothing dilemma. Can you revoke privileged access quickly, which in practice means the supplier’s accounts live in, or are federated to, an identity provider you control, so revocation is one action on your side rather than a request to them? Can you separate the supplier from the systems they touch? Can you ensure logging and monitoring aren’t entirely under supplier control, so the evidence of what they did survives their departure? Can you keep identity and encryption strategies portable enough that a migration doesn’t become a black hole, with keys held by you rather than by the supplier? 

Then you need contractual reality. Data export guarantees. Transition support. Evidence requirements. Audit rights. Control over subprocessors. Termination rights tied to material security and privacy failings. These don’t make you resilient on their own, but they stop you being delayed and obstructed when you need to act. 

And then there’s the bit most organisations skip because everyone is busy: rehearsal. 

Not a big theatrical exercise. Just a practical scenario: 

“Supplier X has repeatedly failed on security and cannot evidence remediation. We must exit in 30 days. What breaks first?” 

If nobody can answer that without panic, then you don’t really have an exit plan. You have a hope. 
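One way to make that rehearsal concrete is to model it. The following is an added example, not code from the article or from Advent IM: a small Python model of the containment and portability checks from the earlier paragraph (who else holds admin, where the logs go, who holds the keys, whether there is a documented export) run against a constructed inventory of four systems. The supplier name, system names, account names and field layout are all assumptions for illustration. It answers the “what breaks first?” question for a given supplier and separates the supplier access you can revoke today from the access you must hand over before you can revoke it.

```python
"""Forced-exit rehearsal: which services break first if a supplier's access
is revoked today?  Added example; inventory below is constructed sample data."""

from dataclasses import dataclass

OURS = "us"
SUPPLIER = "SupplierX"  # hypothetical supplier being exited


@dataclass(frozen=True)
class Principal:
    name: str
    owner: str         # who controls the credential: OURS or a supplier name
    privileged: bool   # admin-level access to the system


@dataclass(frozen=True)
class System:
    name: str
    critical: bool
    principals: tuple          # accounts and roles that can touch the system
    log_sinks: tuple           # where its logs are shipped
    key_custodian: str         # who holds its encryption keys
    export_documented: bool    # tested way to get the data out?


# Who controls each log destination (assumption for the sample data).
SINK_OWNERS = {"our-siem": OURS, "supplierx-siem": SUPPLIER}

# Constructed inventory: four systems the supplier touches in different ways.
INVENTORY = (
    System("payments-db", True,
           (Principal("dba-supplierx", SUPPLIER, True),
            Principal("dba-internal", OURS, True)),
           ("supplierx-siem", "our-siem"), OURS, True),
    System("edge-firewalls", True,
           (Principal("fw-admin-supplierx", SUPPLIER, True),),   # sole admin is the supplier
           ("supplierx-siem",), OURS, False),
    System("hr-portal", False,
           (Principal("portal-admin", OURS, True),
            Principal("support-supplierx", SUPPLIER, False)),
           ("our-siem",), SUPPLIER, True),
    System("backup-vault", True,
           (Principal("backup-ops-supplierx", SUPPLIER, True),
            Principal("backup-ops", OURS, True)),
           ("our-siem",), SUPPLIER, False),
)


def assess_exit(inventory, supplier, sink_owners):
    """Return {system name: [problems]} describing what would hurt if the
    supplier's access were revoked today.  A system we still administer
    ourselves, with our own logs, our own keys and a documented export,
    comes back with an empty list."""
    report = {}
    for s in inventory:
        problems = []
        ours_priv = any(p.privileged and p.owner == OURS for p in s.principals)
        theirs_priv = any(p.privileged and p.owner == supplier for p in s.principals)
        if theirs_priv and not ours_priv:
            problems.append("orphaned_admin")         # revoke them and nobody can administer it
        if s.log_sinks and all(sink_owners.get(k) == supplier for k in s.log_sinks):
            problems.append("blind_after_exit")       # all evidence lives in their tooling
        if s.key_custodian == supplier:
            problems.append("keys_held_by_supplier")  # data is portable only with their help
        if not s.export_documented:
            problems.append("no_export_path")
        report[s.name] = problems
    return report


def what_breaks_first(inventory, report):
    """Order systems by how badly a short-notice exit would hurt: critical
    systems first, then by number of unresolved problems.  Clean systems
    are omitted."""
    index = {s.name: s for s in inventory}
    hurt = [n for n, p in report.items() if p]
    return sorted(hurt, key=lambda n: (not index[n].critical, -len(report[n]), n))


def revocable_now(inventory, supplier, report):
    """Supplier principals that can be revoked today without orphaning a
    system: the containment step that shrinks blast radius before the
    contractual exit even starts.  Orphaned systems need a handover first."""
    out = []
    for s in inventory:
        if "orphaned_admin" in report[s.name]:
            continue
        out.extend(p.name for p in s.principals if p.owner == supplier)
    return out


if __name__ == "__main__":
    rep = assess_exit(INVENTORY, SUPPLIER, SINK_OWNERS)
    for name in what_breaks_first(INVENTORY, rep):
        print(f"{name}: {', '.join(rep[name])}")
    print("revoke today:", revocable_now(INVENTORY, SUPPLIER, rep))
```

The useful output is not the list itself but the gap it exposes: in this sample the firewalls are critical, administered only by the supplier, logged only to the supplier’s SIEM and have no documented export, so the 30-day clock starts with a handover and a log-forwarding change, not with a revocation. Keeping an inventory in this shape (even as a spreadsheet) is what lets the rehearsal be answered without panic.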

That’s why the phrase “forced supplier exit” matters so much. It doesn’t invite drama. It invites honesty. 

It asks whether your organisation is structured to cope with supplier failure as a normal part of the modern ecosystem — not as a freak event that happens to other people. 

Because resilience is not how well you operate when everything behaves. 

Resilience is how well you respond when something you depended on turns out not to deserve the trust you gave it. 

And the organisations that will do best in the next few years won’t just be the ones with neat procurement processes and polished supplier scorecards. 

They’ll be the ones who can walk away calmly. 

Not out of spite. 

Out of maturity. 

 

The board-level “so what?” (the bit that matters in minutes) 

If a supplier holds sensitive data, has privileged access, or supports a critical service, then the ability to exit them safely is not a procurement detail. It’s a resilience control. 

The questions boards and senior leaders should be asking aren’t only “Are they secure?” but: 

Do we have clear thresholds for unacceptable supplier behaviour?
Could we contain the risk quickly if we needed to?
Do we have contractual and technical portability?
Have we rehearsed what leaving looks like? 

Because the day you discover you need to exit is never the day you have time to invent the process. 

 

Ellie Hurst, Advent IM
