How the Cloudflare Outage exposed the hidden threat of Fourth-Party risk
The November 18, 2025 Cloudflare outage demonstrated how organizations face hidden risks from "fourth-party" dependencies, resulting in the need for comprehensive supply chain visibility and resilience planning, especially as regulators like the EU increasingly require financial entities to map and manage their entire chain of ICT dependencies.
Chris Sallen
December 17, 2025

On the morning of November 18, 2025, chaos rippled across the digital world. Zoom meetings couldn’t connect, design teams couldn’t access their Figma files, and financial services and public transit systems experienced failures. Maybe you felt this too, when Spotify stopped playing music, DoorDash wouldn’t place your order, and ChatGPT wasn’t responding to your questions about why your meal delivery app wasn’t working.

The culprit? A single configuration bug in Cloudflare's Bot Management system. For several hours, one of the internet's most critical infrastructure providers experienced a cascading failure that brought down large swaths of the web.

If you’re an organization relying on a third party that went down because of Cloudflare, you know the scary truth all too well: you didn't choose Cloudflare, but you felt the impact because your third-party vendor did.

The Invisible Dependencies You Never Knew You Had

When you integrate a third-party service, you're making a conscious choice. You review their SLAs and security certifications, and you feel pretty good about their uptime guarantees.

But what about the vendors your vendors depend on? These "fourth parties" (and fifth, and sixth...) form an invisible web of dependencies that many organizations never map, let alone plan for.

Consider what happened when Cloudflare's Bot Management feature file became corrupted:

  • Direct Cloudflare customers saw HTTP 500 errors or incorrect bot scoring
  • Services using Cloudflare (say, Coinbase) became unavailable
  • Applications depending on those services (say, a trading firm) failed downstream
  • End users couldn't use their tools as intended (say, investors being unable to execute time-sensitive trades)

Each layer amplified the impact. A bug in one system cascaded through four or more layers of dependencies in minutes. And if you’re that trading firm relying on Coinbase, which in turn relies on Cloudflare, then you’re suddenly tangled in that invisible web.

The Concentration Risk Nobody Talks About (And Regulators Are Starting to Notice)

When a provider like Cloudflare experiences issues, the impact is massive precisely because it has become infrastructure for the infrastructure.

And this concentration risk is no longer just a theoretical concern - it's catching regulatory attention. The European Union's Digital Operational Resilience Act (DORA) includes specific requirements around subcontracting and the entire chain of ICT dependencies. The recently adopted Regulatory Technical Standards (RTS) on subcontracting make this explicit: financial entities must assess risks along the entire subcontracting chain, maintain visibility into which services can be subcontracted and under what conditions, and ensure they can identify the full chain of ICT subcontractors supporting critical functions.

What's striking about DORA's subcontracting RTS is that they recognize exactly what the November 18 Cloudflare outage demonstrated: your vendor's dependencies are your problem. The RTS require financial entities to assess whether their ICT service providers' contractual arrangements with subcontractors allow the financial entity to comply with its own obligations. In other words, you can't just trust your vendor to manage their vendors—you need visibility and contractual protections that extend down the entire chain.

While DORA applies specifically to EU financial entities, the principle it embodies is universal: if you depend on a service, you need to understand and plan for the dependencies that service has on others. Just because you don’t use a particular provider doesn’t mean your vendor doesn’t.

Questions You Should Be Asking Right Now

If you're responsible for your organization's reliability, availability, or risk management, here are some questions you could ask yourself:

  1. If something like this happened again to Cloudflare (or AWS, or any core infrastructure software), which of our vendors would be affected, and are any of those vendors critical to our operations?
  2. Can we operate in degraded mode when external dependencies fail?
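Answering the first question requires a dependency map that goes past your direct vendors. The following is an added example, not code from the original post or from Clarative: it builds a small constructed vendor graph modelled on the post's Cloudflare → Coinbase → trading-firm chain (all vendor names and the "critical" set are assumptions) and computes which services, and which critical vendors, would be affected if one upstream provider failed.

```python
# Added example (not from the original post): a minimal fourth-party
# dependency map that answers "if Cloudflare fails, which of our vendors
# are affected, and which of those are critical?"
# All service names below are constructed for illustration.
from collections import deque

# Constructed sample: each key is a service, each value the services it
# depends on. Edges beyond our direct vendors are the "fourth-party" links.
DEPENDENCIES = {
    "our-trading-platform": ["coinbase-api", "market-data-feed", "internal-ledger"],
    "coinbase-api": ["cloudflare"],   # mirrors the post's example chain
    "market-data-feed": ["aws"],
    "internal-ledger": [],
    "cloudflare": [],
    "aws": [],
}

# Direct vendors we consider critical to operations (assumption).
CRITICAL = {"coinbase-api", "internal-ledger"}


def reverse_graph(deps):
    """Invert the dependency map: provider -> set of services that use it."""
    rev = {name: set() for name in deps}
    for service, providers in deps.items():
        for provider in providers:
            rev.setdefault(provider, set()).add(service)
    return rev


def blast_radius(deps, failed):
    """Every service that transitively depends on `failed`, mapped to the
    hop count at which it is reached (1 = uses `failed` directly).
    Breadth-first traversal; already-seen nodes are skipped, so cycles
    in the vendor graph terminate."""
    rev = reverse_graph(deps)
    affected = {}
    queue = deque((s, 1) for s in rev.get(failed, ()))
    while queue:
        service, depth = queue.popleft()
        if service in affected:
            continue
        affected[service] = depth
        queue.extend((d, depth + 1) for d in rev.get(service, ()))
    return affected


def affected_critical_vendors(deps, failed, critical):
    """Critical vendors that would go down if `failed` had an outage."""
    return sorted(v for v in blast_radius(deps, failed) if v in critical)
```

Feeding the map a real vendor inventory (including the subcontractors each vendor discloses) turns question 1 into a query you can re-run whenever a provider like Cloudflare or AWS has an incident.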

The Wake-Up Call

The November 18 Cloudflare outage isn't an anomaly. It's a warning. We’ll likely see more of these incidents as organizations consolidate around fewer infrastructure providers and as the complexity and scale of these systems grow.

The question, then, isn't whether your fourth-party dependencies will fail. The question is whether you'll be ready when they do.

Have questions about mapping your fourth-party dependencies or building resilience against cascade failures? Want to share your own experiences with dependency chain outages? Contact Clarative to see how our platform can help you achieve comprehensive supply chain visibility.
