
The Digital Operational Resilience Act (DORA) takes effect

  • Writer: Neil Mathieson
  • Jan 17

Impacts 20,000 EU financial institutions and their global ICT suppliers.

Increased surveillance for financial services firms and their ICT providers.

Take-Aways

  • New regulation applies to 20,000+ financial institutions in the EU and their third-party ICT suppliers regardless of location.

  • DORA seeks to improve digital operational resilience in the financial sector by creating requirements for the security of ICT networks and systems.

  • The regulatory standard is higher and more prescriptive, with increased requirements in risk management, testing, incident management, reporting, information sharing and vendor management.

  • Some exemptions apply and DORA is proportionate, but market participants must ascertain their status and readiness.



What is the Digital Operational Resilience Act?

On 17 January 2025, the Digital Operational Resilience Act (DORA) became mandatory. The regulation seeks to improve the management of operational risk and business continuity relating to ICT in EU financial services.


With 70+ pages and hundreds of requirements, DORA represents a significantly higher regulatory standard than before, especially for small FinTechs that fall in scope for the first time.



Why is the Digital Operational Resilience Act required?

Financial services in Europe have undergone massive digitalisation in the past two decades, as financial institutions have embraced cost, service and data benefits (push) and consumers the anywhere, anytime, personalised service (pull). In parallel, many ICT services were outsourced to third-party providers around the world. Operational risk increased.


Regulation of ICT in EU financial services has also become fragmented. Different sectors have different requirements – NIST, MiFID II, PSD2, MiCA, etc. At a country level, local authorities often interpret and implement EU regulation differently. Such inconsistency creates uncertainty for regulators, and increased complexity and cost for financial institutions.



What is Digital Operational Resilience?

Digital operational resilience is defined as “the ability of an entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by information and communication technology (ICT) third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which an entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.



Why does Digital Operational Resilience matter?

  1. Operational resilience sends a strong message to regulators and cyber criminals.


  2. Operational resilience reduces outages that damage revenues and brand trust.


  3. Many financial institutions hold capital in operational risk reserves; this could be optimised.


  4. Regulatory enforcement is expensive and damages trust.

 

With strong linkages to financial outcomes, many CTOs and CIOs will view DORA as an opportunity to review their technology stack and optimise for risk, cost, performance and scalability.



What is the scope of the Digital Operational Resilience Act?

  1. Setting requirements applicable to financial entities in relation to:

    1. ICT risk management

    2. Reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities

    3. Reporting of major operational or security payment-related incidents to the competent authorities

    4. Digital operational resilience testing

    5. Information and intelligence sharing in relation to cyber threats and vulnerabilities

    6. Measures for the sound management of ICT third-party risk


  2. Setting requirements for the contractual arrangements between financial entities and ICT third-party service providers.


  3. Setting rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers.


  4. Setting rules on co-operation among competent authorities, and rules on supervision and enforcement by competent authorities.

 

Although many requirements in DORA align with established frameworks, it is important to review each one against the regulation.



Who is affected by the Digital Operational Resilience Act?

DORA applies to a wide range of ‘financial entities’ registered in the EU:


  • credit institutions

  • payment institutions

  • electronic money institutions

  • account information service providers

  • investment firms

  • crypto-asset service providers 

  • central securities depositories

  • central counterparties

  • trading venues

  • trade repositories

  • managers of alternative investment funds

  • management companies

  • data reporting service providers

  • insurance and reinsurance undertakings

  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries

  • institutions for occupational retirement provision

  • credit rating agencies

  • administrators of critical benchmarks

  • crowdfunding service providers

  • securitisation repositories

 

DORA applies to both in-house and third-party ICT providers regardless of their location, including:


  • Core banking systems

  • Credit scoring systems

  • Treasury management systems

  • Payment gateways

  • Hosting providers

  • IT outsourcing providers



Proportionality in the Digital Operational Resilience Act

Financial entities are required to implement DORA using the principle of proportionality, meaning they consider their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.



DORA Checklist for Financial Institutions

  1. Understand applicability of DORA to your entity by checking local regulatory guidance. Confirm proportionality.


  2. Confirm requirements, bearing in mind DORA involves increased requirements and applies to internal and external ICT arrangements.


  3. Undertake a gap analysis of current ICT frameworks versus DORA requirements.


  4. Realign ICT plans, frameworks and operations to comply. Update policies and procedures.


  5. Renegotiate contracts with ICT providers as necessary.


  6. Conduct ongoing risk identification, management, and reporting processes. 


  7. Perform periodic resilience testing, including threat-led penetration testing for larger entities. 


  8. Manage ICT risks associated with third-party providers, including their compliance with contractual obligations.



DORA checklist for ICT Providers

  1. Ensure your register of contractual arrangements with clients is up to date.


  2. Understand whether your clients are in scope for DORA; certain exemptions can apply.


  3. Confirm your classification under DORA. Critical Third-Party Providers (CTPPs) fall under the direct supervision of the European Supervisory Authorities (ESAs), which can conduct inspections, enforce compliance, and impose fines. Non-critical providers are not directly supervised but must comply with contractual obligations, which may be amended due to DORA.


  4. Review current operation versus DORA requirements in risk management, testing, incident management, reporting, information sharing and vendor management.


  5. Speak to all clients about how they interpret DORA and what technological and non-technological changes will arise. Make this cross-functional as DORA creates legal and commercial considerations.


  6. Prepare for increased scrutiny of your risk framework:

    • do we have adequate governance (roles, responsibilities, accountability)?

    • do we maintain adequate documentation (policy, process, technical)?

    • does the risk framework cover ICT and non-technical factors?

    • is the risk framework regularly updated?

    • is risk assessment effective?

    • do we have supplier risks?

    • are security measures robust (encryption protocols, vulnerability management, access control)?

    • is testing regular?

    • do we fix vulnerabilities?

    • have we a tested approach to incident response (classification, process, procedure, SLAs)?

    • have we a tested approach to remediation?

    • do we report transparently?


  7. Implement the required changes to demonstrate compliance with the higher standard, ongoing management, and the ability to respond and recover.



How we help with the Digital Operational Resilience Act

We provide expert advice to help financial institutions and IT companies understand FinTech strategy, regulation and technology. We can help you navigate DORA; create structures to withstand, respond and recover from disruptions; and find technology partners to improve your approach.


Contact Us to arrange an introductory call or subscribe for news updates on regulation.



 


DORA References

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance): https://eur-lex.europa.eu/eli/reg/2022/2554/oj



