
Understanding the Digital Operational Resilience Act
The European Union’s Digital Operational Resilience Act (DORA) is a regulation designed to strengthen the digital resilience of financial institutions across the EU. As financial services become more dependent on digital systems, the operational resilience of these systems is paramount. DORA aims to protect the integrity of the EU financial markets by ensuring that financial institutions have robust ICT systems in place and can recover swiftly from disruptions. While DORA specifically targets the EU financial sector, its effects ripple across the global economy, presenting new opportunities, challenges, and considerations for both EU and non-EU entities, particularly for third-party ICT service providers.
What is DORA?
The Digital Operational Resilience Act is a comprehensive piece of legislation introduced by the European Commission to enforce operational resilience across EU financial institutions. It focuses primarily on:
- Ensuring ICT systems are reliable, secure, and resilient.
- Creating incident reporting frameworks for ICT disruptions.
- Establishing risk management processes for third-party ICT service providers.
- Enforcing continuous monitoring and regular testing of systems to identify and mitigate vulnerabilities.
For the first time, DORA creates binding requirements for the management and oversight of ICT risks across the entire financial services value chain. The regulation covers a wide range of financial entities, from banks and insurers to payment service providers and investment institutions.
Who does DORA apply to?
DORA applies to almost all financial institutions operating in the EU, including:
- Banks and building societies
- Insurance companies and pension funds
- Investment firms and stock exchanges
- Payment service providers (e.g. fintech firms, e-money institutions)
- Crypto-asset service providers
- Credit rating agencies
- Third-party ICT service providers (e.g. cloud computing, cybersecurity providers, data centres) that support the financial sector with IT services.
What are the main requirements of DORA?
DORA is the first regulation to create a single, unified framework for digital resilience across all financial institutions in the EU. However, many of its core principles already existed in previous EU regulations and industry standards (e.g. NIS, NIS2, Cyber Resilience Act, and PSD2).
The main requirements of DORA are heavily operational and technical. While there are some governance and compliance aspects, the core of DORA is about ensuring that financial institutions have strong IT systems and risk management processes in place.
- ICT Risk Management
Under DORA, financial institutions must adopt a risk-based approach to managing their ICT infrastructure, ensuring that they have sufficient resources and plans in place to prevent, respond to, and recover from ICT-related disruptions.
- Third-Party Risk Management
A major part of DORA revolves around third-party ICT service providers. Many financial institutions rely on cloud providers, managed services, and other third-party suppliers to run their core services. DORA requires that financial institutions:
(i) Assess and monitor the operational resilience of third-party ICT providers.
(ii) Establish contractual obligations to ensure third-party compliance with DORA’s resilience standards.
(iii) Report significant disruptions in third-party services to EU regulators and relevant stakeholders.
- Incident Reporting and Transparency
DORA establishes stringent incident reporting obligations. Financial institutions must notify relevant authorities of an ICT incident, such as a data breach, cyberattack, or major system failure. This requirement promotes transparency and ensures that regulators can intervene quickly to prevent further damage. Furthermore, institutions must conduct post-incident reviews to identify weaknesses and ensure that lessons learned are applied to future resilience efforts.
- Testing and Auditing
To ensure that financial institutions can endure and recover from ICT-related disruptions, DORA mandates regular resilience testing of ICT systems. Financial institutions must conduct stress tests, vulnerability assessments, and penetration testing to identify potential weaknesses before they lead to operational failures. Independent auditing is also required to ensure ongoing compliance with the resilience standards.
Which ICT service providers are concerned?
The regulation focuses on ensuring that financial institutions manage the risks associated with their ICT systems, including those provided by third-party service providers. The scope includes:
- Critical ICT service providers (those designated as critical by the European Supervisory Authorities);
- ICT service providers that support critical or important functions for financial institutions.
Considerations for ICT Service Providers Under DORA
- Jurisdictional Requirements for Critical Providers
While DORA does not outright require ICT service providers to be based exclusively in Europe, it sets out rules that require financial institutions to assess and manage the geographic risks associated with their ICT service providers. The aim is to avoid dependence on providers located outside the EU, where legal and regulatory oversight could be more difficult to enforce in the event of an issue.
- Third-Party Risk Management
Financial institutions are required to perform risk assessments on third-party providers, including assessing the legal, regulatory, and geographical risks they face. This means that if a financial institution relies on an ICT service provider outside the EU, it must ensure that the provider complies with relevant EU regulations (including DORA) and can be subject to adequate oversight and enforcement in case of operational disruptions or security incidents.
- Impact on Non-EU ICT Providers
When financial institutions use non-EU ICT service providers, they are required to evaluate the potential risks to their operational resilience and compliance. For example:
- Financial institutions must have backup plans or alternative providers in place in case a non-EU provider faces disruption or regulatory challenges.
- Financial institutions must ensure that service agreements with non-EU providers are enforceable under EU law, particularly when dealing with security or incident-related issues.
Conclusion
The Digital Operational Resilience Act (DORA) is a crucial step in ensuring the EU’s financial markets can withstand the challenges posed by an increasingly digital and interconnected world. For financial institutions, DORA offers a structured approach to protecting their ICT systems and managing third-party risks. For service providers, especially those offering critical ICT services, it creates both opportunities and challenges in the form of new compliance requirements and market access issues.
As DORA continues to unfold, financial institutions, third-party providers, and legal experts must remain vigilant in their efforts to meet the regulation’s evolving demands. For more detailed information on how DORA may affect your business or to explore compliance strategies, feel free to book a free call with our lawyers.
Read other articles written by Anna Levitina