Streamline DORA Compliance

The Digital Operational Resilience Act (DORA) regulation officially applies from January 17, 2025. Organizations must maintain continuous compliance with DORA’s requirements, which involve various forms of Information and Communication Technology (ICT). Organizations are expected to incorporate DORA’s principles into their operations on an ongoing basis, not as a one-time certification but as part of their regular compliance and risk management processes. Periodic audits or reviews may be conducted by regulators to ensure adherence.

DORA is built around five key pillars that financial entities must adhere to for strengthening their operational resilience. These pillars are:

1. ICT Risk Management.

2. ICT Incident Reporting.

3. Digital Operational Resilience Testing.

4. Third-Party Risk Management of ICT providers.

5. Information Sharing and Governance.

These five pillars collectively aim to ensure that financial institutions and their ICT providers can prevent, respond to, and recover from ICT-related disruptions effectively, safeguarding financial stability across the EU.

The main requirements of DORA are the five key pillars:

1. ICT Risk Management.

2. ICT Incident Reporting.

3. Digital Operational Resilience Testing.

4. Third-Party Risk Management of ICT providers.

5. Information Sharing and Governance.

DORA compliance is mandatory for entities operating in the financial sector, including both financial institutions and third-party ICT service providers.

Financial institutions:

• Banks and Credit Institutions

• Investment Firms

• Payment Institutions

• Electronic Money Institutions (EMIs)

• Insurance and Reinsurance Companies

• Pension Funds

• Crypto Asset Service Providers (CASPs)

• Central Counterparties (CCPs)

• Stock Exchanges and Trading Venues

• Fund Managers (including UCITS and AIFMs)

• Credit Rating Agencies

• Audit Firms (serving financial institutions)

Third-Party ICT Service Providers - Providers offering critical ICT services to financial entities, such as:

• Cloud service providers

• Software vendors

• Data analytics and infrastructure services

• Cybersecurity providers

While DORA casts a wide net, certain entities or scenarios might be exempt or subject to limited requirements:

1. Small and Micro Enterprises: Some micro or small financial institutions may have proportionate obligations under DORA. These exemptions are based on criteria such as size, turnover, and the scope of ICT activities. The exact thresholds for reduced obligations depend on the regulatory guidance provided by EU Member States.

2. Non-EU Entities: Entities based outside the EU but operating within it via third-party partnerships or subsidiaries may be indirectly subject to DORA via contractual obligations with EU financial entities.

3. Non-Critical ICT Providers: ICT service providers that are not deemed critical by EU authorities may not be directly subject to DORA but may still face compliance obligations indirectly through contracts with regulated entities.

General Rule for Exemptions

Exemptions are rare, as DORA aims to standardize and strengthen resilience across the financial sector. However, proportionality will apply, meaning smaller or less critical entities might face lighter compliance burdens compared to large or systemically important institutions.

How Entities Should Approach DORA:

Even if formally exempt, organizations should consider aligning with DORA principles to remain competitive and reliable in the EU financial ecosystem. Critical ICT providers must prepare for direct oversight by European Supervisory Authorities (ESAs). In essence, DORA applies broadly, with only specific exceptions for small, non-critical entities. Compliance is essential for operating within the EU financial services landscape.