DORA (Digital Operational Resilience Act)

DORA overview: Legal provisions for financial entities and ICT third-party providers

(Article by Maria Katsioti, Associate, and Andreas Papastathis, Junior Partner, published on Lexology, March 17, 2025)

Digital Operational Resilience Act (DORA): Strengthening Financial Sector Resilience

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), adopted by the European Union in November 2022, aims to strengthen the operational resilience of financial entities by requiring them to establish robust ICT risk management frameworks. The regulation applies to entities in the banking, investment, and insurance sectors, and to the ICT third-party service providers that support them. Since January 17, 2025, all entities within its scope have been required to comply with its obligations, so as to ensure their digital resilience and contribute to the stability of the EU financial system.

Scope of DORA

DORA applies to a wide range of financial entities, including credit institutions, payment institutions, investment firms, crypto-asset service providers, and insurance intermediaries, among others. ICT third-party service providers, such as cloud computing and data analytics providers, also fall within DORA's scope once the European Supervisory Authorities (ESAs) designate them as critical ICT third-party service providers to the financial sector. The ESAs are expected to finalize these designations by the end of 2025, which will bring additional compliance requirements for the designated providers.

Key Obligations for Financial Entities

The core obligations of DORA are categorized into five pillars:

  1. ICT Risk Management: Financial entities must establish governance and control frameworks that ensure the availability, integrity, and confidentiality of data and the resilience of their technology. This includes thorough documentation of ICT functions and regular ICT risk assessments.
  2. ICT Incident Management & Reporting: Entities must implement measures to detect, manage, classify, and report ICT-related incidents. Major ICT-related incidents must be reported to the competent authority in stages (initial notification, intermediate report, and final report) within strict timeframes, ensuring transparency and accountability.
  3. Digital Operational Resilience Testing: Entities must regularly test their ICT systems to identify weaknesses and vulnerabilities. Entities identified by their competent authority (based on size, risk profile, and systemic importance) must additionally undergo advanced testing, in the form of Threat-Led Penetration Testing (TLPT), at least every three years.
  4. ICT Third-Party Risk Management: Financial entities must manage the risk arising from their use of ICT providers, including through contractual agreements that define the parties' rights, responsibilities, and service terms. This includes compliance with GDPR where personal data is involved.
  5. Information Sharing: Financial entities are encouraged to exchange cyber threat information and intelligence within trusted networks to strengthen collective resilience.

Competent Authorities and Implementation

Competent authorities, alongside the European Supervisory Authorities, have the power to enforce compliance, impose penalties, and issue guidance on ICT risk management; critical ICT third-party service providers are overseen directly at EU level by an ESA acting as Lead Overseer. The European Commission will review the regulation by January 17, 2028.

Relation to NIS II

The NIS II Directive, which also aims to enhance cybersecurity, overlaps with DORA for certain financial entities. However, DORA is the sector-specific act (lex specialis) for those entities and takes precedence over NIS II with respect to incident reporting, ICT risk management, and supervision and enforcement.

DORA, NIS II, and GDPR collectively form the EU’s broader strategy to enhance cybersecurity and resilience across critical sectors, ensuring that financial entities can withstand and recover from digital disruptions effectively.
