On 17 January 2025, the Digital Operational Resilience Act (DORA) takes effect across the EU. DORA is designed to streamline ICT (Information and Communication Technology) risk management, introducing sweeping changes for both EU financial entities and the ICT service providers that serve them, including providers based outside the EU.
By addressing digital resilience through a unified regulatory framework, DORA aims to replace the previously fragmented approach with consistent standards across the financial services sector. DORA may initially seem like just another compliance burden, particularly since non-compliance can result in substantial fines. Yet DORA also presents strategic opportunities that can enhance client trust and operational stability.
This article highlights key obligations under DORA and outlines practical steps for ICT providers and financial entities in the EU and UK to leverage compliance for commercial gain.
Harmonisation of ICT Risk Rules and Guidance Across the EU
DORA's objectives parallel those of the Single Rulebook, the harmonised set of prudential rules adopted for financial risk management in the wake of the 2008 financial crisis: it standardises ICT resilience requirements across banks, insurance providers, crypto-asset firms and other financial entities. Digital operational resilience had been left out of the Single Rulebook, and during the intervening years a patchwork of regulation and guidance evolved, leaving room for gaps and divergence. Measures varied by sector and at national level.
Harmonisation addresses the inconsistencies faced by entities managing cross-jurisdictional contracts for ICT services. Until now, the extent of resilience measures in those contracts depended largely on the relative bargaining power of the ICT service provider and the customer. A customer might also have negotiated different resilience terms with each ICT service provider, making it difficult to enforce consistent contractual obligations across all providers.
The European Systemic Risk Board (ESRB) highlighted, in its 2020 report on systemic cyber risk, that the high level of interdependency between ICT systems within the financial sector, across markets and infrastructures, creates potential systemic vulnerabilities. An incident affecting one entity could rapidly spread through the network, with ripple effects potentially leading to a loss of confidence and trust, and even to runs on liquidity. By harmonising the rules, DORA promotes and enforces good practice across ICT providers and their customers, helping to mitigate systemic risks.
ICT Risk Management with more standardisation and more certainty
With all players adhering to common standards, ICT risk management becomes easier, fostering predictability and reducing complexity in vendor relationships across borders.
DORA applies broadly across the financial sector, covering banks, insurance and reinsurance undertakings, crypto-asset service providers, electronic money institutions, payment institutions, investment firms, credit rating agencies, central securities depositories, central counterparties, trading venues, insurance and reinsurance intermediaries, administrators of critical benchmarks and crowdfunding service providers, among others. This wide-reaching coverage demands a unified approach to ICT risk management, despite significant differences between the entities concerned. With all parties, whether vendors or customers, held to the same standards, adopting compliance measures is streamlined and consistent across the industry.
Operational Synergies with Other EU Digital Regulations
DORA's approach emerges from the EU's commitment over the last decade to cohesive digital regulation, reflecting principles seen in the General Data Protection Regulation (GDPR) and the second Network and Information Security Directive (NIS2). The protection of data, including personal data, is one element of DORA's requirements, and digital operational resilience goes hand in hand with the cybersecurity measures to be implemented under NIS2. The principles of proportionality and subsidiarity, core pillars of EU legislation, guide DORA's scope: obligations are calibrated to an entity's size and risk profile, with simplified requirements for microenterprises and certain smaller firms, and some low-risk entities excluded altogether. Note that the two regimes run in parallel: DORA does not replace an entity's separate obligations under GDPR or NIS2.
DORA Compliance: A Competitive Advantage
Another key aim of standardisation at EU level is to promote competition within the single market by creating a more level playing field. DORA's reach extends beyond the EU's borders: ICT service providers serving EU financial entities are bound by the same contractual and oversight requirements wherever they are established, and those designated as critical ICT third-party providers are subject to direct oversight by the ESAs. Compliance is therefore a condition of market access, and non-compliant providers risk losing opportunities within the EU's financial services market.
Facilitating Information Sharing and Collaboration
DORA introduces a new focus on information sharing among financial entities and supervisory authorities, encouraging early warning and better preparedness. Historically, cybersecurity incidents were often kept confidential to avoid reputational damage. DORA's ethos emphasises transparency while minimising administrative burden. By promoting information sharing, DORA fosters better awareness and insight, accelerating the development of tools and defences against novel and emerging threats. By requiring firms to report major ICT-related incidents to their financial competent authority, which can then relay relevant details to other authorities, DORA aims to manage compliance without multiplying reporting channels. This does not displace separate notification duties, such as personal data breach notification to the data protection authority under GDPR, so entities should map each reporting obligation and its deadline rather than assume a single DORA report covers all of them.
DORA also directs the European Supervisory Authorities (ESAs), namely the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, in collaboration with the European Central Bank and the European Union Agency for Cybersecurity (ENISA), to assess the feasibility of a centralised EU hub for incident reports, which would further streamline oversight and information flow.
By establishing a structured process for incident reporting aligned with DORA’s requirements, ICT providers can differentiate their services by offering customers robust reporting and risk-sharing protocols, thereby fostering trust and reinforcing their value as proactive partners in risk management.
Streamlined Contracting for Efficient Negotiations
DORA mandates, under Article 30, minimum contractual requirements for agreements between ICT service providers and financial entities, further refined by the regulatory technical standards delivered by the ESAs in January and July 2024. By shifting from a principles-based approach to detailed requirements, DORA reduces variance between contracts and promotes greater conformity of terms. This mirrors the improvement seen with GDPR's data processing requirements under Article 28, where clear contractual expectations streamlined vendor agreements across the industry. Practically, both sides should expect to review existing ICT contracts against the Article 30 list (service descriptions, data location, audit and access rights, incident support, exit strategies and termination rights) rather than relying on legacy terms.
In the coming years, we expect to see the development of DORA-compliant standard contractual clauses (SCCs). For decades, EU SCCs have been used successfully for transfers of personal data from the EEA to third countries without an adequacy decision; they have been adopted by jurisdictions such as the UK and Switzerland (with minor amendments to fit their own legal systems) and have inspired similar model clauses in other regions, for instance the Model Contractual Clauses developed by the Ibero-American Data Protection Network and the Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses. The EU and ASEAN have even developed joint guidance on the use of SCCs for data transfers, with the aim of assisting companies operating in both regions to meet their compliance obligations. This kind of harmonisation could serve as a model for digital operational resilience, streamlining compliance and strengthening defences against global threat actors.
Key Takeaways
DORA's implementation may initially appear burdensome, especially for non-EU ICT providers. Yet by adopting standardised practices for digital resilience, businesses can benefit from streamlined contracts, improved risk management and increased trust with financial clients.
By embracing DORA, financial entities and ICT providers can not only meet regulatory requirements but also enhance operational resilience, build trust and strengthen their market positions. Compliance is both a legal necessity and a strategic opportunity to create a stable, secure and competitive digital financial environment in Europe. For UK providers, early adoption of DORA standards can also serve as an alignment strategy with EU clients, reinforcing long-term business relationships.