The European DORA regulation (Digital Operational Resilience Act) has applied since January 2025. Unlike a directive, it applies directly, without national transposition. Moreover, its scope goes well beyond banks. It also covers insurers, asset managers, payment institutions and investment firms. By extension, it reaches their digital service providers too. Here is what the DORA regulation actually requires.
The five pillars of the DORA regulation
The DORA regulation rests on five blocks. First, ICT risk management and governance: a documented framework, approved by the management body, which stays ultimately accountable. Second, incident management: classification, notification of major incidents to the regulator within strict deadlines, and lessons learned. Third, operational resilience testing, from regular reviews up to threat-led penetration testing (TLPT) for the most significant entities. Fourth, third-party risk management, the most structuring pillar in daily practice. Fifth, information sharing between peers, which the text encourages.
The real subject: your providers
The DORA regulation asks a lot about providers. Every financial entity must keep a register of information. This register lists all contracts with ICT providers. It also embeds precise contractual clauses: audit rights, security, exit and reversibility, data location. Finally, it assesses each provider’s criticality. Providers deemed critical at European level then fall under direct supervisory oversight. The practical consequence is clear. Even without being a financial entity, an ICT provider to the sector inherits DORA by contractual ripple effect.
DORA and M&A deals
One point deserves the attention of funds and executive teams. In an acquisition or divestiture touching the financial sector, the target’s DORA framework belongs in the due diligence scope. Moreover, the register of information must survive the separation or the integration. Indeed, a carve-out that dismembers a shared ICT contract without recontracting it creates a non-compliance on Day 1.
Where to start?
Start with the register of information and the provider map. Indeed, that exercise reveals the real gap. Then run a gap analysis across the five pillars. It leads to a prioritized action plan. As with NIS2, a well-built foundation serves several compliances at once. In practice, DORA, NIS2 and ISO 27001 overlap substantially.
The takeaway
The DORA regulation shifts the question. It moves from is your IT secure to would your business survive a digital failure, including at your providers. Thus, it is a question of resilience, and therefore of governance. And it runs as a program.