New Obligations for ICT Providers and Financial Players: the EU’s New Digital Operational Resilience Act

Most of us are familiar with Dora the Explorer; the enthusiastic cartoon character who always seems ready for an adventure. Well, the EU is bringing us its own “DORA” – the Digital Operational Resilience Act (Regulation EU 2022/2554) and it’s not exactly child’s play. This new regulation is set to impose serious obligations on financial services players, with many provisions starting to apply from January 17, 2025. As the application date rapidly approaches, this blogpost provides an overview of what DORA entails, why it matters, and the key steps to start preparing for compliance.

What Is DORA

On December 27, 2022, DORA was published in the Official Journal of the European Union. This new regulation is a cornerstone of the EU’s digital finance strategy and aims to strengthen the operational resilience of the European financial sector in a rapidly evolving cyber threat landscape. In today’s interconnected world, banks, investors, payment institutions, and other financial entities are increasingly reliant on ICT systems. DORA introduces requirements to ensure that these systems remain secure and resilient.

Scope of Application

DORA applies to a wide range of financial sector entities, extending well beyond traditional banking. This includes investment firms, alternative investment fund managers, crypto-asset service providers and insurance companies, among others. This wide list of DORA-regulated entities means that a lot of players in the investment landscape, such as VCs and PE firms, will be subject to DORA’s hefty cybersecurity requirements.

Under Article 5 of DORA, the regulation also places responsibility for compliance firmly on the management body of each covered organization. The same article obliges members of the management body to maintain sufficient knowledge and skills to understand and assess ICT risks, through regular, specific training. Further, one member of senior management must be designated as the person responsible for ensuring adherence to DORA – in practice the CTO, CIO, or another senior figure with oversight of ICT systems and risk management.

Additionally, ICT third-party service providers that are deemed “critical” by regulators will be subject to direct oversight (for which those critical service providers might be charged an oversight fee). This should prevent systemic risk from spreading through technology partners upon which financial entities heavily rely. However, you don’t need to worry about figuring out if you are an ICT provider that is regarded “critical” under DORA. The European Supervisory Authorities (“ESAs”) will handle those qualifications.

Core Requirements

DORA’s obligations can be divided into four categories: ICT risk management, ICT-related incident management, digital operational resilience testing, and management of ICT third-party risk. A short overview of some of these obligations highlights their far-reaching nature:

  • Major incident reporting: Organizations must report ICT disruptions and cyberattacks to regulators, detailing the nature and impact of the incident along with remedial actions. Picture your payment processing system grinding to a halt due to ransomware: DORA demands quick, detailed notifications.
  • Digital operational resilience testing: Certain organizations must regularly conduct digital operational resilience testing, which may include threat-led penetration testing (TLPT) or “red teaming.” Think of it as inviting authorized hackers to try to penetrate your systems, exposing vulnerabilities before real cybercriminals do. DORA also requires regular audits of ICT systems to verify compliance and ensure that resilience measures are effective.
  • Third-party providers: If you outsource data processing or critical IT infrastructure to a cloud or other ICT provider, DORA forces you to keep your guard up. You can’t shrug off liability with a simple “it’s their fault.” Article 30(1) of DORA requires financial entities to assess and mitigate risks stemming from their reliance on third-party ICT providers. This means:
    • Stricter contractual requirements: Financial entities will demand stricter service level agreements (SLAs) that include detailed provisions on security, data protection, and operational continuity.
    • Enhanced due diligence: ICT providers may need to undergo rigorous assessments, including audits and reporting obligations, to demonstrate compliance with DORA’s standards.

Even more demanding standards apply under Article 30(2) for providers supporting critical or important functions, meaning those providers must also adjust their general terms and conditions (“GTCs”) to align with the new requirements.

Regulatory Technical Standards

To turn DORA’s high-level principles into detailed rules, the ESAs are developing regulatory technical standards and other implementing measures. These standards will clarify how to handle incident reporting, ICT risk management, testing requirements, and will serve as binding technical guidelines once finalized, providing concrete “dos and don’ts” for meeting DORA obligations.

Next Steps

While all of this may sound daunting, it doesn’t have to be if you start planning now:

  • Make sure your board and senior management understand their DORA responsibilities. Identify which member of senior management (often a CTO or CIO) will be the main contact and ensure they have the authority and resources to enact necessary changes.
  • Check whether your existing cybersecurity and operational resilience strategies align with DORA’s proportional requirements. Consider the size and complexity of your business to anticipate how strictly each article will apply.
  • If you rely on external ICT providers, you will need to adjust your contracts and ask for revisions to the providers’ GTCs, so that they include provisions on performance, incident reporting, monitoring, and exit strategies.
  • If you are an ICT provider offering services to clients covered by DORA, you may need to conduct a compliance gap analysis to determine whether your operational, security, and contractual frameworks align with DORA’s standards, particularly if your services are deemed critical to those clients.
  • For those subject to advanced testing such as TLPT, prepare to allocate the necessary budget and resources. You may need specialized teams or external experts to safely test for weaknesses. Periodic audits of ICT systems will also be essential to prove ongoing compliance.
  • As the ESAs finalize the regulatory technical standards, be ready to adapt your approach. Policy changes at the EU level can happen quickly, so staying informed can help you avoid last-minute scrambles.

The Bottom Line

DORA may have a playful acronym, but it carries a serious regulatory punch. Failure to comply could lead to more than a warning from your national regulator – fines and reputational hits are on the table. At the same time, proactive compliance can serve as a trust signal in an increasingly competitive and security-conscious marketplace. With January 17, 2025, just around the corner, organizations should be finalizing their plans to avoid an early disadvantage.
If you’re wondering how DORA will apply to your organization, or if you’re already knee-deep in planning and could use expert advice, Cresco’s Innovation Lawyers are here to help. Our team keeps a close eye on EU regulatory developments and can guide you through the intricacies of DORA – no map, compass, or talking backpack required.

Olivier Van Raemdonck, Managing Partner

Ward Verwaeren, Managing Associate

Aida Kaloci, Associate

Axel Desmet, Associate
