The EU Digital Operational Resilience Act (DORA) took effect on January 17, 2025, marking a significant milestone in the EU’s push to bolster digital operational resilience in the financial services sector.
Given its increasing reliance on technology, the financial services sector has become more vulnerable to various information and communication technology (ICT)-related risks, including cyberattacks, ICT failures and disruptions caused by ICT third-party service providers (TPPs). DORA aims to address such risks and provide a unified framework for managing digital operational resilience across the sector.
DORA implementation by firms
Many firms have spent months, and likely years, preparing for DORA’s implementation, but the work does not end there. While much has been done to prepare for this regulatory overhaul, the effective management of digital operational risks and ongoing compliance with DORA require continued effort, monitoring and adaptability from market participants.
Notably, a Censuswide survey commissioned by Orange Cyberdefense (Survey) sought views from 200 Chief Information Security Officers and senior security decision-makers from financial services firms with more than 1,000 employees in the UK (Respondents). Although DORA does not directly apply to UK firms, the Respondents surveyed were actually involved in DORA-related preparations due to the scale of their business lines within the EU.
According to the Survey, over 40% of Respondents were set to miss the deadline on January 17, 2025. Respondents to the Survey highlighted various challenges to DORA compliance including a lack of prioritization from the wider organization, inadequate skills and knowledge, and insufficient visibility over supply chains and TPPs more generally. To overcome these challenges, the Survey notes that the vast majority of Respondents either employ, or plan to employ, external support to assist with their DORA compliance.
Key next steps for firms
Despite DORA coming into effect, many financial entities and TPPs are still working towards DORA compliance. Financial entities must continue to manage third-party related risks by, among other things, conducting risk assessments and due diligence before engaging TPPs, documenting relationships with mandatory contractual terms, and monitoring TPPs as well as their underlying supply chains.
Registers of information
DORA requires financial entities to establish and maintain registers of information related to their ICT services. These registers are intended not only to help financial entities track their compliance with DORA but also to provide regulators with transparency into financial entities’ ICT management efforts and the related ICT supply chains.
The deadline for the first submission of registers of information by national competent authorities (NCAs) to the European Supervisory Authorities (ESAs) is April 30, 2025. To ensure timely submission of the registers to the ESAs, we expect NCAs to engage with financial entities to request their registers. This may have an indirect impact on TPPs as financial entities may request TPPs’ assistance to complete certain parts of the registers.
As part of ongoing compliance, financial entities must keep the information in their registers current to reflect changes to existing relationships and the establishment of new relationships with TPPs.
Mandatory contractual provisions
When implementing the specific requirements for contractual arrangements on the use of ICT services, some financial entities and their TPPs have faced difficulties agreeing the standard form to document these requirements.
Both parties generally prefer to use their own template. If they have not already completed the task, financial entities must continue negotiating DORA-compliant contractual arrangements with TPPs to ensure such arrangements include the minimum contractual provisions required by the regulation.
TPPs supporting “critical or important” functions
There is a heightened compliance burden for TPPs supporting “critical or important functions” of financial entities; however, it can be difficult to determine when to classify a TPP as such. This assessment is complex and depends on a number of factors, including the impact and time sensitivity of any disruption to the services being provided.
The lack of clarity in DORA and the limited guidance from the ESAs in this area gives financial entities a considerable amount of discretion, but also inevitably leaves room for uncertainty on interpretation over the proper criteria and process for categorisation. The risk is therefore that some TPPs are designated by their financial entities as supporting “critical or important” functions and subject to increased obligations, whereas TPPs of a nearly identical service are not. The situation becomes even more complex where other financial entities that engage the same TPP do not make such a classification.
Organizational considerations
There are various challenges that financial entities face in integrating compliance with existing requirements and internal systems, while managing resourcing constraints. Financial entities may need to enhance legacy ICT systems and infrastructure or integrate them with new systems to assist with the implementation of DORA’s requirements. They should also engage across internal departments to avoid siloed efforts, miscommunication and/or gaps in compliance implementation, and ensure that the organisation is appropriately staffed to deal with ongoing DORA obligations.
Technical standards and guidance
Financial entities should monitor the adoption of the remaining technical standards on the subcontracting of ICT services and threat-led penetration testing as well as the publication of other DORA-related materials such as the highly anticipated guidance on the scope of ICT services under DORA.
Designation of “critical” TPPs
DORA seeks to promote the convergence of supervisory approaches to ICT third-party risk in the financial sector by making so-called “critical” TPPs subject to a new EU oversight framework. Despite the similar terminology, a “critical” TPP is not the same as a TPP that supports a “critical or important function” to a financial entity. DORA establishes a specialised regulatory and supervisory framework for the former.
Specifically, the ESAs must identify the TPPs that are “critical” for financial entities in terms of such TPPs’ potential systemic impact on the EU financial sector as a whole. Each designated critical TPP will have one of the ESAs as its lead overseer for DORA compliance. The ESAs are also required to publish and update annually the list of critical TPPs at the EU level.
Those TPPs designated as critical will be subject to more stringent oversight, including enhanced due diligence and resilience testing. Critical TPPs that are located in a third country will be required to establish a presence in the EU for purposes of DORA-related supervision and oversight.
The ESAs are expected to make the first designations of critical TPPs in the second half of 2025. Financial entities should monitor such designations and determine any impact that they may have on them where they utilise such a provider.
Non-compliance
Non-compliance with DORA can lead to significant consequences including substantial fines. DORA requires NCAs to enforce compliance through a wide range of powers including on-site inspections, administrative penalties, and remedial measures. This regulatory enforcement can extend to public disclosure of violations, further heightening reputational risks.
National laws of a given EU Member State will determine the exact type and amount of fines to be imposed for non-compliance with DORA, with each Member State having the option to implement criminal penalties for non-compliance. DORA provides that TPPs designated as “critical” may face daily fines for up to six months, calculated at 1% of their average daily worldwide turnover in the preceding business year.
Concluding remarks
With DORA now in effect, the EU’s financial sector is entering a new phase of operational resilience obligations, where firms must shift from preparation to action. While some firms have made significant strides in addressing DORA compliance, others still have a way to go before they are DORA compliant. It is crucial for both financial entities and TPPs to be proactive in addressing DORA compliance.
Nathaniel Lalone is a dual-qualified lawyer (England, New York) and a rising leader in the field of providing cross-border regulatory and compliance advice to market infrastructures as well as sell- and buy-side firms active in the over-the-counter (OTC) derivatives, futures and securities markets. Ciara McBrien is an associate with a focus on Financial Markets and Funds.