EU DORA: What Financial Firms and FinTechs Must Know
- Regulation applies to 20,000 financial institutions in the EU from 17.01.2025.
- Third-party ICT suppliers also in scope, regardless of location.
- EU DORA creates new requirements for the security and resilience of ICT networks and systems.
- 5 pillars of EU DORA have higher and more prescriptive requirements than previously.
- Some exemptions apply and EU DORA is applied proportionately.
What is EU DORA?
The EU Digital Operational Resilience Act (EU DORA) became mandatory on 17.01.2025 and seeks to improve operational risk and business continuity in EU financial services.
With 70+ pages and hundreds of requirements, EU DORA creates a higher regulatory standard for managing information and communication technology (ICT), especially for FinTechs in scope for the first time.
Why does EU DORA matter?
Digital financial services have increased, driven by innovation, efficiency, and client demands, reaching 99% in locations such as Estonia.
In parallel, ICT-related risks have also increased significantly:
- Cyber-attacks and ransomware
- System outages and data breaches
- Failures at outsourced ICT providers
- Operational disruptions with cross-border impact
As risks increase, so financial systems and transactions require greater protection and resilience to remain trustworthy.
Who does EU DORA apply to?
- credit institutions
- payment institutions
- electronic money institutions
- account information service providers
- investment firms
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
FinTechs such as core banking, payments, hosting and ICT solution providers are also in scope.
5 pillars of DORA?
The requirements of EU DORA are assessed using five pillars:
ICT Risk Management
What governance, systems, tools, and processes are used to identify, protect, detect, and recover from ICT-related risks.
Incident Reporting
Regulated entities must notify their national competent authorities of major ICT-related incidents and cyber threats.
Digital Operational Reslience Testing
Regular, advanced testing to ensure security, improve resilience and recovery procedures.
3rd Party Risk Management
Development of frameworks to identify and mitigate risks arising from 3rd party suppliers of ICT.
Information Sharing
Voluntary sharing of data about cyber threats and vulnerabilities to enhance system defences.
Proportionality in EU DORA
Financial entities and technology providers are required to implement EU DORA using the principle of proportionality, meaning they consider their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
