DORA Compliance: A Strategic Guide for Financial Services Leaders


The EU's Digital Operational Resilience Act is now in effect. Here's what US fintechs operating in Europe need to know about ICT risk management and operational resilience.

January 27, 2026 · 10 min read · By Adil Karam

The Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025. If your financial services organization operates in the EU, or serves EU customers, this regulation now governs how you manage ICT risks, respond to incidents, and oversee third-party providers.

This is not another checkbox compliance exercise. DORA represents the EU's most determined attempt to prevent systemic failures in financial services caused by technology disruptions.

DORA's extraterritorial reach means that US financial services companies and their technology providers cannot ignore this regulation simply because they are headquartered outside Europe. If you serve EU financial entities, DORA applies to you. The 2024 CrowdStrike outage, which grounded airlines, shut down payment systems, and disrupted healthcare delivery, provided a preview of what regulators are trying to prevent.

Why DORA Matters: The Regulatory Context

DORA applies to virtually all EU financial entities:

  • Banks and credit institutions
  • Investment firms
  • Insurance companies
  • Payment service providers
  • Crypto-asset service providers
  • ICT third-party service providers serving these entities

The regulation imposes direct oversight on "critical ICT third-party providers" (CTPPs), including non-EU technology companies such as major cloud providers. This extraterritorial reach means US companies cannot avoid DORA simply by being headquartered outside Europe.

According to the European Supervisory Authorities, penalties for non-compliance can reach up to 2% of annual worldwide turnover for financial entities, and up to €1 million per day for CTPPs.


The Five Pillars of DORA

1. ICT Risk Management

Financial entities must implement comprehensive ICT risk management frameworks, including:

  • Business continuity and disaster recovery plans
  • ICT asset inventory and classification
  • Vulnerability management programs
  • Access control and identity management

2. Incident Reporting

Major ICT incidents must be reported to competent authorities within strict timelines:

  • Initial notification: Within 4 hours of classification
  • Intermediate report: Within 72 hours
  • Final report: Within 1 month

3. Digital Operational Resilience Testing

Regular testing requirements include:

  • Vulnerability assessments and network security reviews
  • Threat-led penetration testing (TLPT) for significant entities, modeled on TIBER-EU
  • Recovery testing and tabletop exercises

4. Third-Party Risk Management

DORA mandates detailed oversight of ICT service providers:

  • Due diligence requirements before contracting
  • Mandatory contractual provisions
  • Exit strategies and contingency plans
  • Subcontracting restrictions

5. Information Sharing

Financial entities are encouraged to share cyber threat intelligence through trusted communities.

| DORA Pillar | Key Requirement | Deadline |
|---|---|---|
| ICT Risk Management | Full framework in place | Active (Jan 2025) |
| Incident Reporting | 4-hour initial notification | Active (Jan 2025) |
| Resilience Testing | Annual vulnerability scans | Active (Jan 2025) |
| TLPT Testing | Every 3 years (significant entities) | Active (Jan 2025) |
| Third-Party Oversight | Register of all ICT providers | Active (Jan 2025) |

What US Fintechs Need to Know

If you're a US fintech serving EU customers, DORA affects you in several ways:

  • EU subsidiaries must comply directly as financial entities
  • Cloud/SaaS providers may be designated as "critical" and subject to direct supervision
  • Contracts with EU clients must include DORA-mandated provisions
  • Incident notification obligations may apply to services supporting EU operations

The Financial Conduct Authority (FCA) and European Central Bank (ECB) have emphasized that "operational resilience is not optional; it is a condition of market access."

The Board Brief

Key messages for your board:

  • DORA is active now. Compliance is not optional for EU market access
  • Extraterritorial scope. US entities serving EU clients are affected
  • Penalty exposure: Up to 2% of global turnover
  • Competitive advantage: DORA compliance signals operational maturity to institutional investors

Implementation Roadmap

  • Scope Assessment: Determine if your organization falls under DORA's scope
  • Gap Analysis: Compare existing controls against DORA requirements
  • Third-Party Inventory: Create register of all ICT service providers
  • Contract Review: Update service agreements with DORA-mandated clauses
  • Testing Program: Establish resilience testing schedule
  • Incident Response: Align IR procedures with DORA timelines

ICT Risk Management Deep Dive

The ICT risk management pillar deserves special attention because it forms the foundation for all other DORA requirements. Financial entities must establish a governance framework in which the management body (board of directors) takes direct responsibility for ICT risk. This means:

  • Board-level ICT risk committee or explicit inclusion of ICT risk in existing risk committee mandates
  • Dedicated ICT risk management function that is independent of IT operations and internal audit
  • Annual ICT risk assessment that identifies all critical functions and maps them to supporting ICT systems
  • Defined risk appetite for ICT disruptions, expressed in terms the board can act on (maximum acceptable downtime, data loss tolerance, financial impact thresholds)

Organizations that already align to the NIST Cybersecurity Framework or ISO 27001 will find significant overlap. The gap is typically in the governance layer: DORA requires more explicit board involvement than most existing frameworks demand.

Third-Party Risk: The Hidden Challenge

Most organizations underestimate the effort required for DORA's third-party risk management pillar. Building a complete register of ICT providers, assessing concentration risk, and negotiating DORA-compliant contract clauses takes months. Start here if you have not already.

Key questions to answer:

  • Do you have a complete inventory of all ICT third-party providers?
  • Have you identified concentration risks (multiple critical functions depending on a single provider)?
  • Do your contracts include DORA-mandated provisions for audit rights, incident notification, and exit planning?
  • Have you defined and tested exit strategies for critical providers?
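The four questions above can be answered mechanically once the ICT third-party register exists. The following script is an added example, not code from the article or its author: it loads a constructed register of hypothetical providers (names, functions and contract details are invented for illustration), then flags concentration risk (one provider supporting several critical functions), critical functions with no second provider, contracts missing the audit-rights, incident-notification or exit-plan provisions the article names, and exit strategies that have not been tested. The clause names and the threshold of two critical functions are assumptions chosen for the example, not DORA-defined values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Contract provisions the article lists as DORA-mandated; the keys are this example's own naming.
REQUIRED_CLAUSES = ("audit_rights", "incident_notification", "exit_plan")


@dataclass
class Provider:
    """One row of the ICT third-party register."""
    name: str
    critical_functions: list[str]                    # critical functions this provider supports
    clauses: set[str] = field(default_factory=set)   # mandated provisions present in the contract
    exit_strategy_tested: bool = False               # has the exit strategy been exercised?


# Constructed sample register (hypothetical providers, not real vendors).
SAMPLE_REGISTER = [
    Provider("CloudHost A", ["payments", "core-banking", "customer-portal"],
             {"audit_rights", "incident_notification", "exit_plan"}, exit_strategy_tested=False),
    Provider("KYC Vendor B", ["onboarding"], {"audit_rights"}),
    Provider("SIEM SaaS C", ["security-monitoring"],
             {"audit_rights", "incident_notification", "exit_plan"}, exit_strategy_tested=True),
    Provider("Backup Vendor D", ["core-banking"],
             {"incident_notification", "exit_plan"}, exit_strategy_tested=True),
]


def concentration_risks(register: list[Provider], threshold: int = 2) -> dict[str, list[str]]:
    """Providers on which at least `threshold` critical functions depend (single points of failure)."""
    return {p.name: sorted(p.critical_functions)
            for p in register if len(p.critical_functions) >= threshold}


def single_provider_functions(register: list[Provider]) -> dict[str, str]:
    """Critical functions served by exactly one provider, mapped to that provider."""
    by_function: dict[str, list[str]] = {}
    for p in register:
        for function in p.critical_functions:
            by_function.setdefault(function, []).append(p.name)
    return {f: names[0] for f, names in by_function.items() if len(names) == 1}


def contract_gaps(register: list[Provider]) -> dict[str, list[str]]:
    """Providers whose contracts lack one or more mandated provisions, with the missing clauses."""
    gaps = {}
    for p in register:
        missing = sorted(set(REQUIRED_CLAUSES) - p.clauses)
        if missing:
            gaps[p.name] = missing
    return gaps


def untested_exits(register: list[Provider]) -> list[str]:
    """Providers whose exit strategy has never been tested."""
    return sorted(p.name for p in register if not p.exit_strategy_tested)


def third_party_report(register: list[Provider]) -> dict[str, object]:
    """Answer the article's four third-party questions from the register in one pass."""
    return {
        "concentration_risks": concentration_risks(register),
        "single_provider_functions": single_provider_functions(register),
        "contract_gaps": contract_gaps(register),
        "untested_exits": untested_exits(register),
    }


if __name__ == "__main__":
    for finding, detail in third_party_report(SAMPLE_REGISTER).items():
        print(f"{finding}: {detail}")
```

In the sample data, CloudHost A is the concentration risk (three critical functions, exit strategy untested), core-banking is the only function with a second provider, and KYC Vendor B's contract is missing two of the three mandated clauses. A real register would add concentration checks across subcontractors and fourth parties, which the article's subcontracting-restrictions point implies but this example does not model.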

How I Help

DORA compliance requires security leadership that understands both the technical requirements and the regulatory landscape. With 20+ years of experience advising financial services organizations, I help fintechs and their technology providers build DORA-aligned programs that protect market access while strengthening operational resilience.

My compliance services include gap assessments, third-party risk programs, and board advisory on regulatory strategy. Whether you need targeted guidance on specific pillars or a full program lead, I can help you build a pragmatic path to compliance.

Schedule a consultation to discuss your DORA compliance strategy.
