Home  /  Blog  /  Compliance

DORA, the regulation binding banks and ICT vendors

The DORA Regulation imposes a unified ICT risk management framework on the European financial sector, with direct application from 17 January 2025 and liability extended to third-party technology providers. Compliance is no longer a discretionary requirement of good IT governance, but a legal obligation with sanctions, supervisory and reputational consequences.

Scope of application

The DORA Regulation (Digital Operational Resilience Act, EU 2022/2554) sets uniform ICT security and digital operational resilience requirements for financial entities, and has been fully applicable since 17 January 2025 across all Member States, with no need for national transposition. Being a regulation rather than a directive, its application is immediate and uniform, with no interpretive margin left to domestic legislation.

The subjective scope covers 21 categories of financial entities: banks, insurers, investment firms, payment institutions, fund managers, rating agencies, crypto-asset service providers, and third-party ICT providers designated as critical, such as cloud providers and software vendors serving the financial sector. It also covers market infrastructure entities, including trading venues, trade repositories, central counterparties and data reporting service providers, as well as credit rating agencies, critical benchmark administrators and account information service providers.

A key point for non-European organisations, third-party ICT providers are subject to DORA requirements when they serve EU financial entities, regardless of the provider's legal seat. The applicability criterion is therefore the recipient of the service, not the provider's jurisdiction. A non-EU software house providing a trading platform to a European institution falls within scope, regardless of its own legal seat.

Strategic relevance and risk profile

DORA introduces a point of discontinuity compared to the previous regulatory framework: critical third-party providers are subject to direct oversight by the Lead Overseer designated by the ESAs, marking the first time the European Union has established supervision of this nature at this scale. Compliance responsibility is no longer mediated solely through the financial entity, the technology provider, if classified as critical, answers directly to European supervisory authorities.

The sanctions regime operates on two distinct levels. For critical ICT providers, the regulation allows the lead overseers to impose penalties of up to 1% of average daily worldwide turnover recorded in the previous financial year, applied daily for up to six months until full compliance is achieved. For financial entities, the regulation does not set uniform sanction ceilings: administrative penalties are defined by competent national authorities, in Italy identified as Banca d'Italia, Consob, IVASS and COVIP, with the possibility of restrictive measures and personal liability for management.

Added to this is a structural reputational exposure, article 54 requires competent authorities to publish decisions imposing administrative sanctions on their official websites, including information on the nature of the violation and the identity of those responsible. Public disclosure of non-compliance makes regulatory risk directly observable to clients, counterparties and the market.

The five-pillar compliance framework

The Regulation structures digital operational resilience around five pillars, covering the entire ICT risk lifecycle.

ICT risk management. A documented framework covering identification and documentation of business functions, assets and ICT dependencies, continuous risk assessment, protection and prevention measures, detection capabilities, and response and recovery procedures.

ICT incident reporting. The 4-hour notification requirement demands a tested operational capability for classification and reporting, not merely a documented one. For incidents with systemic potential, authorities coordinate responses through the European Systemic Cyber Incident Coordination Framework (EU-SCICF).

Digital operational resilience testing. Article 23 establishes the obligation to conduct threat-led penetration testing (TLPT) at least every three years, extended to ICT processes supporting critical functions and services, including those outsourced to a service provider.

ICT third-party risk management. This is the most prescriptive pillar. Financial entities are required to maintain a register of information on contractual arrangements with third-party ICT providers and to report new ICT contracts to competent authorities at least annually. The rights and obligations of the parties must be set out in writing, with competent authorities empowered to suspend or terminate non-compliant contracts.

Information sharing on cyber threats. The only non-binding pillar: information sharing is encouraged but not mandatory.

A recurring objection among smaller operators concerns the sustainability of the required obligations. The Regulation provides a structural corrective, the principle of proportionality under article 4 allows smaller entities to apply requirements proportionate to their size, risk profile and complexity, and micro-enterprises and certain smaller categories benefit from a simplified regime. Proportionality modulates the intensity of application, not the existence of the obligation: no entity within scope is exempt.

Timeline and coordination with the NIS2 framework

The Regulation is fully in force. For organisations whose compliance efforts are not yet complete, exposure to sanctions and supervisory risk is already active, not prospective.

For corporate groups operating simultaneously within the financial perimeter and in sectors regulated by the NIS2 Directive, a defined rule of regulatory precedence applies: DORA is a sector-specific regulation for finance and takes precedence over NIS2 under the principle of lex specialis, though a banking group with non-financial subsidiaries may still need to manage both regimes. Since both regulations require risk management, incident notification, management accountability and staff training, the recommended approach is a unified ICT risk governance model, with differentiated regulatory application at the level of each legal entity within the group.

Operational conclusions

Adequacy cannot be assessed based on the formal implementation of required technical measures alone. Three operational indicators define the real state of compliance: whether the register of critical ICT providers is up to date, whether existing contracts include the audit and exit clauses required by the Regulation, and whether a remediation plan has actually been executed following the last TLPT simulation. Uncertainty on even one of these three points constitutes an exposure that is no longer merely technological, but one of direct supervisory scrutiny.

Want to check your DORA compliance status?

Valuemate's Compliance team supports financial entities and ICT providers on risk management, the supplier register and preparation for resilience testing.

Discover the service

← All articles