Glossary · EU Financial Regulation

# DORA (Digital Operational Resilience Act)

EU regulation establishing operational resilience requirements for financial institutions, in force from January 2025.

## What DORA actually does

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) establishes a unified framework for the operational resilience of European financial institutions. It applies from January 17, 2025, replacing a patchwork of sector-specific guidance with a comprehensive cross-sector regulation.

DORA covers ICT (Information and Communications Technology) risk specifically: the regulation's core insight is that financial stability increasingly depends on technology resilience as much as on financial soundness.

## Who DORA applies to

DORA applies to virtually all European financial entities:

- Banks and credit institutions
- Investment firms
- Payment institutions and e-money institutions
- Insurance and reinsurance undertakings
- Pension funds (IORPs)
- Crypto-asset service providers
- Crowdfunding service providers
- Securitisation repositories
- Trading venues, central counterparties, central securities depositories
- Credit rating agencies
- Audit firms (for their financial sector clients)

It also creates new oversight requirements for **critical ICT third-party providers**, meaning major cloud providers (AWS, Microsoft, Google) and other technology vendors that financial institutions depend on.

## The five DORA pillars

DORA establishes requirements across five areas:

### 1. ICT risk management

Financial entities must implement comprehensive risk management frameworks covering identification, protection, detection, response, recovery, and continuous learning. This includes documented governance structures, regular risk assessments, and explicit board-level accountability.

### 2. Incident reporting

Major ICT-related incidents must be reported to authorities according to standardized templates and timelines. Significant cyber threats must also be reported. The reporting obligations are stricter than NIS2's general framework.

### 3. Digital operational resilience testing

Financial entities must conduct regular testing of their digital operational resilience:

- Vulnerability assessments and scans
- Network security assessments
- Penetration testing (annual minimum)
- For significant entities: **threat-led penetration testing (TLPT)** every three years

TLPT is the most demanding form: testing must simulate real-world threat actor capabilities and is conducted by certified providers under regulator supervision.

### 4. Third-party risk management

DORA introduces specific requirements for managing risks from ICT service providers:

- Standardized contract clauses required for ICT outsourcing
- Pre-contractual due diligence on critical providers
- Concentration risk monitoring (avoiding excessive dependence on single providers)
- Contingency planning for provider failures

### 5. Information sharing

Financial entities are encouraged to share cyber threat intelligence among themselves and with authorities through trusted information-sharing arrangements.

## Why DORA changes cloud vendor decisions

The third-party risk management pillar specifically affects cloud and SaaS vendor choices. DORA requires:

**1. Critical ICT third-party providers under direct regulatory oversight.** EU financial supervisors (ESMA, EBA, EIOPA) can now directly oversee cloud providers serving multiple financial institutions. This is unprecedented: direct regulatory authority over technology vendors.

**2. Concentration risk management.** Financial institutions cannot have all their critical infrastructure on a single cloud provider. This pressures multi-cloud strategies, which often means adding EU-resident providers alongside US hyperscalers.

**3. Contractual requirements.** DORA mandates specific clauses in ICT outsourcing contracts. US providers' standard terms typically need amendment to comply.

**4. Geographic considerations.** While DORA doesn't explicitly require EU data residency, the regulatory cooperation expectations work better with EU-resident providers.

## Practical implications for European fintech

For European financial institutions in 2026:

**Option 1: Multi-cloud with EU primary.** Use Hetzner, Scaleway, OVHcloud, or Open Telekom Cloud as primary infrastructure with a US hyperscaler as secondary. This reduces concentration risk and improves DORA posture.

**Option 2: Sovereign cloud for sensitive workloads.** Use Open Telekom Cloud, T-Systems Sovereign Cloud, or French Cloud de Confiance for the most sensitive applications, and a US hyperscaler for less sensitive workloads.

**Option 3: Negotiate DORA-compliant terms with US providers.** Possible but operationally complex. Major US providers have built DORA-compliant offerings, but the specific contract terms still require negotiation.

For European fintech startups, building on EU-resident cloud from the start is operationally simpler than retrofitting compliance. The cost-performance gap (Hetzner/Scaleway vs AWS) makes the choice financially attractive too.

## DORA's broader influence

DORA establishes a regulatory pattern that will likely extend beyond financial services:

- **EU AI Act** uses similar third-party oversight concepts
- **NIS2** has parallel incident reporting structures
- **Future EU Cyber Resilience Act** builds on DORA's third-party risk concepts

For European tech vendors serving multiple regulated sectors, demonstrating DORA-style operational resilience is becoming a competitive feature even outside financial services.

## What 2026 brings

DORA's first full year of enforcement (2025-2026) will define practical compliance expectations. Watch for:

- **First major incident reports** under DORA's new templates
- **Penetration testing programs** ramping up across European financial institutions
- **Critical ICT third-party provider designations** by EU supervisors
- **First enforcement actions** for non-compliance

For European businesses serving financial institutions as vendors, DORA compliance is becoming table stakes for procurement.