
DORA: The New Reality for Financial Cybersecurity

  • saskiavanvredenbur
  • Oct 8
  • 2 min read

As of 17 January 2025, the Digital Operational Resilience Act (DORA) is now in full effect across the European Union. But make no mistake: DORA's reach extends far beyond EU borders, creating ripple effects that touch financial institutions, technology providers, and service firms worldwide.


More Than Just Another Regulation

DORA represents a fundamental shift in how the financial sector approaches cyber risk. It's not just about building stronger defences or ticking compliance boxes; it's about ensuring that financial institutions can withstand, respond to, and recover from technology disruptions while maintaining critical operations. In an era where cyberattacks grow more frequent and sophisticated, resilience has moved from the IT department to the boardroom, and regulators are watching closely.


Part of the EU's broader regulatory sprint that includes NIS2, the Cyber Resilience Act, and the EU AI Act, DORA operates as the specialist framework for financial services. Under the principle of lex specialis, it takes precedence over more general cybersecurity laws when it comes to digital finance.


Who Does DORA Actually Apply To?

A common misconception is that DORA only affects banks. In reality, it applies to 20 types of financial entities, from credit institutions and insurance companies to payment providers, crypto-asset service providers, and market infrastructure operators.


ICT third-party service providers that deliver critical digital services to these financial entities also fall under DORA's scope. Additionally, even non-EU technology providers can find themselves subject to DORA requirements if they serve EU financial institutions. This is because EU financial entities must insert DORA-mandated clauses into all contracts with ICT providers, effectively extending the regulation's influence deep into the global supply chain.

For subsidiaries and branches of EU-based financial groups operating outside the EU, group-wide DORA compliance policies will cascade down, ensuring uniform resilience standards across all jurisdictions.


The Third-Party Risk Management Challenge

Among DORA's five core pillars (ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing), the third-party pillar receives special emphasis. Financial institutions must now maintain comprehensive registers of all ICT vendor relationships, conduct rigorous due diligence before engaging providers, and assess concentration risk across the sector.


Contracts must include strict provisions covering service descriptions, security requirements, business continuity planning, subcontracting restrictions, and exit strategies. For critical services, financial entities need monitoring rights, mandatory resilience testing participation, and detailed transition assistance plans.


The message is clear: outsourced ICT services cannot become systemic vulnerabilities for the financial sector.


A Global Standard in the Making

DORA isn't an isolated development. Similar regulations are emerging worldwide, from SEC cybersecurity rules in the United States to new frameworks in Singapore, Brazil, India, Australia, Canada, and Japan. Operational resilience is rapidly becoming a global regulatory standard, not just a European concern.


This and more will be discussed at the upcoming MFSA Cyber Finance Summit on the 15th-16th October, where industry leaders, regulators, and practitioners will decode DORA's requirements, share actionable strategies for compliance, and explore how operational resilience is reshaping the future of financial services. To learn more and secure your tickets, please click here.

Business News Malta
Powered by Malta Financial Services Advisory Council
