The DORA Regulation: Digital Resilience for EU Financial Services
Simone Nogara
May 2025
The Digital Operational Resilience Act—Regulation (EU) 2022/2554—fundamentally restructures how European financial entities manage technology risk. It imposes direct governance obligations on management bodies, creates an unprecedented supervisory framework for critical ICT providers, and mandates comprehensive operational resilience testing. For Private Equity firms with financial services portfolio companies, DORA is the new operating environment.
What DORA Is and Why It Exists
DORA[1] was adopted as part of the European Commission’s Digital Finance Package alongside MiCA[2]. It entered into force on 16 January 2023 and became applicable on 17 January 2025. As a regulation under Article 114 TFEU, it applies directly in all EU member states without national transposition.
The rationale: European financial services’ deep ICT dependency creates systemic risk. A failure of critical systems or a successful cyber attack on a systemically important institution could propagate through interconnected markets. Prior to DORA, ICT risk management was governed by a fragmented patchwork of sectoral guidelines and national regulations. DORA replaces this with a single, comprehensive framework. The 2020 SolarWinds supply chain compromise, escalating ransomware attacks, and major cloud outages affecting banking systems all contributed to the Commission’s assessment that voluntary approaches were insufficient.
Who Falls Within Scope
DORA applies to over twenty categories of financial entities: credit institutions, investment firms, payment institutions, electronic money institutions, central securities depositories, central counterparties, trading venues, AIFMs, UCITS management companies, insurance and reinsurance undertakings, insurance intermediaries, occupational retirement institutions, credit rating agencies, benchmark administrators, crowdfunding providers, securitisation repositories, and crypto-asset service providers.
For Private Equity firms, any portfolio company with an electronic money licence, payment processing operations, AIFM authorisation, insurance intermediary status, or MiCA authorisation falls within scope—even if it does not consider itself a traditional financial services company. DORA also applies to ICT third-party service providers designated as “critical” by the European Supervisory Authorities (ESAs), creating direct regulatory oversight of major cloud providers serving the financial sector.
The Five Pillars of DORA
Pillar 1: ICT Risk Management Framework. Articles 5–16 require a comprehensive, documented, annually reviewed framework approved by the management body. Article 5(2) places direct responsibility on the board for setting the framework, allocating resources, and maintaining ongoing ICT risk awareness. The framework must cover identification and classification of all ICT-supported functions and assets, continuous monitoring and detection, protection and prevention measures, and response and recovery plans. A three-lines-of-defence model separating ICT risk management from internal audit is mandatory. PE-appointed directors bear direct regulatory responsibility for framework adequacy and must receive regular ICT risk training.
Pillar 2: ICT-Related Incident Management. Articles 17–23 establish harmonised classification, management, and reporting of ICT incidents. The incident response reporting obligations are demanding: initial notification within four hours of classifying an incident as “major,” intermediate report within 72 hours, final report within one month. Major incidents are defined by client impact, duration, geographic spread, data losses, service criticality, and economic impact. This is substantially more demanding than NIS2[3] or GDPR[4] breach notification. DORA also introduces voluntary notification of significant cyber threats to encourage collective situational awareness.
Pillar 3: Digital Operational Resilience Testing. Articles 24–27 require a comprehensive testing programme including vulnerability assessments, network security assessments, gap analyses, software composition analyses, and source code reviews. Significant financial entities must additionally conduct threat-led penetration testing (TLPT) following the TIBER-EU[5] framework at least every three years—controlled adversary simulations against live production systems testing detection, response, and recovery. TLPT requires qualified external testers, competent authority oversight, and management body review of results. For PE-owned entities new to TLPT, preparation including detection maturity, incident response procedures, and internal capacity can be substantial.
Pillar 4: ICT Third-Party Risk Management. Articles 28–44 address risks from ICT service providers—perhaps DORA’s most consequential pillar given the extent of outsourcing to cloud providers. Entities must maintain a register of all ICT provider arrangements, conduct pre-contractual risk assessments, and include specific provisions covering service levels, data processing locations, access and audit rights, incident notification, exit strategies, and termination. The regulation establishes direct oversight of critical ICT third-party providers (CTPPs) by a Lead Overseer from the ESAs, with powers including inspections, recommendations, and penalty payments. For PE-owned entities, this necessitates comprehensive vendor review, contract renegotiation, and exit strategy development.
Pillar 5: Information and Intelligence Sharing. Article 45 encourages financial entities to exchange cyber threat information among themselves and with authorities, providing a legal basis subject to data protection requirements. This recognises that cyber threats are a collective challenge.
DORA and NIS2: Understanding the Interaction
DORA operates as lex specialis relative to NIS2 for financial entities. Where DORA imposes specific requirements—incident reporting, ICT risk management—those take precedence over NIS2’s general requirements. Financial entities compliant with DORA should generally satisfy corresponding NIS2 provisions, avoiding double regulation. However, NIS2 may impose additional requirements in areas DORA does not specifically cover, and interaction varies by member state transposition. PE firms with portfolio companies spanning financial services and other sectors should map both frameworks.
Implementation: Where Firms Should Be Now
DORA became applicable on 17 January 2025, so all in-scope entities should now be fully compliant. The ESAs have published regulatory and implementing technical standards covering the ICT risk management framework, incident classification and reporting, the ICT third-party register, and TLPT criteria. For entities not yet fully compliant, the priority areas are:
- establish the ICT risk management framework with management body approval;
- implement four-hour incident reporting capability;
- compile and maintain the ICT third-party register with risk assessments and contract reviews;
- develop the resilience testing programme and assess TLPT applicability;
- engage with information-sharing communities.
Competent authorities across the EU are expected to begin supervisory assessments during 2025, with enforcement actions following material deficiencies. Penalties are determined nationally but must be effective, proportionate, and dissuasive—several member states have indicated alignment with existing financial services penalty regimes.
Implications for PE-Owned Financial Services Companies
Governance requirements mean PE-appointed board members must understand and oversee ICT risk management, a competence that has not traditionally been a selection criterion for non-executive directors. Training and board composition adjustments may be required. Third-party risk management may necessitate significant contract renegotiations, but it also creates an opportunity to rationalise vendor relationships and strengthen exit strategies. PE firms should conduct portfolio-wide ICT third-party risk assessments to identify concentration risks where multiple portfolio companies depend on the same critical provider.
Resilience testing, particularly TLPT, represents both cost and value-creation opportunity. The investment drives genuine security improvement demonstrable to prospective acquirers at exit. PE firms that treat DORA compliance as value creation rather than cost will be better positioned to realise returns.
How DORA Changes the Provider Relationship
DORA levels the playing field by mandating specific contractual provisions regardless of bargaining power: access and audit rights (for the entity and its competent authority), mandatory incident notification, data processing location transparency, cooperation during supervisory inspections, and comprehensive exit strategies. These are legal requirements, not aspirational provisions.
For critical ICT providers designated under the oversight framework, the ESAs will have direct supervisory authority for the first time—including on-site inspections, mandatory cooperation, and obligation to comply with Lead Overseer recommendations. Providers unable or unwilling to meet these requirements may find their access to the European financial services market constrained.
References
- [1] Regulation (EU) 2022/2554 (Digital Operational Resilience Act), EUR-Lex.
- [2] Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation), EUR-Lex.
- [3] Directive (EU) 2022/2555 (NIS2 Directive), EUR-Lex.
- [4] Regulation (EU) 2016/679 (General Data Protection Regulation), EUR-Lex.
- [5] TIBER-EU Framework (Threat Intelligence-Based Ethical Red Teaming), European Central Bank.