As of January 17, 2025, financial entities and their critical information and communication technology (ICT) service providers need to comply with the new cybersecurity requirements in the Digital Operational Resilience Act (DORA). DORA introduces significant operational and ICT security requirements for a wide range of financial market participants, including banks, insurers, trading platforms, as well as for their ICT service providers.

What Is DORA?

DORA is an EU regulation that aims to prevent, and mitigate the impact of, cyber threats on the financial sector. These new obligations are designed to ensure that financial entities and their critical ICT service providers can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

DORA will be supplemented and interpreted by implementing acts (referred to as the “Level 2” rules). The European Supervisory Authorities (ESAs)[1] are responsible for drafting technical standards for complying with the DORA requirements in practice (e.g., contractual requirements for subcontracting, incident reporting, penetration testing). The standards must then be approved by the European Commission. Six sets of technical standards are now in force, including a set of rules to classify ICT-related incidents and cyber threats, and a set of rules to harmonize ICT risk management tools, methods, processes, and security policies for financial entities.

Who Does DORA Apply To?

DORA requirements apply directly to i) financial entities operating in the EU (e.g., credit institutions and payment service providers), and ii) their ICT service providers that are designated as critical by the ESAs (Critical Providers). The ESAs will formally designate Critical Providers based on a range of criteria (e.g., whether the service provider can be easily substituted and whether a disruption to the service provided would have a significant impact on the financial entity). All Critical Providers will need to comply with DORA regardless of where they are established. This marks a significant change as, prior to DORA, ICT service providers were typically only indirectly regulated (e.g., through outsourcing obligations). Critical Providers with no EU establishment must establish a subsidiary in the EU within 12 months of being designated. The first designation of Critical Providers is expected to occur in the second half of 2025.

What Are the Core Obligations for Financial Entities?

DORA imposes five types of security requirements on financial entities:

  1. ICT risk management. As part of their overall risk management system, financial entities must implement a comprehensive and well-documented ICT risk management framework. This framework should enable them to manage ICT risk quickly, efficiently, and comprehensively and to ensure a high level of digital operational resilience. SMEs benefit from a simplified framework.
  2. Incident management, reporting, and notification. Financial entities must establish processes to detect, classify, and, where required, report ICT-related incidents to the relevant national authority. All major ICT-related incidents must be reported, but financial entities may voluntarily notify national authorities of significant cyber threats. Financial entities must also record all ICT-related incidents and significant cyber threats. The reporting obligations are detailed in technical standards (such as the threshold for mandatory reporting, content of reports, and timelines for reporting).
  3. Resilience testing. DORA requires financial entities to regularly test their digital operational resilience (i.e., the ability to detect, prevent, respond to, learn, and recover from disruptions in operations that could impact their services). Testing should focus on the risks that are most relevant to the financial entity’s business or services.
  4. Third-party risk management (due diligence and outsourcing). Financial entities can only enter into contracts with ICT third-party service providers that include specific provisions (including on termination) and IT standards.
  5. Threat monitoring. DORA also allows financial entities to exchange cyber threat information among themselves to enhance their digital operational resilience. The sharing must be limited to financial entities and carried out in a way that protects the potentially sensitive nature of the information exchanged.

What Are the Core Obligations for ICT Service Providers?

Noncritical ICT service providers are not directly subject to DORA. However, financial entities will need to conclude DORA-specific contract terms with all ICT service providers if they wish to rely on their services. These obligations include, for example, service level descriptions, detailed termination clauses, and data protection provisions. More stringent contractual obligations must be imposed on Critical Providers.

Following the entry into force of DORA, the ESAs, together with competent national authorities, will start the oversight of Critical Providers offering services to financial entities in the EU. The first oversight activity is the designation of Critical Providers, which will start in the second half of 2025. ESAs will supervise Critical Providers through a newly created “Oversight Framework,” with one of the ESAs to supervise each Critical Provider (as Lead Overseer). The Lead Overseer will review whether the Critical Provider has effective rules, procedures, mechanisms, and arrangements in place to manage the ICT risk the outsourcing may pose to financial entities. 

Enforcement

DORA will be enforced at national level by designated national competent authorities. Penalties for noncompliance are determined at national level and include mandated remedial measures for breaches, sanctions for management (e.g., suspension of managerial functions), criminal penalties, and administrative fines. For example, sanctions in Luxembourg include fines of up to EUR 5 million or 10 percent of total annual turnover.

Next Steps

Companies can begin preparing for DORA by reviewing and documenting their existing ICT risk management and incident reporting processes, as well as evaluating current ICT vendors and contracts. Financial entities should also familiarize themselves with the Implementing Technical Standards on the Register of Information, ensuring their registers of ICT third-party providers’ contractual arrangements are ready for submission to competent authorities by early 2025.

Additionally, companies must ensure that both management and staff are well-prepared for the implementation deadline and equipped to address potential customer inquiries. ICT service providers, meanwhile, should consider incorporating DORA terms into their standard agreements and prepare for contract requests from financial entity clients.

Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.

Wilson Sonsini routinely advises clients on privacy and cybersecurity issues. For further inquiries about the EU’s cybersecurity regulations, please contact Cédric Burton, Nikolaos Theodorakis, Laura Brodahl, or any attorney from Wilson Sonsini’s EU data, privacy, and cybersecurity practice.

Jessica O’Neill and Hattie Watson contributed to the preparation of this post.

[1] The European Supervisory Authorities are the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).