DORA: What the EU regulation means for the financial sector


The Digital Operational Resilience Act (DORA) is now in effect as of 17 January 2025. Broad in scope, this landmark legislation represents a major step in strengthening the cyber resilience of financial entities across the EU. Market participants, along with critical information and communications technology (ICT) providers, are subject to direct regulatory oversight and must comply with extensive technical, reporting, and governance requirements.

Cyber legislation in finance: A global trend

The integral role of technology in financial services is subject to ever-increasing scrutiny. Cyberattacks and failures now have the potential to disrupt not just individual businesses but entire sectors and economies. As the dividing line between technology and finance becomes more blurred, digital operational resilience is no longer a matter that businesses alone get to assess and decide.

DORA establishes at an EU level a uniform framework for preventing and mitigating cyberattacks, as well as for maintaining critical operations in the event of a disruption. There is a particular focus on third-party risk and incident reporting due to the increasing reliance on these providers to deliver financial services.

The EU is not alone in seeking to achieve resilience through legislation. On 1 January 2025, the UK implemented its rules enacted under the Financial Services and Markets Act 2023 on critical third-party service providers (CTPs). The CTP regime enables regulators to directly oversee services provided to firms in the UK financial sector by third parties designated as “critical” by HM Treasury.

In APAC, the Monetary Authority of Singapore (MAS) updated its outsourcing guidance for banks and non-bank financial institutions in December 2024, while Australia’s Prudential Standard CPS 230 Operational Risk Management will come into force on 1 July 2025. In the US, the Cybersecurity & Infrastructure Security Agency (CISA) has proposed wide-ranging requirements in its draft rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA); the final rule is expected to be published by October 2025.

DORA: Brief overview

Who is impacted?

Financial entities: A wide range of financial entities operating in the EU must comply with DORA requirements, including traditional and digital banks, payment and electronic money institutions, insurance and reinsurance, investment firms, credit institutions, and crypto-asset service providers. Non-European firms that have regulated operations in the EU are also captured.

Technology service providers: A significant aspect of DORA is its focus on ICT third-party service providers that support critical or important functions of financial entities. Companies offering information and communication technology services, such as cloud service providers and software vendors, are caught by DORA in two ways: indirectly, through the contractual terms, due diligence and monitoring that their financial-sector customers must now impose on them, and directly, where a provider is designated as critical and placed under the oversight framework run by the European Supervisory Authorities.

One of the quirks of this regulation is that ICT providers have to identify themselves as though they are market participants. As with other technology service providers, Symphony has had to obtain a LEI (legal entity identifier), which was previously the preserve of trading firms. Just one more bit of governance to attend to.

Key requirements of DORA

DORA outlines a detailed framework structured around five key pillars. Within that framework, entities build their own internal governance and control arrangements, proportionate to their size and risk profile.

  1. ICT risk management: DORA requires that financial entities establish a comprehensive and well-documented plan to identify, protect, detect, respond to, and recover from ICT-related risks.
  2. Managing ICT third-party risk: Financial entities must ensure that contracts with ICT third-party providers include key provisions. Other responsibilities for third-party risk management include conducting due diligence, performing risk assessments, and monitoring performance, as well as maintaining a register of all third-party ICT services arrangements.
  3. Digital operational resilience testing: Both basic tests (such as vulnerability assessments and scenario-based testing) and advanced tests (including threat-led penetration testing) are required under DORA.
  4. Incident reporting: Financial entities must implement systems that monitor, detect, describe, report, and analyze significant ICT-related incidents.
  5. Information sharing: DORA encourages financial entities to share cyber threat information and intelligence on internal and external ICT-related incidents—such as indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools—with other community members and the relevant authorities.

Penalties for noncompliance with DORA

The potential penalties for noncompliance are significant. DORA itself does not fix a single fine for financial entities; it requires each member state to lay down administrative penalties and remedial measures that are effective, proportionate and dissuasive, and national law can extend liability to the individual managers responsible. Failure to report a major ICT-related incident is among the breaches those penalties cover. For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to one percent of the provider’s average daily worldwide turnover for each day of noncompliance, for a period of up to six months.

How Symphony is enabling customers to comply

Symphony is fully committed to helping customers comply with DORA obligations. We are proud to announce that our contracts for new customers have been updated to cover DORA’s vendor requirements for providing critical or important services. These enhanced terms are available for all customers.

A few takeaways from this process, in which our team has worked closely with customers to understand these new requirements and how they will affect both our business and our customers’ operations:

  1. We are all building the plane as we fly it. No one knows exactly how literally to incorporate provisions into contracts, or how they will be interpreted. One of the important implementing regulations, relating to subcontracting, is not yet in force (as of the date of writing). Some customers want to transcribe the Regulation word for word; others are happy for Symphony to demonstrate where requirements are already covered.

    Our products are built for financial services use, and so include strong security measures and standards, contractual provisions, and audit checks.

  2. We are at the vanguard of a long-term trend. Financial services are the backbone of the economy, and technology forms the nerves that keep the whole system running. Regulators around the world want to see more resilience, more reliability, and more security in critical digital systems, networks, and infrastructures to safeguard against evolving threats. Governing bodies in the US, the UK, the EU, Singapore and Australia have proposed or introduced laws aimed at improving the resilience, reliability, and security of financial technology. Financial and technology companies will need to work together on any long-term requirements.

    Meanwhile, Symphony continues to advocate for greater consistency in cyber legislation across regulatory jurisdictions in an effort to reduce the compliance burdens of firms with global operations.

  3. It’s a paperchase right now; testing will come later. At present, there is a lot of categorisation for registers of ICT services and contract amendments to be completed. We expect that testing, and the designation of systemically critical or important providers, will happen later this year or early next year. Most firms are taking a step-by-step approach to achieving compliance, as it is a long process, rather than going for a “big bang”.

    Symphony has been planning for the commencement of DORA for a year, and we are well underway in updating contracts with existing customers. As noted above, our new contracts have been upgraded to automatically cover requirements for critical or important ICT providers.

Moving forward

With DORA and other legislative developments, the bottom line is that technology serving financial institutions needs to be stronger, safer, and better suited to meet rigorous standards. But these trends also raise the question: who should be regulated? Should it be financial institutions or their software providers, or both? And how closely aligned will all these regulations be?

While DORA does not provide for a grace period for implementation, areas of uncertainty still remain. For example, there are questions about the practicality of TLPT (threat-led penetration testing) and how it will be implemented. How will the audit rights work? What would pooled testing look like? How often are the regulators going to require these tests, and who are they going to designate as needing to be directly regulated?

Organisations should remain flexible due to the evolving nature of DORA implementation. We will continue to monitor for and adjust to any regulatory changes or clarifications as they emerge. If you have insights or questions, please contact me – I enjoy discussing all things DORA and resilience.
