The DORA (Digital Operational Resilience Act) regulation came into force in January 2025. It imposes strict digital operational resilience requirements on the financial sector. If you work in finance or are an IT service provider to this sector, you are affected.
What Is DORA?
DORA is a European regulation (not a directive, so directly applicable) that aims to harmonize and strengthen digital resilience requirements in the financial sector.
Unlike other sector-specific regulations, DORA takes a comprehensive approach: it covers not only financial entities themselves but also their critical IT service providers.
Who Is Affected?
Financial Entities
DORA applies to virtually the entire financial sector:
- Credit institutions (banks)
- Investment firms
- Payment and electronic money institutions
- Insurance and reinsurance companies
- Fund managers (UCITS, AIF)
- Crypto-asset service providers
- Crowdfunding platforms
- Central securities depositories
- Central counterparties
Critical IT Service Providers
A major change: DORA directly regulates ICT (Information and Communication Technology) service providers considered critical to the financial sector. This potentially includes:
- Cloud providers
- Financial software vendors
- Hosting providers
- Payment service providers
These providers may be subject to direct oversight by European authorities.
The Five Pillars of DORA
1. ICT Risk Management
Financial entities must establish a comprehensive IT risk management framework:
- Identification and classification of IT assets
- Continuous risk assessment
- Appropriate protective measures
- Anomaly detection capabilities
- Response and recovery plans
2. Incident Management
A structured IT incident management process is mandatory:
- Detection and classification procedures
- Notification to authorities within specific timeframes
- Post-incident documentation and analysis
- Client communication when necessary
3. Resilience Testing
Regular testing must validate system resilience:
- Vulnerability testing
- Penetration testing (pentests)
- Crisis scenario testing
- For significant entities: advanced penetration testing (TLPT - Threat-Led Penetration Testing)
4. Third-Party Management
This is one of DORA's most impactful aspects. Financial entities must:
- Map all their IT service providers
- Assess each provider's risks
- Include specific contractual clauses
- Have exit plans in place
- Continuously monitor critical providers
5. Information Sharing
DORA encourages the sharing of cyber threat intelligence between financial entities, within a secure framework.
Impact on Hosting Provider Selection
DORA has direct implications for how financial institutions choose cloud and hosting providers.
Enhanced Contractual Requirements
Contracts with IT service providers must include mandatory clauses:
- Clear description of services and service levels
- Data processing location
- Security and data protection measures
- Audit and inspection rights
- Incident notification obligations
- Business continuity and exit plans
Concentration Risk
DORA requires assessing concentration risk: if too many financial institutions use the same cloud provider, a failure of that provider could have systemic impact.
This may lead institutions to diversify their hosting providers or to favor moderately sized providers over the dominant hyperscalers.
Critical Provider Oversight
IT providers deemed critical to the European financial sector will be subject to direct oversight by European authorities (via a "Lead Overseer"). They will need to meet specific requirements and submit to inspections.
Why a Swiss Hosting Provider May Be Relevant
In the DORA context, a Swiss hosting provider like Infomaniak offers several advantages:
- Not one of the dominant hyperscalers on which many institutions already depend (reduces concentration risk)
- Swiss hosting (stable jurisdiction, data protection)
- ISO 27001 certifications
- A size that allows a direct relationship with the provider
Timeline and Penalties
Entry into Force
DORA came into force on January 17, 2025. Financial entities and their providers must be compliant by this date.
Penalties
Competent national authorities (ACPR in France for banks and insurers, AMF for markets) can impose:
- Compliance orders
- Financial penalties (up to 2% of turnover for entities, 1% of daily global turnover for critical providers)
- Personal sanctions against executives
Concrete Steps for Compliance
If You Are a Financial Entity
- Map your IT service providers and assess their criticality
- Review your contracts to include DORA clauses
- Update your IT risk management framework
- Prepare your incident notification procedures
- Plan your resilience testing
If You Are an IT Service Provider to the Financial Sector
- Anticipate your clients' requests (audits, contractual clauses)
- Strengthen your documentation (security policies, BCP, procedures)
- Obtain certifications (ISO 27001, SOC 2)
- Prepare for potential oversight if deemed critical
Conclusion
DORA represents a major shift for the European financial sector and its IT providers. The regulation mandates a structured approach to digital resilience, with particular attention to third-party risks.
For financial entities, it's an opportunity to professionalize their IT risk management. For service providers, it's a chance to differentiate through compliance and reliability.
Choosing trusted hosting providers and service providers capable of meeting DORA's contractual requirements becomes a strategic priority.