The New Dawn of DORA – A Readiness Checklist for New Regulatory Compliance

The Digital Operational Resilience Act (DORA) marks a significant regulatory development in the European financial sector, focusing on strengthening the resilience of financial institutions and their third-party ICT service providers. DORA takes a forward-looking approach to addressing the rising risks associated with ICT failures and growing cyber threats. It establishes a comprehensive, adaptive, and proportionate framework designed to evolve alongside emerging technological challenges. 

While the creation of sophisticated regulations is crucial, effective implementation is where true resilience is forged. Success under DORA relies on robust risk management, ICT security, outsourcing controls, and operational resilience. Effective from the enforcement date of 17 January 2025, financial institutions must focus on enhancing these areas to ensure compliance.

A defining aspect of DORA is its extension of accountability to third-party ICT providers supporting financial institutions such as banks, insurers, and investment firms. Recognising the vulnerabilities posed by outsourcing, DORA mandates rigorous oversight and enhanced accountability for external vendors. This ensures that resilience is embedded across the entire digital ecosystem, not solely within financial firms themselves.

Notably, DORA’s scope extends beyond the EU, applying to global vendors delivering critical services, including cloud computing, data analytics, and software-as-a-service (SaaS), to EU-based financial entities. By reinforcing the resilience of third-party providers, DORA aims to create a stronger, interconnected financial sector capable of withstanding evolving digital threats and disruptions.

Implications for Business Process Outsourcing (BPO)

For Business Process Outsourcing (BPO) providers and their subcontractors (4th-party vendors), DORA introduces critical regulatory obligations concerning compliance and operational resilience. Specialist regulatory BPOs, as well as entry-level service providers supporting financial institutions, must reassess their roles within the supply chain to ensure alignment with DORA’s stringent requirements – particularly in areas such as disaster recovery and data security.

Financial institutions should already have an outsourcing strategy in place, specifying when third-party services will be engaged. This should include detailed onboarding procedures, comprehensive risk assessments, and continuous due diligence and oversight. Exit and termination plans must also be clearly documented.

BPOs must ensure that their own vendor relationships (including those with 4th-party providers) align with DORA’s expectations.

A failure by any vendor to meet compliance standards could disrupt critical services, jeopardising both the BPO and its financial clients. As a result, vendor management and contingency planning require heightened scrutiny.

This necessitates that BPOs apply rigorous evaluation processes to their subcontractors, establish backup systems, and proactively manage supply chain risks to guarantee readiness for this transformative regulation.

Top 5 Focus Areas for DORA Readiness

  1. Operational Resilience Planning – Financial entities and their vendors must develop robust continuity plans, encompassing disaster recovery, penetration testing, and business continuity frameworks to ensure critical services remain operational during disruptions.
  2. Transparency and Accountability – Vendors must provide transparent insights into their operations, allowing financial clients and regulators unrestricted audit rights. This ensures ongoing oversight and compliance.
  3. Supply Chain Risk Management – Firms must assess and manage risks across their entire supply chain, ensuring that subcontractors uphold resilience standards.
  4. Contractual Alignment – DORA sets high expectations for contracts between financial institutions and ICT service providers. Agreements must clearly define resilience requirements, including service-level agreements (SLAs), security measures, and accountability clauses.
  5. Testing and Scenario Planning – Regular resilience testing, including scenario exercises, must be conducted to identify vulnerabilities. Vendors will need to actively participate to confirm their ability to withstand disruptions.

Regulatory Developments Beyond the EU

DORA’s focus on operational resilience reflects a broader global regulatory shift. In the UK, the Financial Conduct Authority (FCA) Operational Resilience Framework, with a compliance deadline of 31 March 2025, similarly requires firms to anticipate, adapt to, and recover from disruptions. Financial institutions must test resilience plans, define impact tolerances, and manage third-party risks, closely mirroring DORA’s principles.

Meanwhile, across the Atlantic, the US Securities and Exchange Commission (SEC) has introduced new Treasury Clearing Rules, requiring central clearing for certain U.S. Treasury Securities transactions by 2025 and 2026. Although the SEC’s focus is on market clearing, the initiative underscores the increasing importance of operational continuity and risk management across the financial sector.

Preparing for the Future

Third-party ICT providers play a critical role in the financial ecosystem. A disruption in their services can trigger widespread operational failures, posing systemic risks. DORA’s framework ensures that ICT providers are treated not merely as vendors, but as integral partners in safeguarding financial stability.

As the DORA deadline nears, organisations must take proactive steps to align operational resilience strategies with regulatory expectations—particularly concerning third-party vendors. By reinforcing resilience at every level of the supply chain, financial institutions and their partners will not only achieve compliance but also fortify their defences against future operational threats in an increasingly complex and regulated environment.

To help navigate these requirements and ensure readiness, here’s a checklist to guide organisations through DORA compliance:

DORA Readiness Checklist

  1. Is Your Operational Resilience Plan in Place?
  • Have you developed a comprehensive continuity plan, including disaster recovery strategies?
  • Does your plan include penetration testing to address potential security vulnerabilities?
  • Are your business continuity protocols designed to ensure critical services remain available during disruptions?
  2. Are You Ensuring Transparency and Accountability in Your Vendor Relationships?
  • Have you implemented clear transparency into your operations and service delivery?
  • Are you providing audit rights to your financial clients and regulators to ensure full compliance?
  • Do you have unrestricted access for audits, covering both your services and those provided by your subcontractors?
  3. Are You Actively Managing Supply Chain Risks?
  • Have you assessed and managed risks within your supply chain, particularly with subcontractors?
  • Are all third-party partners in your supply chain compliant with DORA’s operational resilience standards?
  • Have you established protocols to mitigate risks from key subcontractors who might fail to meet these standards?
  4. Are Your Contracts DORA-Ready?
  • Have you updated contracts with financial institutions to ensure they meet DORA’s stringent standards for operational resilience?
  • Do your contracts define service-level agreements (SLAs), security controls, and accountability measures that comply with DORA?
  • Are these agreements documented and ready for audit, as required by DORA?
  5. Are You Regularly Testing and Planning for Operational Disruptions?
  • Do you conduct regular testing of your operational resilience plans, including scenario planning for potential disruptions?
  • Have you established impact tolerances to guide your response to service interruptions?
  • Are your vendors and subcontractors involved in these exercises to validate their ability to maintain services during unforeseen events?
