DORA
The EU Digital Operational Resilience Act is the EU's mandatory operational resilience framework for financial services — requiring firms to prove they can withstand, respond to, and recover from ICT-related disruptions.
The Digital Operational Resilience Act (DORA), applicable from January 2025, establishes mandatory ICT risk management requirements for EU financial entities — banks, insurance companies, investment firms, payment institutions, and critically, ICT third-party service providers (including cloud providers and software vendors) that are deemed critical to EU financial services. DORA consolidates and strengthens existing operational resilience requirements under a single EU-wide framework, replacing the patchwork of national guidance that previously applied.
Four of DORA's five pillars create specific engineering obligations. ICT risk management requires a documented ICT risk management framework with board accountability. ICT incident reporting requires financial entities to classify and report major ICT incidents to regulators within strict timelines: one hour for the initial notification, four hours for the intermediate report, and one month for the final report. Digital operational resilience testing requires firms to conduct annual vulnerability assessments and, for significant institutions, threat-led penetration testing (TLPT) every three years. ICT third-party risk management requires comprehensive vendor assessment and contractual provisions for all ICT providers.
DORA's most disruptive requirement for technology vendors is the ICT third-party risk management pillar. Financial entities must identify all ICT dependencies, classify providers by criticality, conduct due diligence, and include specific contractual provisions (audit rights, incident notification requirements, and exit strategies among them) in all ICT service agreements. Critical third-party providers may be directly supervised by EU financial regulators, so cloud providers and SaaS vendors serving EU financial services must prepare for regulatory examination of their own security and resilience practices.
We architect DORA compliance for EU financial entities and the ICT vendors that serve them — implementing ICT risk management frameworks with board-level accountability, designing incident classification and reporting workflows that meet DORA's strict notification timelines, building resilience testing programs that satisfy DORA's annual assessment requirements, and structuring vendor contracts with the provisions DORA mandates. Our teams understand DORA's requirements for both financial entities and their critical ICT suppliers.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.