Skip to content

DORA Requires Financial Institutions to Implement Systematic Digital Risk Management

The Bottom Line: As of January 2025, DORA mandates that financial institutions implement systematic ICT risk management across their entire supply chain with over 350 requirements and requires software-based third-party management processes.

Since 17 January 2025, the Digital Operational Resilience Act (DORA) has been binding for all EU financial institutions. The regulation demands a fundamental reorientation of ICT security governance with over 350 individual requirements, significantly exceeding existing standards such as BAIT or ISO 27001.

The DORA regulation is further specified by more than 100 additional requirements in the Regulatory Technical Standards (RTS) issued by EBA, ESMA and EIOPA. For comparison: the current BAIT, the most demanding standard in German banking, contains approximately 90 requirements. DORA therefore does not represent an extension, but rather introduces a new level of complexity.

Five interlocking pillars structure DORA: ICT risk management, incident management, resilience testing, third-party management and information sharing. Isolated handling of individual areas leads to gaps that quickly become apparent during examinations by BaFin or the ECB. Spreadsheets and isolated solutions do not meet the requirements.

Third-party management remains particularly challenging. DORA requires complete identification of all ICT service providers, their categorization by criticality, documented contractual requirements, regular assessments and mapping of the entire supply chain including subcontracts. Institutions with 50 or 100 external service providers must systematically capture each one and regularly re-evaluate them – manual processes quickly reach their limits. The DORA Information Register had to be submitted for the second time to BaFin in spring 2026, now with feedback from the EBA on data quality.

In November 2025, the European supervisory authorities (EBA, EIOPA, ESMA) published the first list of Critical Third-Party Providers (CTPPs) – systemically relevant technology providers in the financial sector. This activated a pan-European supervisory framework for these services. In parallel, the EU Commission is proposing with the “Digital Omnibus” package to simplify reporting structures and establish a central European reporting portal through which ICT incidents can be reported in a consolidated manner in the future, instead of via parallel national reporting channels.


Source: www.it-daily.net · Published 6 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.

Share on: