18 May Heightened risks of safeguarding outsourced ICT systems in an unstable geo-political world – the importance of the DORA framework
Since the Digital Operational Resilience Act (DORA) Regulation became applicable on 17th January 2025, financial institutions, from banks to asset managers and from insurance undertakings to private credit providers, have grown increasingly uneasy about their reliance on, and the resilience of, the widely dispersed ICT services they have outsourced to third-party service providers, such as cloud services, databases and network infrastructure services.
A vast proportion of financial institutions now rely on third-party ICT service providers based outside the EU, whose services contribute to important and critical functions within banks and other entities. This situation has been turbocharged in the past six months by geo-political events affecting ICT service providers located in third countries, i.e. outside the EU.
Some analysts fret that souring relations between the EU and other major economic trade partners have sparked growing political risks that could result in non-EU cloud providers imposing restrictions on banks in Europe, potentially cutting off access to critical applications and data. The concentration of cloud services and databases in non-EU jurisdictions has raised a red flag at EU supervisory agencies: many EU financial entities are heavily over-reliant on a few dominant non-EU providers in the sector.
More recently, the conflict in the Middle East has seen multiple drone attacks on data centers in the region, all resulting in significant outages. Widespread disruption to local banking and ecommerce apps ensued.
The net result has driven financial services analysts to question the rationale for EU clients continuing to outsource ICT services on the basis of cost and scalability alone, and has shifted attention to control, jurisdictional exposure and the ability to operate under stress scenarios.
It has also vindicated the value of the EU-dedicated DORA framework, designed to address financial institutions' third-party risk management practices and digital operational resilience, with specific extra-territorial implications. DORA sets out to ensure that all participants in the financial system have the necessary safeguards in place to withstand, respond to and recover from ICT-related disruptions and threats.
First and foremost, DORA introduces new resilience requirements applicable to all financial entities, embracing:
• Structured documented ICT risk management framework – policies, procedures, protocols, guidelines, access, responsibilities
• Reporting of major ICT-related incidents and notifying national supervisors (NCAs)
• Recording significant cyber threats to NCAs
• Reporting of major operational or security payment-related incidents to NCAs
• Introducing in-house digital operational resilience testing by financial entities via on-site investigations, interviews, HQ/operational centers.
DORA also requires financial entities to oversee critical ICT third-party providers (CTPPs), including cloud service providers.
Financial entities are called upon to review the sound management of each ICT third-party risk by undertaking the following tasks:
• Pre-outsourcing due diligence
• Assessments of ICT 3rd-party concentration risks
• Existence of disaster recovery plans
• Governance arrangements
• How they report on major ICT-related incidents
• Ensure ICT TPP contracts are ‘resolution-resilient’!
• Degree of sub-contracting
DORA incorporates and prioritises ICT third-party providers that are considered ‘critical’ (CTPPs) to EU-based financial entities as part of the regulatory resilience scope, including cloud service providers, which must now be monitored by the financial entities using these services.
What constitutes a ‘critical’ TPP?
Article 3(22) of DORA defines a ‘critical or important function’ as ‘a function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorization, or with its other obligations under applicable financial services law’.
In November 2025, the European Supervisory Authorities (ESMA/EBA/EIOPA) issued a list of designated ‘critical’ third-party information and communications technology (ICT) service providers, i.e. CTPPs whose activities are deemed critical to the stability and security of financial entities. Four statutory criteria were used to designate CTPPs:
• The systemic impact on the provision of financial services of the TPP’s failure
• The systemic importance of G-SIIs and O-SIIs that rely on the TPP
• Reliance by many financial entities to support critical and important functions
• The degree of substitutability of the TPP, should the TPP collapse
The direct consequences for client financial entities based in the EU of this CTPP designation are as follows:
• ESMA/EIOPA/EBA will have discretionary powers in the future to designate ICT TPPs as ‘critical’, on the basis of over-reliance by financial entities
• Direct ESA oversight of the CTPP will be de rigueur.
• Potential restrictions will be imposed if risks are not mitigated, i.e. in the event of persistent non-compliance by a CTPP, the ESAs may suspend the ICT services provided to the bank
• Enhanced cooperation obligations will be introduced, i.e. CTPPs must cooperate with sector-wide testing and information requests and support financial entities’ DORA obligations
• Financial institutions that rely heavily on any designated CTPP must now document this dependency in the Register of Information and assess concentration risk accordingly
DORA sets out criteria and thresholds for financial institutions to classify and report ICT-related incidents and cyber threats to the national supervisors. The criteria and thresholds triggering a major incident which must be reported to the NCA include, inter alia:
• the number of affected clients is higher than 10 % of all clients using the affected service
• the number of affected clients using the affected service is higher than 100,000
• the number of affected financial counterparts is higher than 30 % of all financial counterparts carrying out activities related to the provision of the affected service
• the number of affected transactions is higher than 10 % of the daily average number of transactions carried out by the financial entity related to the affected service
• the amount of affected transactions is higher than 10 % of the daily average value of transactions carried out by the financial entity related to the affected service
The materiality threshold for the criterion ‘economic impact’ is met where the costs and losses incurred by the financial entity due to the incident have exceeded or are likely to exceed €100 000.
Digital and operational resilience: the supervisory perspective
2026 will see DORA firmly embedded in EU-wide supervisory practice, with particular scrutiny of ICT outsourcing, cloud concentration risk and third-party dependency, and, in the light of recent geo-political upheavals, of third-country dependencies for databases and cloud services, their mapping, and incident reporting discipline.
Supervisory expectations will also cover board responsibility and accountability (is there at least one board director with an ICT skill-set?), stress-testing regimes and sector-wide interoperability.
Incident Reporting: starting now!
DORA harmonizes incident reporting across the EU with strict timelines.
Initial notification to national supervisory agencies must happen within four hours of classification. An intermediate report follows within 72 hours. A final report with root cause analysis is due within one month.
The regulation also introduces “significant cyber threats” as a reportable category, covering threats that may not yet have materialised.
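The classification thresholds listed above and the reporting clock that starts at classification are easy to get wrong under pressure, so the following is an added, illustrative helper (not part of the original article, and not the text of the regulation or any of its technical standards). It applies only the numeric criteria quoted on this page, plus the €100 000 economic-impact threshold, and computes the three reporting deadlines from the moment of classification, as the article states them. The data class, field names and sample incident are all constructed for the example; the ‘one month’ for the final report is taken as one calendar month, which is an assumption. The full DORA classification rules contain further conditions that this example deliberately does not model.

```python
"""Illustrative DORA incident-threshold check and reporting-clock helper.

Added example: models only the criteria quoted on the page, not the full
classification rules. Field names and sample figures are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IncidentMetrics:
    """Figures an incident manager would gather before classifying (constructed names)."""
    affected_clients: int
    total_clients: int            # clients using the affected service
    affected_counterparts: int
    total_counterparts: int       # financial counterparts active on the service
    affected_tx_count: int
    daily_avg_tx_count: float     # daily average number of transactions
    affected_tx_value: float
    daily_avg_tx_value: float     # daily average value of transactions
    cost_and_losses_eur: float    # incurred or likely costs and losses


def _share(part, whole):
    """Fraction of `part` in `whole`. A zero baseline (new service, no history)
    yields 0.0 rather than a ZeroDivisionError, so it never trips a criterion."""
    return part / whole if whole else 0.0


def triggered_criteria(m: IncidentMetrics):
    """Return the page's thresholds that this incident exceeds (strictly 'higher than')."""
    hits = []
    if _share(m.affected_clients, m.total_clients) > 0.10:
        hits.append("affected clients > 10% of clients using the service")
    if m.affected_clients > 100_000:
        hits.append("affected clients > 100,000")
    if _share(m.affected_counterparts, m.total_counterparts) > 0.30:
        hits.append("affected financial counterparts > 30%")
    if _share(m.affected_tx_count, m.daily_avg_tx_count) > 0.10:
        hits.append("affected transactions > 10% of daily average count")
    if _share(m.affected_tx_value, m.daily_avg_tx_value) > 0.10:
        hits.append("affected transaction value > 10% of daily average value")
    if m.cost_and_losses_eur > 100_000:
        hits.append("economic impact > EUR 100 000")
    return hits


def is_major(m: IncidentMetrics) -> bool:
    """Under this simplified model, any single exceeded threshold makes the incident major."""
    return bool(triggered_criteria(m))


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb). Assumption."""
    year = dt.year + (1 if dt.month == 12 else 0)
    month = 1 if dt.month == 12 else dt.month + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict:
    """Deadlines counted from classification: 4 h initial, 72 h intermediate, 1 month final."""
    return {
        "initial_notification": classified_at + timedelta(hours=4),
        "intermediate_report": classified_at + timedelta(hours=72),
        "final_report": add_one_month(classified_at),
    }


# Constructed sample: a payments outage hitting 5,000 of 40,000 service users.
SAMPLE_INCIDENT = IncidentMetrics(
    affected_clients=5_000, total_clients=40_000,
    affected_counterparts=2, total_counterparts=10,
    affected_tx_count=500, daily_avg_tx_count=10_000,
    affected_tx_value=1_000_000.0, daily_avg_tx_value=50_000_000.0,
    cost_and_losses_eur=20_000.0,
)
# Constructed classification time chosen to exercise the month-end clamp.
SAMPLE_CLASSIFIED_AT = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("major:", is_major(SAMPLE_INCIDENT), triggered_criteria(SAMPLE_INCIDENT))
    for name, when in reporting_deadlines(SAMPLE_CLASSIFIED_AT).items():
        print(f"{name}: {when.isoformat()}")
```

Only the 12.5% client share trips a threshold in the sample, which is enough to start the clock; the counterpart, transaction and economic-impact criteria stay below their limits. Keeping the thresholds in one reviewed function also makes the annual review of classification thresholds mentioned later on this page a code change rather than a hunt through runbooks.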
Conclusion: DORA requires a culture of continuous compliance and not a point-in-time exercise.
Financial entities need to build continuous processes and consolidate DORA oversight and management in one place in order to:
• Undertake ongoing monitoring of ICT third-party providers’ security posture
• Conduct quarterly review of the Register of Information
• Prepare an annual review of the ICT risk management framework
• Prepare an annual review of incident classification thresholds.
Author: Dr David Doyle
Dr Doyle is an EU Regulatory Policy Expert, author and advisor specializing in financial services legislation. He is a board member of the MEP-led Kangaroo Group at the European Parliament.