DORA Compliance for Financial Services: A 2026 Practical Guide

TuniCyberLabs Team

The Digital Operational Resilience Act is shaping how every financial firm and its suppliers manage ICT risk. Here is the practical compliance picture in 2026.

The Digital Operational Resilience Act, known as DORA, is now in active enforcement across the European Union. Financial firms have been preparing since 2023, and supervisors are increasingly looking for operational evidence rather than just documentation. For B2B vendors that sell to financial services, DORA has changed procurement conversations permanently. This guide cuts through the noise and focuses on what compliance looks like in practice in 2026.

What DORA Actually Requires

DORA establishes a uniform regulatory framework for ICT risk management across EU financial services, replacing the patchwork of national rules that preceded it. Its five pillars are:

  • ICT risk management with explicit board responsibility and a formal framework
  • ICT incident reporting with strict classification and notification timelines
  • Digital operational resilience testing, including threat-led penetration testing for significant firms
  • ICT third party risk management with mandatory contractual terms and oversight of critical providers
  • Information sharing to improve sector-wide threat awareness

These are not new ideas. The new part is the prescriptive specificity and the active enforcement.

Who Must Comply

DORA covers a broad range of financial entities including banks, payment institutions, e-money institutions, investment firms, insurance, reinsurance, pension funds, crypto asset service providers, central securities depositories, central counterparties, trade repositories, and many more. It also covers critical ICT third party service providers that serve the sector.

Even smaller firms that might hope to fall below thresholds often discover they are in scope through one definition or another. The safe assumption is that any company providing financial services into the EU is in scope.

Board and Management Accountability

DORA explicitly puts ICT risk on the board agenda. Required practices include:

  • Approved ICT risk framework reviewed at least annually
  • Documented roles including a named senior officer responsible for ICT risk
  • Regular board reporting on incidents, third party risk, and resilience testing
  • Strategy alignment between business strategy and ICT risk appetite
  • Training records showing the board has appropriate cybersecurity literacy

Auditors check these documents during inspections. Vague references to general IT risk are not enough.

Incident Classification and Reporting

DORA incident reporting is tightly defined. For major ICT incidents, firms must deliver:

  • An initial notification as soon as possible, and no later than 24 hours after the incident is classified as major
  • An intermediate report within 72 hours
  • A final report within one month
  • Significant cyber threat notifications when relevant, even when no incident has occurred

Classification criteria include affected customers, financial impact, geographical reach, data losses, reputational impact, duration, criticality of affected services, and economic impact. Most firms have invested in playbooks and tooling to classify incidents within the tight windows.
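A detail that trips up many teams is that the reporting clock starts at classification, not at detection. The following is an added example (not code from the article or from any tooling it mentions) of a small deadline tracker that encodes the three windows above and reports which submissions are still due or already overdue at a given moment. The incident identifier, timestamps and the reading of "one month" as a calendar month (same day-of-month in the following month, clamped to that month's length) are all assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

# Reporting windows as stated in the article. The clock starts when the
# incident is classified as major, not when it was first detected.
INITIAL_WINDOW = timedelta(hours=24)
INTERMEDIATE_WINDOW = timedelta(hours=72)


def _as_datetime(value: Union[str, datetime]) -> datetime:
    """Accept either an aware datetime or an ISO-8601 string with offset."""
    moment = datetime.fromisoformat(value) if isinstance(value, str) else value
    if moment.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return moment


def add_one_month(moment: datetime) -> datetime:
    """Assumption: 'one month' means the same day in the next calendar month,
    clamped to that month's last day (e.g. 31 Jan -> 28 Feb in 2026)."""
    year, month = moment.year, moment.month + 1
    if month > 12:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def final_report_deadline_iso(classified_iso: str) -> str:
    """Convenience wrapper: final-report deadline for a classification time."""
    return add_one_month(_as_datetime(classified_iso)).isoformat()


@dataclass
class MajorIncident:
    incident_id: str                      # constructed identifier, not a real case
    detected_at: datetime
    classified_at: datetime               # moment the major classification was made
    submitted: Dict[str, datetime] = field(default_factory=dict)

    def deadlines(self) -> Dict[str, datetime]:
        # All three deadlines are anchored on classification time.
        return {
            "initial": self.classified_at + INITIAL_WINDOW,
            "intermediate": self.classified_at + INTERMEDIATE_WINDOW,
            "final": add_one_month(self.classified_at),
        }

    def record_submission(self, report: str, when: Union[str, datetime]) -> None:
        if report not in self.deadlines():
            raise KeyError(f"unknown report type: {report}")
        self.submitted[report] = _as_datetime(when)

    def status(self, now: Union[str, datetime]) -> Dict[str, str]:
        """Per report: 'submitted', 'submitted late', 'due' or 'overdue'."""
        now = _as_datetime(now)
        result = {}
        for name, deadline in self.deadlines().items():
            sent = self.submitted.get(name)
            if sent is not None:
                result[name] = "submitted" if sent <= deadline else "submitted late"
            elif now <= deadline:
                result[name] = "due"
            else:
                result[name] = "overdue"
        return result


def sample_incident() -> MajorIncident:
    """Constructed sample: detected 08:00 UTC, classified as major six hours later."""
    utc = timezone.utc
    inc = MajorIncident(
        incident_id="INC-EXAMPLE-0001",
        detected_at=datetime(2026, 3, 10, 8, 0, tzinfo=utc),
        classified_at=datetime(2026, 3, 10, 14, 0, tzinfo=utc),
    )
    # Initial notification sent 20 hours after classification: inside the window.
    inc.record_submission("initial", "2026-03-11T10:00:00+00:00")
    return inc


if __name__ == "__main__":
    inc = sample_incident()
    for name, deadline in inc.deadlines().items():
        print(f"{name:13s} due by {deadline.isoformat()}")
    print(inc.status("2026-03-13T22:00:00+00:00"))
```

Note that the sample deliberately has the intermediate report missing at 80 hours after classification, which the status check flags as overdue; wiring a check like this into an on-call dashboard is far cheaper than discovering the miss during a supervisory review.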

Resilience Testing

DORA requires a comprehensive testing program. Annual tests at a minimum include vulnerability assessments, source code reviews, network security assessments, gap analyses, scenario-based testing, compatibility testing, and performance testing. Significant firms must also undergo threat-led penetration testing every three years, conducted by specialized providers and overseen by competent authorities.

This testing is not box ticking. The reports go to supervisors, and material findings drive remediation plans with documented progress.

Third Party Risk

The third party pillar is where DORA most directly affects B2B vendors. Financial firms must:

  • Maintain a register of information about every ICT third party arrangement
  • Classify which providers support critical or important functions
  • Negotiate contractual provisions including audit rights, exit strategies, sub-outsourcing approvals, and security obligations
  • Assess concentration risk when multiple critical functions depend on one provider
  • Implement exit strategies that are demonstrably tested

For vendors, this means the sales cycle includes detailed security questionnaires, contract negotiations on standard clauses, and ongoing evidence requirements. Vendors that come prepared close faster than those that scramble.

Critical Third Party Designation

DORA introduces a new regime for critical ICT third party providers designated by European supervisors. Designated providers face direct oversight by EU authorities, mandatory cooperation with audits, and potential financial penalties. Major cloud, software, and infrastructure providers are likely candidates. The implications include data sovereignty, transparency obligations, and operational resilience requirements that flow into customer contracts.

If you provide critical infrastructure or platforms to financial services, plan for this designation conversation.

Practical Compliance Posture

For B2B firms selling to financial services, a strong DORA posture includes:

  • Public trust center with policies, certifications, and resilience statements
  • Standard DORA contract addendum ready to sign
  • Detailed sub-outsourcing register with risk assessments
  • Tested exit playbook for each customer
  • SOC 2 Type II and ISO 27001 as baseline evidence
  • Regular penetration testing with executive summaries available under NDA
  • Incident response readiness that meets DORA reporting timelines

Firms that arrive with these in place look prepared. Firms that build them mid procurement lose deals to faster competitors.

Looking Beyond the Tick Box

DORA is intentionally outcome focused. The goal is genuine operational resilience, not paper compliance. The firms that treat it as a checkbox exercise will continue to struggle when real incidents test their response. The firms that integrate DORA principles into normal operations build resilience that pays dividends well beyond regulatory compliance. As financial services rely ever more heavily on digital systems, that resilience is becoming a competitive differentiator with customers, partners, and supervisors alike.

TAGS: DORA, Financial Services, Compliance, Operational Resilience, EU Regulation