DORA in Force: What Changes for 22,000 European Banks and Fintechs Starting January 2025
The Digital Operational Resilience Act came into effect on 17 January 2025, imposing uniform digital resilience requirements on approximately 22,000 financial entities in the European Union. In November 2025, AWS, Microsoft Azure, and Google Cloud were designated critical ICT providers, subject to direct audit by European regulators.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) came into effect on 17 January 2025, concluding a two-year preparation period. The regulation harmonises digital resilience requirements for approximately 22,000 financial entities in the European Union: banks, insurance companies, reinsurance companies, brokerage firms, payment institutions, electronic money institutions, investment firms, and crypto asset providers.
The scope is not limited to traditional institutions. Early-stage fintechs operating as payment platforms, digital credit providers, digital insurance, or crypto asset exchanges fall into the same categories and face the same obligations as large banks. There is no exemption based on size.
The Five Pillars
ICT Risk Management: Entities must maintain a documented technology risk management framework with clear governance, approved by the board of directors. Having a CISO is not sufficient; entities must demonstrate that the board actively supervises cybersecurity risk decisions.
Incident Response and Reporting: Significant ICT incidents must be reported to the regulator within defined timeframes, with initial notification within 4 hours, an interim report within 72 hours, and a final report within one month.
Third-Party Risk Management: Entities are responsible for risks introduced by their technology vendors, especially cloud providers. Contracts with critical suppliers must include specific clauses on auditing, service continuity, and exit plans.
Resilience Testing: Organisations above certain systemic relevance thresholds must conduct Threat-Led Penetration Tests (TLPT) every three years, using the TIBER-EU methodology.
Information Sharing: DORA formally encourages the sharing of threat intelligence among financial entities, providing a legal basis for exchanges that previously sat in a regulatory grey area because of confidential data.
Designation of the 19 Critical Providers
On 18 November 2025, the European Supervisory Authorities designated 19 critical ICT service providers under DORA, including AWS, Microsoft Azure, and Google Cloud. This designation means that these providers are subject to direct inspections by European regulators, regardless of where they are headquartered. It is the first time that European financial regulators have obtained formal authority for direct oversight of American cloud infrastructure.
The Penalties
Financial entities that fail to comply with DORA may be fined up to 2% of their annual global revenue. For ICT providers designated as critical, penalties can reach 1% of average daily global revenue for each day of non-compliance.
What is Still Open
Practical implementation has revealed ambiguities. The interpretation of "significant incident" for reporting purposes, the exact criteria for applying TLPT tests to intermediary entities, and how subcontracting dependencies in complex technology supply chains should be handled are still being clarified by the competent national authorities.